Technical Tip

Server 2003 DC Autoenrollment gives error 13

This is usually caused by a DCOM permission problem on the Windows Server 2003 certificate server: Service Pack 1 tightened the DCOM security that Certificate Services uses, and a domain controller that is not allowed through it fails to enroll, logging event ID 13 from source AutoEnrollment in its Application log. Typically it appears when SP1 has been applied to one or more DCs/GCs or to the CA, or when service pack levels are mismatched between them.

To fix it, do the following:

- Check the group CERTSVC_DCOM_ACCESS (Certificate Service DCOM Access), which SP1 creates in the domain to grant DCOM access to the CA.

Make sure that Domain Users, Domain Computers AND (often missing) Domain Controllers are members of this group. A DC only picks up the new membership when it next logs on, which is why the reboot at the end is required.

- Check the permissions on C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA and its subfolder MachineKeys.

Make sure that Administrators, Domain Admins and SYSTEM all have Full Control over these folders and the files in them.

- Clear the "DCOM security updated" setup flag so that Certificate Services re-applies its DCOM security settings (including access for CERTSVC_DCOM_ACCESS) the next time it starts. The leading minus in the command below clears the flag rather than setting it.

Run this on the server that runs Certificate Services for the domain:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG

- Restart the certificate services on the server that runs certificate services for the domain.

You can do this from the command line with:

net stop certsrv
net start certsrv

- Reboot the offending DC(s), so that they pick up the new group membership and retry enrollment.

Note that the DCs can take a LONG time to come back up and be fully operational, especially if autoenrollment was never working on the DC in question. On our systems, it took about 10 minutes before we could log on to the console and use the server.
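The steps above as one check-then-fix script, added here as an example and not part of the original tip. It is meant to be run from an elevated PowerShell prompt on the CA server. The group name CERTSVC_DCOM_ACCESS, the MachineKeys path and the certutil/certsvc commands come from the tip; the function names, the -CheckOnly switch and the use of plain ADSI (Server 2003 has no ActiveDirectory module) are this example's own assumptions.

```powershell
# Added example (not the original tip's code): verify the CERTSVC_DCOM_ACCESS
# membership and MachineKeys ACLs, then clear the CA setup flag and restart certsvc.
# Assumptions: run elevated on the CA, under a domain account; -CheckOnly skips the fix.
param([switch]$CheckOnly)

$RequiredGroupMembers = @('Domain Users', 'Domain Computers', 'Domain Controllers')
$RequiredFullControl  = @('Administrators', 'Domain Admins', 'SYSTEM')
# Server 2003 location of the machine key store, as given in the tip
$MachineKeysPath = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

function Get-DomainGroupMemberNames {
    # Returns the CN of every direct member of a domain group via System.DirectoryServices,
    # which works on Server 2003 (no ActiveDirectory module needed).
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$SamAccountName' was not found in the domain" }
    foreach ($dn in $result.Properties['member']) {
        if ($dn -match '^CN=([^,]+)') { $matches[1] }   # "CN=Domain Controllers,CN=Users,..." -> "Domain Controllers"
    }
}

function Get-MissingFullControl {
    # Returns each name in $Identities that has no explicit Allow/FullControl ACE on $Path.
    # Caveat: generic-rights ACEs (raw bits not mapped to FullControl) are reported as missing.
    param([string]$Path, [string[]]$Identities)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$id" -and      # matches BUILTIN\, NT AUTHORITY\ and DOMAIN\ prefixes
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if (-not $hit) { $id }
    }
}

function Repair-CaDcomSecurity {
    # Clears the setup flag (leading '-') so certsvc re-applies its DCOM security on the
    # next start, then restarts the service: the tip's two manual steps in one place.
    & certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    Restart-Service -Name certsvc
}

# --- step 1: group membership ---
$members = @(Get-DomainGroupMemberNames 'CERTSVC_DCOM_ACCESS')
$missingMembers = @($RequiredGroupMembers | Where-Object { $members -notcontains $_ })
if ($missingMembers.Count -gt 0) {
    Write-Warning "CERTSVC_DCOM_ACCESS is missing: $($missingMembers -join ', ')"
    Write-Warning 'Add the missing groups in Active Directory Users and Computers, then rerun this script.'
}

# --- step 2: MachineKeys ACLs on the folder and every key file inside it ---
$paths = @($MachineKeysPath) + @(Get-ChildItem -Path $MachineKeysPath -Force | ForEach-Object { $_.FullName })
foreach ($p in $paths) {
    $missing = @(Get-MissingFullControl -Path $p -Identities $RequiredFullControl)
    if ($missing.Count -gt 0) { Write-Warning "$p lacks Full Control for: $($missing -join ', ')" }
}

# --- steps 3 and 4: only once the group is complete, and not in check-only mode ---
if ($missingMembers.Count -eq 0 -and -not $CheckOnly) {
    Repair-CaDcomSecurity
    Write-Output 'CA flag cleared and certsvc restarted. Now reboot the affected DC(s) and allow them time to come up.'
}
```

Run it once with -CheckOnly to see what is wrong, fix the group membership and ACLs it reports, then run it again without the switch to clear the flag and restart Certificate Services. The final reboot of the DC(s) is still a manual step, as in the tip.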
