Windows – Certificate Enrollment Fails

KB ID 0000921 

Problem

I first saw this problem a few years ago trying to get some Windows clients to auto-enrol with Server 2008; then this week my colleagues could not get a new 2019 Domain Controller to enrol for a Kerberos certificate, and this was caused by the same problem.

Symptoms (RPC Error)

1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command;

[box]

certutil -pulse

[/box]

As you can see above, the first time I ran the command I got the following error;

CertUtil: -pulse command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

I then ran the command window ‘as administrator’ and it completed; this was the first inkling I had that permissions were probably not right.

2. Run mmc on an affected machine, and add in the Certificates (Local Computer*) snap-in. Right-click the ‘Personal’ container > attempt to get the certificate you have published manually.

Problem seen on a Domain Controller (Attempting to get a Kerberos Certificate).

An error occurred while enrolling for a certificate.
The Certificate request could not be submitted to the certification authority

Url: {CA Server Path}

Error: the RPC server is unavailable. 0x80076ba (WIN32: 1722
RPC_S_SERVER_UNAVAILABLE)

Problem seen on Windows Client (attempting to enrol for a Computer Certificate).

*Or local user if you are auto enrolling user certificates.

At that point, on the Windows client, I got this error;

Active Directory Enrollment Policy
STATUS: Failed

The RPC server is unavailable.

Resolution (Windows Certificate RPC Error)

The most common cause for that error is incorrect membership of the ‘Certificate Service DCOM Access’ group; check yours and make sure it matches the one below.

On the CA server, launch the Certification Authority management tool and look at the properties of the CA server itself. On the Security tab, make sure yours looks like this (Domain Computers and Domain Controllers should have the ‘Request Certificates’ right).

Still on the CA server, check the permissions on the C:\Windows\System32\certsrv directory; Authenticated Users should have Read & Execute rights.

This is the change that finally fixed mine: In active directory users and computers, locate the Builtin container, within it there is a group called ‘Users’. Make sure it contains Authenticated Users and INTERACTIVE.

Run a ‘gpupdate /force’ on your test client, and/or reboot it.
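The three permission items above (DCOM Access group membership, the certsrv folder ACL, and the Builtin Users group) can be verified from PowerShell before touching anything. The script below is an added example and is not from the KB article; it assumes the RSAT ActiveDirectory module is installed, that it runs elevated on the CA server (for the folder check), that group names are the English defaults, and that Domain Computers and Domain Controllers are the members the DCOM Access group is expected to hold (an assumption drawn from this article and the Event ID 13 article further down). It only reads; it changes nothing.

```powershell
# Added example, not part of the KB article. Read-only checks for the three
# permission items in the resolution. Assumptions: RSAT ActiveDirectory module
# present, elevated session on the CA server, English default group names,
# and expected DCOM Access members of Domain Computers + Domain Controllers.
Import-Module ActiveDirectory

function Test-CertEnrollmentPrereqs {
    $checks = New-Object System.Collections.Generic.List[object]

    # 1. Certificate Service DCOM Access (sAMAccountName CERTSVC_DCOM_ACCESS):
    #    resolve each member DN to a name and look for the two computer groups.
    $dcom        = Get-ADGroup -Identity 'CERTSVC_DCOM_ACCESS' -Properties member
    $dcomMembers = @($dcom.member | ForEach-Object { (Get-ADObject -Identity $_).Name })
    foreach ($expected in 'Domain Computers', 'Domain Controllers') {
        $checks.Add([pscustomobject]@{
            Check  = "CERTSVC_DCOM_ACCESS contains $expected"
            Passed = ($dcomMembers -contains $expected)
        })
    }

    # 2. %SystemRoot%\System32\certsrv: an Allow ACE for Authenticated Users
    #    (well-known SID S-1-5-11) whose rights include Read & Execute.
    $certsrv  = Join-Path $env:SystemRoot 'System32\certsrv'
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $hasRight = $false
    foreach ($ace in (Get-Acl -Path $certsrv).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity; skip it
        if ($ace.AccessControlType -eq 'Allow' -and $sid -eq 'S-1-5-11' -and
            (($ace.FileSystemRights -band $readExec) -eq $readExec)) {
            $hasRight = $true
        }
    }
    $checks.Add([pscustomobject]@{
        Check  = 'Authenticated Users have Read & Execute on certsrv'
        Passed = $hasRight
    })

    # 3. Builtin\Users (well-known SID S-1-5-32-545) must contain Authenticated
    #    Users (S-1-5-11) and INTERACTIVE (S-1-5-4). Both are stored as foreign
    #    security principals, so the SID is the CN of the member DN.
    $users = Get-ADGroup -Identity 'S-1-5-32-545' -Properties member
    $wellKnown = [ordered]@{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-4' = 'INTERACTIVE' }
    foreach ($entry in $wellKnown.GetEnumerator()) {
        $pattern = '^CN=' + [regex]::Escape($entry.Key) + ','
        $present = [bool](@($users.member) -match $pattern)
        $checks.Add([pscustomobject]@{
            Check  = "Builtin\Users contains $($entry.Value)"
            Passed = $present
        })
    }

    return $checks
}

Test-CertEnrollmentPrereqs | Format-Table -AutoSize
```

Any row that reports Passed = False points at the corresponding fix in the resolution above; matching on SIDs rather than display names keeps the Builtin Users check valid on localised domains, whereas the DCOM Access check still relies on the English group names.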

Related Articles, References, Credits, or External Links

NA

Windows – Unable to Move an OU

KB ID 0001336 

Problem

I was doing some AD redesign work for a client this week, and I needed to move an Organisational Unit (OU). However, the domain had other ideas;

Active Directory Domain Services

Windows cannot move object {OU-Name} because: Access is denied.

It wasn’t a rights issue, (I was an Enterprise Administrator). 

Solution

As it turns out, it was the same problem I’d had back when Server 2008 first came out, deleting an OU. Make sure you have enabled advanced features in Active Directory Users and Computers (View > Advanced Features). Then untick the following option;

You can now move the OU (Don’t forget to re-tick that option, once you’ve got it where you want it!)

Related Articles, References, Credits, or External Links

NA

Event ID 1202

KB ID 0000123 

Problem

Security policies are propagated with warning. 0x5 : Access is denied. Please look for more details in Troubleshooting section in Security Help.

This error typically occurs when the system has not been granted the correct permissions to update the access control list of a service. This may occur if the Administrator defines permissions for a service in a policy but does not grant the System account Full Control permissions.

Solution

1. Start > Run > regedit {enter}

2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

3. Create a new DWORD value called ExtensionDebugLevel and set its value to 2.

4. This creates a winlogon.log file that logs service logon errors.

5. Refresh the machine policy: secedit /refreshpolicy machine_policy /enforce

6. Start > Run > cmd {enter}

7. Execute the following command: find /i "error opening" %SYSTEMROOT%\security\logs\winlogon.log

8. This will tell you the name of the faulting service (get its name and google it to find out what it is, e.g. IsmServ is the Microsoft Server Intersite Messaging service).

9. If you only have one policy (Default Domain Policy), skip to step 13.

10. Find out which policy is misconfigured for this service by executing the following command: find /i "service" %SYSTEMROOT%\security\templates\policies\gpt*.*

NB: replace service with the service name you discovered in step 7.

11. Take a note of the GUID of the policy, for example for

GPOPath={6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE

the GUID is {6AC1786C-016F-11D2-945F-00C04FB984F9}

12. In the 2K Resource Kit is a tool called gpotool that will list the GUIDs and friendly names of all the policies. Execute "gpotool /verbose", locate the GUID and it will give you the policy name.

13. Start > Run > dsa.msc {enter} > right-click domain > Properties > Group Policy

14. Open the appropriate group policy.

15. Navigate to Computer Configuration\Windows Settings\Security Settings\System Services

16. Locate the service you identified in step 8 > right-click > Properties > Edit Security

17. Add the Administrators group and SYSTEM and give both Full Control > exit Group Policy Editor.

18. Start > Run > regedit {enter}. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

19. Below the Services key there is a subkey for every service; locate the one for the service you identified in step 8.

20. Expand the key for the faulting service and delete its "Security" subkey.

21. Reboot the server.
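The diagnostic half of the procedure (enabling the Security CSE log, refreshing policy, reading winlogon.log for the faulting service, and mapping the gpt*.* template back to a GPO GUID and name) can be scripted. The block below is an added example and is not from the KB article. It assumes an elevated PowerShell session on the affected server, and it uses gpupdate and the GroupPolicy module’s Get-GPO cmdlet in place of the article’s secedit /refreshpolicy and Resource Kit gpotool commands; those substitutions are the author of this example’s choice, not the article’s. The registry key, log path and template directory are the ones the steps above name.

```powershell
# Added example, not part of the KB article. Automates steps 2-12 of the
# procedure. Assumptions: elevated session on the affected server; gpupdate
# and the GroupPolicy module (Get-GPO) stand in for secedit /refreshpolicy
# and gpotool. Paths and the CSE GUID are the ones the article gives.
$cseKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$logFile = Join-Path $env:SystemRoot 'security\logs\winlogon.log'
$gptDir  = Join-Path $env:SystemRoot 'security\templates\policies'

function Enable-SecurityCseLogging {
    # Steps 2-3: ExtensionDebugLevel = 2 makes the Security CSE write winlogon.log.
    if (-not (Test-Path $cseKey)) { throw "Security CSE key not found: $cseKey" }
    New-ItemProperty -Path $cseKey -Name 'ExtensionDebugLevel' -PropertyType DWord -Value 2 -Force | Out-Null
    # Step 5: refresh machine policy so the CSE runs and writes the log.
    gpupdate /target:computer /force | Out-Null
}

function Get-ServiceAclErrors {
    # Step 7: the log lines that name the service whose ACL could not be opened.
    # Select-String is case-insensitive by default, like find /i.
    if (-not (Test-Path $logFile)) { return @() }
    Select-String -Path $logFile -Pattern 'error opening' -SimpleMatch |
        ForEach-Object { $_.Line.Trim() }
}

function Find-PolicyForService {
    # Steps 10-12: search the cached gpt*.* templates for the service name, then
    # read that template's GPOPath={GUID}\MACHINE line and resolve the GUID.
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    Get-ChildItem -Path $gptDir -Filter 'gpt*.*' -File | ForEach-Object {
        $lines = Get-Content -Path $_.FullName
        if (@($lines) -match [regex]::Escape($ServiceName)) {
            $guid = $null
            foreach ($line in $lines) {
                if ($line -match 'GPOPath=(\{[0-9A-Fa-f-]+\})') { $guid = $Matches[1]; break }
            }
            $name = $null
            if ($guid) {
                try   { $name = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName }
                catch { $name = '(GroupPolicy module not available or GPO not found)' }
            }
            [pscustomobject]@{ Template = $_.Name; PolicyGuid = $guid; PolicyName = $name }
        }
    }
}

# Usage: enable logging, refresh policy, then list the ACL errors.
Enable-SecurityCseLogging
$aclErrors = Get-ServiceAclErrors
$aclErrors
# With the service name taken from that output (IsmServ in the article's
# example), locate the policy that sets its security:
# Find-PolicyForService -ServiceName 'IsmServ'
```

The remaining steps (granting Administrators and SYSTEM Full Control in the GPO, deleting the service’s Security subkey, rebooting) are deliberately left to the manual procedure, since they change policy and registry state and should be done against the one policy the script identifies.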

Related Articles, References, Credits, or External Links

NA

Event ID 13

KB ID 0000520 

Problem

Seen every few hours in the application log:

Source: AutoEnrollment Description: Automatic certificate enrollment for the local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

Solution

1. Go to your domain controller > Open Active Directory users and computers > Locate the CERTSVC_DCOM_ACCESS group.

2. Add in the “Domain Controllers” group.

3. On your Certification Authority Server > drop to command line and issue the following three commands.

[box]

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

[/box]

Related Articles, References, Credits, or External Links

NA

Can’t Delete a File or Folder or Take Ownership

KB ID 0000887 

Problem

I have a portable drive that I carry in my laptop bag that has all the service packs and ISO images that I might need. The problem is when I install service packs and updates on clients’ servers and PCs, they have a habit of creating folders on my portable drive that are a pain to delete. While tidying up the drive today, it was telling me I did not have the rights to do so. When I tried to take ownership of the folder, this happened;

An error occurred while applying security information to
{Foldername}
Failed to enumerate objects in the container. Access is denied.

Solution

1. Open a command window (Note: Ensure you select ‘Run As Administrator‘).

2. Issue the following commands, replacing ‘foldername’ in the path with your own.

[box]

takeown /f F:\foldername /r /d y
icacls F:\foldername /grant administrators:F /T
rmdir F:\foldername /S /Q

[/box]

Related Articles, References, Credits, or External Links

NA