Dear all,

Have just implemented a W2003 PKI for our 3-domain forest. The issuing CA is
a W2003 Enterprise box, not a DC, but installed as part of one of the child
domains in the forest under an Enterprise Admins account.

pkiview tells me everything is fine, and domain controllers are
auto-enrolling just fine within the child domain hosting the CA. Outside, in
the other child domains, they aren't, but that's an issue with Cert Publishers
membership that I am confident I can resolve by changing the scope of the
groups.

The problem I have is referenced in http://support.microsoft.com/kb/927066
but the fix does not work in our situation. The fix I am referring to is to
run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
CERTSRV_DCOM_ACCESS group is missing from the Users container in the AD.
Which it is. Running this generates no errors, but does not create the
group...

I feel I should also mention that our root domain within the forest was
upgraded from W2000 to 2003, but due to an administrative oversight, the
schema was updated to R2 before SP1 was applied to the schema master. Not
sure if this is related.

Essentially I need to have the group so I can add the relevant groups so my
users are able to request certificates. At the moment only Ent Admins can;
everyone else receives the following message:

The wizard cannot be started because of one or more of the following
conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available
CAs.
- The available CAs issue certificates for which you do not have permissions.


Any ideas? Any advice welcomed!

Best,

Jim Bullock

Re: CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not working 4 by Paul

Paul
Wed Feb 21 12:03:37 CST 2007

In article <3A1AB974-937C-4BF8-8C8B-1BD20CB2E6AF@microsoft.com>,
in the microsoft.public.security news group, James Bullock
<jimmerb@donotspam.donotspam> says...

> The problem i have is referenced in http://support.microsoft.com/kb/927066
> but the fix does not work in our situation. The fix i am referring to is to
> run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
> CERTSRV_DCOM_ACCESS group is missing from the users container in the ad.
> Which it is. Running this generates no errors, but does not create the
> group....
>
>

Step 4 is confusing. If the group doesn't exist, the command
will not create the group for you. You'll need to follow the
verification procedures in the preceding steps and actually
perform the configuration rather than just verifying the listed
settings.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea
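Paul's point is that the certutil command only flips a setup flag; it does not create the group. The following diagnostic (an added example, not from the thread or from Microsoft) reports both sides separately so the two are not confused: whether CERTSRV_DCOM_ACCESS exists in the CA's domain and who is in it, and whether the SetupStatus flag is already set on the CA. It assumes the ActiveDirectory module is available, that it runs on the CA host, and that SETUP_DCOM_SECURITY_UPDATED_FLAG has the value 0x2000 (taken from certsrv.h; verify against your SDK headers).

```powershell
# Added diagnostic for the CERTSRV_DCOM_ACCESS / SetupStatus mismatch described in the thread.
# Assumptions: ActiveDirectory module present, run on the CA host, flag value 0x2000 (certsrv.h).
Import-Module ActiveDirectory

$DcomFlag = 0x2000   # assumed value of SETUP_DCOM_SECURITY_UPDATED_FLAG

function Test-CertSrvDcomAccessGroup {
    # Looks for the group in the CA's own domain and lists its members, so you can see
    # which domains' Domain Users / Domain Computers have actually been added.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $group = Get-ADGroup -Filter "Name -eq 'CERTSRV_DCOM_ACCESS'" -Server $Domain -ErrorAction SilentlyContinue
    if (-not $group) {
        return [pscustomobject]@{ Exists = $false; Scope = $null; Members = @() }
    }
    $members = Get-ADGroupMember -Identity $group -Server $Domain |
        ForEach-Object { '{0} ({1})' -f $_.Name, $_.distinguishedName }
    [pscustomobject]@{ Exists = $true; Scope = $group.GroupScope; Members = @($members) }
}

function Test-CertSrvDcomFlag {
    # Reads SetupStatus from the active CA's configuration key, the value certutil -setreg edits.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $status = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name SetupStatus).SetupStatus
    [pscustomobject]@{
        CA          = $caName
        SetupStatus = ('0x{0:X}' -f $status)
        DcomFlagSet = (($status -band $DcomFlag) -ne 0)
    }
}

$g = Test-CertSrvDcomAccessGroup
$f = Test-CertSrvDcomFlag

"CA '{0}': SetupStatus={1}, DCOM flag set={2}" -f $f.CA, $f.SetupStatus, $f.DcomFlagSet
if ($g.Exists) {
    "CERTSRV_DCOM_ACCESS exists (scope {0}) with {1} member(s):" -f $g.Scope, $g.Members.Count
    $g.Members | ForEach-Object { "  $_" }
} else {
    "CERTSRV_DCOM_ACCESS does not exist in this domain."
}
# The situation Jim describes: flag set, group absent. Setting the flag again changes nothing.
if ($f.DcomFlagSet -and -not $g.Exists) {
    "Flag is set but the group is missing: create the group and grant it the CA's DCOM access, then restart CertSvc."
}
```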

Re: CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not worki by jimmerb

jimmerb
Wed Feb 21 12:59:00 CST 2007

Ah ok, so I create the group myself?

Thanks for the quick response Paul, much appreciated.


RE: CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not working 4 by jimmerb

jimmerb
Wed Feb 21 16:25:16 CST 2007

Oddly, all the things I'm reading with regard to the problems I'm having
getting users to be able to enrol certificates seem to be about people
having problems with auto-enrollment for DCs, which seems to work perfectly
first time in this infrastructure.

Given the first CA is in one of the child domains as opposed to the root
domain, could this be part of my issue, to do with the permissions anyhow?

Not sure of sensible next step, any pointers appreciated.

Cheers,

Jim