Cause 1The client computer is not a member of the CERTSVC_DCOM_ACCESS security group.
Cause 2You installed Windows Server 2003 Service Pack 1 (SP1) on a CA computer that resides in a Microsoft Windows 2000 forest.
You must prepare the Windows 2000 forest for Windows Server 2003 because there are new attributes added to the Certificates templates object in the schema.
To verify this cause, view any of the Certificate templates by using ADSIEdit.msc or by using LDP.exe. You may find that the following attributes are missing:
Cause 3You did not restart the Windows Server 2003-based CA computer after you added the following member groups to the CERTSVC_DCOM_ACCESS security group:
- Domain Users
- Domain Computers
- Enterprise Domain Controllers
Note You add the Enterprise Domain Controllers group if the Certificate Services service is running on a domain controller.
Resolution for cause 1To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can only add domain groups to it.
For example, if users and computers from another domain have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
Note In this example, Contoso is a placeholder.
Notes on resolution for cause 1
- Certificate Services cannot automatically update the DCOM security settings for client computers from outside the certification authority's domain if the following conditions are true:
- The certification authority is installed on a domain controller.
- The enterprise consists of more than one domain.
- If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
- If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.
Resolution for cause 2To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1Remove Windows Server 2003 SP1 from the CA computer.
- Use the Adprep.exe utility to run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command.
For more information about the Adprep.exe utility, visit the following Microsoft Web site:
- Type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
- Regsvr32 /i:i /n /s %systemroot%\system32\certcli.dll
- Net Stop CertSvc
- Net Start CertSvc
Resolution for cause 3Restart the CA computer. If you again receive an error message that is mentioned in the "Symptoms" section, type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
- Certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
- Net stop certsvc
- Net start certsvc
Article ID: 932457 - Last Review: Feb 4, 2008 - Revision: 1