2008 RC1 DC: DomainControllerAuthentication Certificate Request error


After installing a secondary domain controller (Windows 2008 Core RC1) in an existing domain (forest and domain functional levels: Windows 2003; root DC: Windows 2003 SP2), I keep getting the following errors in the new DC's event log:

Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate from internal.fqdn\caname (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Certificate enrollment for Local system failed to enroll for a DirectoryEmailReplication certificate from internal.fqdn\caname (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

I have verified that the Domain Controller certificate template grants Enroll and Autoenroll Allow permissions to "Domain Controllers" and "Enterprise Domain Controllers".

There are no failed requests in the CA.

 

Domain Controller certificate template properties:
Certificate purposes: Client Authentication, Server Authentication, Smart Card Logon
Include e-mail address: No
Public key usage list: Digital Signature, Key Encipherment
Public key usage critical: No
Publish in Active Directory: No
Object identifier: 1.3.6.1.4.1.311.21.8.2326345.5972755.6701730.12454250.14293220.59.1.28
Subject type: Computer
Major version number: 110
Minor version number: 0

Any help appreciated.

 

yp

We have seen Vista clients trying to register V2 templates against 2003 CAs, and suspect the same issue is present in Windows Server 2008. The following steps should resolve this:

1. Please check to ensure the new security group, CERTSVC_DCOM_ACCESS, has been created after Windows Server 2003 SP1 or later has been applied.
2. Please add the "Domain Users", "Domain Computers" and "Domain Controllers" groups to the new CERTSVC_DCOM_ACCESS security group.
3. You can have Certificate Services update the DCOM security settings by running the following commands:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

This should resolve the error, and a Knowledge Base article is in process to document this. Please let me know if this resolves the issue.

 

thanks,

 

-steve
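As an added example (not part of the thread and not a Microsoft script), the PowerShell below turns the reply's steps into checks a practitioner can run before and after the fix. Run with -Role DC on the new domain controller to prove the CA's RPC endpoint mapper (TCP 135) is reachable and to re-trigger autoenrollment, and with -Role CA on the CA host to verify that CERTSVC_DCOM_ACCESS exists, that it holds the three groups from the reply, and that certsvc has completed its DCOM security update; -Fix applies the group additions and the flag reset from step 3. The CA host name is a placeholder, and the script assumes Windows PowerShell on Windows Server 2008 or later and that "certutil -getreg SetupStatus" lists the names of set flags in its output.

```powershell
# Added example for this thread (not from the original post or from Microsoft):
# diagnostics and optional repair for the 0x800706ba (RPC server unavailable)
# DomainControllerAuthentication enrollment failure.
param(
    [ValidateSet('DC', 'CA')][string]$Role = 'DC',
    [string]$CaHost = 'ca01.internal.fqdn',   # assumed placeholder: your enterprise CA host
    [string[]]$RequiredMembers = @('Domain Users', 'Domain Computers', 'Domain Controllers'),
    [switch]$Fix
)

# --- DC side -----------------------------------------------------------------

# WIN32 1722 is a transport/DCOM problem, not a template problem: first prove the DC can
# reach the CA's RPC endpoint mapper on TCP 135 (the dynamic DCOM ports are negotiated from there).
function Test-RpcEndpointMapper([string]$HostName, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, 135, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Trigger autoenrollment now and report any 0x800706ba events logged in the last few minutes.
function Invoke-AutoEnrollCheck {
    & certutil -pulse | Out-Null
    Start-Sleep -Seconds 30
    Get-EventLog -LogName Application -After (Get-Date).AddMinutes(-5) |
        Where-Object { $_.Message -match '0x800706ba' } |
        Select-Object TimeGenerated, EventID, Message
}

# --- CA side -----------------------------------------------------------------

# CERTSVC_DCOM_ACCESS is the group DCOM callers must belong to after the 2003 SP1 change.
# 'net localgroup' covers both the local group (member-server CA) and the domain local group
# (CA on a DC). Returns $null when the group does not exist at all.
function Get-DcomAccessMembers {
    $out = & net localgroup CERTSVC_DCOM_ACCESS 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $members = @(); $inList = $false
    foreach ($line in $out) {
        $t = "$line".Trim()
        if ($t -like '----*') { $inList = $true; continue }
        if ($t -like 'The command completed*') { break }
        if ($inList -and $t) { $members += $t }
    }
    return $members
}

# The SetupStatus flag that tells certsvc the DCOM security update has already been applied.
# Assumption: 'certutil -getreg SetupStatus' prints the names of the flags that are set.
function Test-DcomSecurityUpdatedFlag {
    $out = & certutil -getreg SetupStatus 2>&1
    return [bool]($out -match 'SETUP_DCOM_SECURITY_UPDATED_FLAG')
}

# Steps 2 and 3 from the reply: add the missing groups, then clear the flag so certsvc
# re-applies the DCOM security settings on its next start.
function Repair-DcomAccess([string[]]$Members) {
    foreach ($m in $Members) {
        # Domain groups need the domain prefix when added to a local group on a member server.
        & net localgroup CERTSVC_DCOM_ACCESS "$env:USERDOMAIN\$m" /add | Out-Null
    }
    & certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
    & net stop certsvc | Out-Null
    & net start certsvc | Out-Null
}

switch ($Role) {
    'DC' {
        if (-not (Test-RpcEndpointMapper $CaHost)) {
            Write-Warning "TCP 135 on $CaHost is not reachable from this DC; fix the network path before looking at DCOM permissions."
        } else {
            Write-Host "Endpoint mapper on $CaHost reachable; re-running autoenrollment..."
            $events = Invoke-AutoEnrollCheck
            if ($events) { $events | Format-List } else { Write-Host "No 0x800706ba events in the last 5 minutes." }
        }
    }
    'CA' {
        $members = Get-DcomAccessMembers
        if ($members -eq $null) {
            Write-Warning "CERTSVC_DCOM_ACCESS does not exist: the SP1 DCOM security update has not been applied on this CA."
        } else {
            # Members may be listed as 'Domain Users' (CA on a DC) or 'DOMAIN\Domain Users' (member server).
            $missing = @($RequiredMembers | Where-Object { $g = $_; -not @($members | Where-Object { $_ -like "*$g" }).Count })
            if ($missing) { Write-Warning ("Missing from CERTSVC_DCOM_ACCESS: " + ($missing -join ', ')) }
            if (-not (Test-DcomSecurityUpdatedFlag)) { Write-Warning "SETUP_DCOM_SECURITY_UPDATED_FLAG is not set; certsvc has not finished its DCOM update." }
            if ($Fix -and $missing) { Repair-DcomAccess $missing }
        }
    }
}
```

Two design points: the port 135 test comes first because an unreachable endpoint mapper produces exactly the same 1722 error as a DCOM permission denial, and the group check compares against the three groups named in the reply rather than accepting any member, so a CA whose CERTSVC_DCOM_ACCESS has been widened to Everyone still shows up as a finding to review.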





