v-mileli
Thu Jul 10 03:21:00 PDT 2008
Hello,
Thanks for your post.
To get things clear in my head, please answer the following question:
1. On the DC that encountered the error, can you request any other
certificates successfully such as a user certificate via MMC?
If you receive the same error as the one you get when you request the Domain
Controller certificate, you can refer to the following troubleshooting steps:
1. Check the DCOM configuration on the CA by running "DCOMCNFG" in the
command prompt. Right-click Component Services ---> Computers ---> My
Computer ---> Properties and check whether "Enable Distributed COM on this
computer" is selected in the Default Properties tab.
2. There is a group that is created called CERTSVC_DCOM_ACCESS. Check in
AD Users and Computers to verify that the members are Domain Users, Domain
Computers.
927066 Error message when a client computer requests a certificate
from a computer that is running Windows Server 2003 with Service Pack 1:
"The wizard cannot be started because of one or more of the following
conditions"
http://support.microsoft.com/kb/927066
3. Ensure the Domain Controllers group and Domain Admins group have the
read and enroll permissions on the Domain Controller template.
For your reference:
889101 Release notes for Windows Server 2003 Service Pack 1--->
Certificate Services: Effects of security enhancements to the DCOM protocol
http://support.microsoft.com/kb/889101
Hope it helps.
Sincerely,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
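
The three checks from the post above can also be read out with a short read-only script. This is an added example, not part of the original post or Microsoft's guidance. It assumes the ActiveDirectory PowerShell module is available, that it runs on the CA itself, that CERTSVC_DCOM_ACCESS is a domain group (as the post implies), and that the template's directory object is named `DomainController`.

```powershell
# Added example: read-only checks for the three troubleshooting steps.
# Assumptions: ActiveDirectory module present, run on the CA, and the
# Domain Controller template object is CN=DomainController.
Import-Module ActiveDirectory

# Step 1: "Enable Distributed COM on this computer" is stored as EnableDCOM = Y.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM
"DCOM enabled: {0}" -f ($ole.EnableDCOM -eq 'Y')

# Step 2: direct members of CERTSVC_DCOM_ACCESS should include both groups.
$members = (Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS').Name
foreach ($expected in 'Domain Users', 'Domain Computers') {
    "{0} in CERTSVC_DCOM_ACCESS: {1}" -f $expected, ($members -contains $expected)
}

# Step 3: Domain Controllers and Domain Admins need Read and Enroll on the template.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$netbios    = (Get-ADDomain).NetBIOSName
$acl        = Get-Acl -Path "AD:\$templateDN"

foreach ($group in 'Domain Controllers', 'Domain Admins') {
    # Allow ACEs granted directly to this group (nested grants are not resolved here).
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "$netbios\$group" -and
        $_.AccessControlType -eq 'Allow'
    }
    # Simplification: "Read" is treated as the ReadProperty right being present.
    $read = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -band $rights::ReadProperty
    })
    # Enroll is the extended right above, or an ACE covering all extended rights.
    $enroll = [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
    })
    "{0}: Read={1} Enroll={2}" -f $group, $read, $enroll
}
```

A `False` on any line points at the corresponding step in the post; the script changes nothing.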