CA resolution

Turns out there are some bugs in the CA install.

Our environment:
  • Empty root domain
  • Domains all initially installed as Windows 2000 Server
  • All Domain Controllers now 2003 Server SP1
It turns out that when you install the CA into such an environment, it creates a new group but does not add the CA server to it. That is what happened to us. The group is CERTSVC_DCOM_ACCESS in the Users container. Adding the "Domain Controllers" group to that group allows auto-enrolment to work for that domain. I'm still getting the child domain, where the rest of us are, up and running, but at least it's working to spec right now.

This is actually documented in the SP1 release notes:

Note that if the certification authority is installed on a domain controller, and the enterprise is made up of more than one domain, Certificate Services cannot automatically update the DCOM security settings for enrollees from outside the certification authority’s domain. Therefore, these enrollees will be denied enroll access to the certification authority.

To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can add only domain groups to it. For example, if users and computers from another domain, a domain named Contoso, have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.

That says it right there. But SP1 hasn't been out long enough for any KB articles to exist on the subject.
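The fix described above (the Domain Controllers group for the CA's own domain, plus the other domain's Domain Users and Domain Computers groups, added to the domain local group CERTSVC_DCOM_ACCESS), written out as a script that is safe to re-run and that verifies the result. This is an added example, not from the original post or from Microsoft's documentation; it assumes the RSAT ActiveDirectory PowerShell module is available and that you run it with rights to modify the group. The domain names root.example and child.example are placeholders for your CA domain and the enrolling domain.

```powershell
# Added example (not from the original post). Grants CA DCOM enroll access to
# principals from another domain by populating CERTSVC_DCOM_ACCESS, then verifies
# the membership. Domain names are placeholders; adjust before use.
Import-Module ActiveDirectory

$CaDomain     = 'root.example'    # domain holding the CA (placeholder)
$EnrollDomain = 'child.example'   # domain whose principals must enroll (placeholder)
$GroupName    = 'CERTSVC_DCOM_ACCESS'

# The group is created in the Users container of the CA's domain.
$group = Get-ADGroup -Identity $GroupName -Server $CaDomain -Properties member
if ($group.GroupScope -ne 'DomainLocal') {
    throw "$GroupName is expected to be a domain local group; found $($group.GroupScope)"
}

# Domain local scope means only *groups* from the other domain can be added,
# so use Domain Users / Domain Computers rather than individual principals.
# Keeping the grant to these specific domain groups (rather than something
# forest-wide such as Authenticated Users) limits who can talk to the CA's DCOM interface.
$members = @(
    (Get-ADGroup -Identity 'Domain Users'     -Server $EnrollDomain),
    (Get-ADGroup -Identity 'Domain Computers' -Server $EnrollDomain),
    # The post's fix for the CA's own domain: its Domain Controllers group.
    (Get-ADGroup -Identity 'Domain Controllers' -Server $CaDomain)
)

# Compare by distinguished name against the raw 'member' attribute; this avoids
# Get-ADGroupMember having to resolve cross-domain members and is idempotent.
foreach ($m in $members) {
    if ($group.member -contains $m.DistinguishedName) {
        Write-Host "Already a member: $($m.DistinguishedName)"
    } else {
        Add-ADGroupMember -Identity $group -Members $m.DistinguishedName -Server $CaDomain
        Write-Host "Added: $($m.DistinguishedName)"
    }
}

# Verify: re-read the membership and print it so an unexpected (over-broad) entry is visible.
$after = Get-ADGroup -Identity $GroupName -Server $CaDomain -Properties member
Write-Host "Current members of ${GroupName}:"
$after.member | Sort-Object | ForEach-Object { Write-Host "  $_" }

$missing = $members | Where-Object { $after.member -notcontains $_.DistinguishedName }
if ($missing) {
    throw "Membership incomplete: $($missing.DistinguishedName -join ', ')"
}
Write-Host 'CERTSVC_DCOM_ACCESS membership verified.'
```

On a 2003-era DC without PowerShell, the same change can be made in Active Directory Users and Computers or with the `dsmod group <groupDN> -addmbr <memberDN>` command that ships with Server 2003. After the change, auto-enrolment on an affected client can be triggered with `certutil -pulse` or `gpupdate /force`, and a failed enrolment will still show a DCOM access-denied error in the client's Application event log until the membership has replicated to the DC the client uses.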