
Click Edit Limits in the Launch and Activation Permission section and ensure that Certificate Service DCOM Access group has Local Activation and Remote Activation permissions. Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access has Local Access and Remote Access permissions. Right-click My Computer, select Properties, verify that Enable Distributed COM on this computer is selected in the Default Properties tab. On the Component Services console, navigate to Component Services\Computers\My Computer. Check the DCOM Access Limit of “My Computer” of the DC:
Please verify that the Builtin\Users group includes the following member groups.
Please ensure that “Authenticated Users” group is in the “Certificate Service DCOM Access” group. Therefore, I suggest that we do further checking on the CA server I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN Command works fine on other machines - pointing to that very DC (the FSMO role According to the netmon files, I believe that it is a permission-related issue. sc_verify:domain run on this DC gives the following error: Services security settings as laid out in (WS.10).aspx - the last couple of containers - NT Certificates Object and Domain Users and Computers weren't present, everything I figure it’s a rights issue - but not on a domain group as the subordinate CA "domain-server-CA" ICertRequest2 interface is alive CertUtil: -ping command completed successfully. Same command from a command prompt on the same computer run as domain admin: Server could not be reached: The RPC server is unavailable. ping -config "\domain-server-ca Connecting to \domain-server-ca User cert that I this is issued successfully. Can also be seen using the certutil tool, here is run as a standard user: That if I run certificates snapin with a Domain admin account and request a I have added a subordinate CA and that is issuing certificates from the same templates without any error. This CA has also issued certs in the past for computers and webservers. To enroll a webserver cert (or a computer cert or user cert) gets the error The
Certserv running on a DC that is not a GC holding the FSMO roles.