CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not working 4

CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not working 4
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
CERTSRV_DCOM_ACCESS Group missing - suggested KB fix not working 4 James Bullock 02-21-2007
Posted by =?Utf-8?B?SmFtZXMgQnVsbG9jaw== on February 21, 2007, 12:12 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Dear all,

Have just implemented a W2003 pki for our 3 domain forest, the issuing CA is
a w2003 enterprise box, not a dc but installed as part of one of the child
domains in the forest under an enterprise admins account.

pkiview tells me everything is fine, and domain controllers are
auto-enrolling just fine within the child domain hosting the CA, outside in
the other child domains they aren't but thats an issue with Cert Publishers
membership that i am confident i can resolve by changing the scope of the
groups.

The problem i have is referenced in http://support.microsoft.com/kb/927066
but the fix does not work in our situation. The fix i am referring to is to
run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
CERTSRV_DCOM_ACCESS group is missing from the users container in the ad.
Which it is. Running this generates no errors, but does not create the
group....

I feel i should also mention that our root domain within the forest was
upgraded from w2000 to 2003, but due to an administrative oversight, the
schema was updated to R2 before sp1 was applied to the schema master. Not
sure if this is related.

Essentially i need to have the group so i can add the relevant groups so my
users are able to request certificates, at the moment only ent admins can,
everyone else receives the following message

The wizard cannot be started because of one or more of the following
conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available
CAs.
- The available CAs issue certificates for which you do not have permissions.


Any ideas? Any advice welcomed!

Best,

Jim Bullock



Posted by Paul Adare on February 21, 2007, 1:03 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
in the microsoft.public.security news group, =?Utf-8?B?

> The problem i have is referenced in http://support.microsoft.com/kb/927066
> but the fix does not work in our situation. The fix i am referring to is to
> run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
> CERTSRV_DCOM_ACCESS group is missing from the users container in the ad.
> Which it is. Running this generates no errors, but does not create the
> group....
>
>

Step 4 is confusing. If the group doesn't exist, the command
will not create the group for you. You'll need to follow the
verification procedures in the preceding steps and actually
perform the configuration rather than just verifying the listed
settings.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm,
has survived for centuries without smileys. Only the new crop of
modern computer geeks finds it impossible to detect a joke that
is not clearly labeled as such."
Ray Shea

Posted by =?Utf-8?B?SmFtZXMgQnVsbG9jaw== on February 21, 2007, 1:59 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
ah ok, so i create the group myself?

Thanks for the quick response paul, much appreciated.

"Paul Adare" wrote:

> in the microsoft.public.security news group, =?Utf-8?B?
>
> > The problem i have is referenced in http://support.microsoft.com/kb/927066
> > but the fix does not work in our situation. The fix i am referring to is to
> > run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
> > CERTSRV_DCOM_ACCESS group is missing from the users container in the ad.
> > Which it is. Running this generates no errors, but does not create the
> > group....
> >
> >
>
> Step 4 is confusing. If the group doesn't exist, the command
> will not create the group for you. You'll need to follow the
> verification procedures in the preceding steps and actually
> perform the configuration rather than just verifying the listed
> settings.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca
> "The English language, complete with irony, satire, and sarcasm,
> has survived for centuries without smileys. Only the new crop of
> modern computer geeks finds it impossible to detect a joke that
> is not clearly labeled as such."
> Ray Shea
>

Posted by =?Utf-8?B?SmFtZXMgQnVsbG9jaw== on February 21, 2007, 5:25 pm
If you were  Registered and logged in, you could reply and use other advanced thread options


Oddly, all the things i'm reading with regards the problems i'm having
getting users to be able to enrol certificates - seem to be about people
having problems with auto-enrollment for DC's, which seems to work perfectly
first time in this infrastructure.

Given the first CA is in one of the child domains as opposed to the root
domain, could this be part of my issue - to do with the permissions anyhow?

Not sure of sensible next step, any pointers appreciated.

Cheers,

Jim
"James Bullock" wrote:

> Dear all,
>
> Have just implemented a W2003 pki for our 3 domain forest, the issuing CA is
> a w2003 enterprise box, not a dc but installed as part of one of the child
> domains in the forest under an enterprise admins account.
>
> pkiview tells me everything is fine, and domain controllers are
> auto-enrolling just fine within the child domain hosting the CA, outside in
> the other child domains they aren't but thats an issue with Cert Publishers
> membership that i am confident i can resolve by changing the scope of the
> groups.
>
> The problem i have is referenced in http://support.microsoft.com/kb/927066
> but the fix does not work in our situation. The fix i am referring to is to
> run certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG if the
> CERTSRV_DCOM_ACCESS group is missing from the users container in the ad.
> Which it is. Running this generates no errors, but does not create the
> group....
>
> I feel i should also mention that our root domain within the forest was
> upgraded from w2000 to 2003, but due to an administrative oversight, the
> schema was updated to R2 before sp1 was applied to the schema master. Not
> sure if this is related.
>
> Essentially i need to have the group so i can add the relevant groups so my
> users are able to request certificates, at the moment only ent admins can,
> everyone else receives the following message
>
> The wizard cannot be started because of one or more of the following
> conditions:
> - There are no trusted certification authorities (CAs) available.
> - You do not have the permissions to request certificates from the available
> CAs.
> - The available CAs issue certificates for which you do not have permissions.
>
>
> Any ideas? Any advice welcomed!
>
> Best,
>
> Jim Bullock
>
>

Similar ThreadsPosted
Group Policies not working October 12, 2005, 11:35 am
Power Users group and Administrators group November 4, 2005, 4:04 pm
security tab missing September 14, 2006, 11:43 pm
Information Bar Missing September 25, 2007, 1:06 pm
Im missing a security update, how can I get it? November 16, 2005, 6:27 pm
Folder Security tab missing June 17, 2006, 4:41 am
Permission is missing after 2-3 days April 25, 2007, 12:44 am
Missing Admin Shares July 19, 2007, 6:54 am
missing key/value in registry of w2k server - hot to track it? June 12, 2005, 10:19 pm
Missing Administrator Icon In Welcome Screen October 7, 2007, 4:53 am

The site map in XML format XML site map

Contact Us | Privacy Policy