ORF反垃圾邮件系统

邮件服务器-邮件系统-邮件技术论坛(BBS)

 找回密码
 会员注册
查看: 10432|回复: 7
打印 上一主题 下一主题

[求助] 域控制器 日志出现错误

[复制链接]
跳转到指定楼层
顶楼
发表于 2007-12-10 10:05:40 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
大家好,小弟问个问题:
昨天发现我们这里不能上网了(我们这里是通过域控制器dns转发),到域控制器检查的时候发现 日志出现了一下错误:希望大家多多帮助.谢谢了

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?会员注册

x
沙发
发表于 2007-12-10 16:14:13 | 只看该作者
首选确定一下是否可以打开域的组策略
打开会提示什么错误。
藤椅
发表于 2007-12-10 17:24:09 | 只看该作者
可以打开组策略的,我的也是出现错误13啊,该如何解决啊??请版主帮忙啊

[ 本帖最后由 paganism 于 2007-12-10 17:33 编辑 ]

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?会员注册

x
板凳
发表于 2007-12-11 15:03:51 | 只看该作者
DNS解析正常嗎。其實AD架好了。沒有什麼問題的啊。
报纸
发表于 2007-12-11 17:21:16 | 只看该作者
windows 2003 事件ID:13的解决方法
By  安然 发表于 2007-11-19 16:33:00

刚安装好一台服务器作为额外域控制器.居然就出现了AutoEnrollment错误.
原来这个错误与Windows Server 2003 Service SP1对DCOM 协议引入的增强安全设置有关.

详细的错误信息是:
日期:2007-X-XX
来源:AutoEnrollment
时间:12:59:54
类别:无
类型:错误
事件ID:13
用户:N/A
计算机略)
描述:本地系统 的自动证书注册在注册一个 域控制器 证书 (0x80070005)时失败。拒绝访问。

上网查找了一下.最后在微软找到了相应的内容.
原来windows 2003安装了SP1后,对DCOM 协议使用了增强的安全设置,并作了一些调整,而证书服务是使用DCOM 协议的,所以出现了上述错误.

    事实上,微软在SP1后,对windows 2003的DCOM安全设置作了如下改变:
    (以下内容直接来自微软文档)
    Windows Server 2003 certificate services uses the DCOM protocol to provide enrollment and administration services. Certificate services provides several DCOM interfaces to make enrollment and administration services available. For correct access and usage of these services, certificate services assumes that the DCOM interfaces are set to enable remote activation and access permissions. However, because default security settings for DCOM are applied when you upgrade to Windows Server 2003 SP1, you may have to update these security settings to make sure that enrollment and administration services are available.

    By default, all DCOM interfaces in Windows Server 2003 SP1 are configured to grant remote access permissions, remote launch permissions, and remote activation permissions to administrators. However, when you upgrade to Windows Server 2003 SP1, security configuration changes are made to the global DCOM interface and to the CertSrv Request DCOM interface. These changes are made to enable certificate services to work correctly.

    Note Any changes that have been made to the CertSrv Request DCOM interface security settings before you install Windows Server 2003 SP1 are lost. Windows Server 2003 SP1 Setup resets all previous security settings in the CertSrv Request DCOM interface to their default settings.

    During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security settings as follows: CertSrv Request DCOM interface? The Everyone security group is granted local and remote access permissions.
    ? The Everyone security group is granted local and remote activation permissions.
    ? The Everyone security group is not granted local or remote launch permissions.

    ? DCOM computer restriction settings? A new security group, CERTSVC_DCOM_ACCESS, is automatically created.

    If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.

    If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.
    ? The CERTSVC_DCOM_ACCESS security group is granted local and remote access permissions.
    ? The CERTSVC_DCOM_ACCESS security group is granted local and remote activation permissions.
    ? The CERTSVC_DCOM_ACCESS security group is not granted local or remote launch permissions.

    Note:If the certification authority is installed on a domain controller and if the enterprise consists of more than one domain, certificate services cannot automatically update the DCOM security settings for enrollees from outside the certification authority's domain. Therefore, these enrollees will be denied enrollment access to the certification authority.

    To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can add only domain groups to it. For example, if users and computers from another domain, the Contoso domain, have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.

    If any enrollees that should be authorized by the certification authority are denied authorization after Windows Server 2003 SP1 is installed, you can have certificate services update the DCOM security settings again. To do this, type the following commands at the command prompt, and then press ENTER after each command.

    certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    DCOM_SECURITY_UPDATED_FLAG is an internal certificate services registry flag that indicates that the DCOM security settings were successfully updated. Certificate services checks this flag every time that certificate services is started. The previous commands reset the flag and then stop and start certificate services. This behavior causes certificate services to update the DCOM security settings again.


    读懂了上面的内容就知道了解决方法:
    1.打开域控制器的Active Directory用户和计算机.展开Users,找到CERTSVC_DCOM_ACCESS .
    2.手动将Domain Users 组和Domain Computers组添加到 CERTSVC_DCOM_ACCESS 安全组.(如果存在就不用添加啦).
    如果是域控制器上发生這些错误,请將Domain Controllers 组加入CERTSVC_DCOM_ACCESS组.因为域控制器不是Domain Computers通用组的成員,沒有足夠的 DCOM 权限.
    最终应该如下图所示:

    3.重启域控制器.(或重启DCOM服务)
    参考文档:
    (中文KB的也有,不过中文的机器翻译实在不敢恭维,还不如直接看英文好懂一点).

    Release notes for Windows Server 2003 Service Pack 1.

    Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
    Tags:
地板
 楼主| 发表于 2007-12-12 18:30:52 | 只看该作者
谢谢各位的回复
gpedit.msc可以打开
51cto论坛上有个热心人告诉了我一个方法,现在没有再出现错误.方法和大家共享下:
请你试试以下方法:
1.单击“开始”,单击“运行”,键入 gpedit.msc,然后按 Enter 键。
2. 在左窗格中,展开“计算机配置”,展开“Windows 设置”,展开“安全设置”,然后展开“公钥策略”。
3. 双击“自动注册设置”。
4. 单击“不要自动注册证书”。
5. 单击“确定”。
6. 重复第 2 到第 5 步,但是在第 2 步中,展开“用户配置”,展开“Windows 设置”,展开“安全设置”,然后展开“公钥策略”。
7. 关闭“组策略”窗口
另外你检查一下你的TCP/IP属性里面的首选DNS是不是设置正确的DNS服务器
7
发表于 2007-12-14 10:01:21 | 只看该作者
6楼的,你的这个步骤是在DC上么?如果问题的是由win 2003的sp1引起的话,最好还是通过组策略进行部署吧.
8
发表于 2009-10-19 09:57:19 | 只看该作者
事件类型: 错误
事件来源: AutoEnrollment
事件种类: 无
事件 ID: 13
日期:  2009-10-19
事件:  5:06:34
用户:  N/A
计算机: MAILSRV2
描述:
本地系统 的自动证书注册在注册一个 域控制器 证书 (0x80070057)时失败。参数不正确。

有关更多信息,请参阅在 http://go.microsoft.com/fwlink/events.asp 的帮助和支持中心。


事件类型: 错误
事件来源: AutoEnrollment
事件种类: 无
事件 ID: 16
日期:  2009-10-19
事件:  5:06:34
用户:  N/A
计算机: MAILSRV2
描述:
本地系统 的自动证书注册更新一个 域控制器 证书失败 (0x80070057)。参数不正确。

有关更多信息,请参阅在 http://go.microsoft.com/fwlink/events.asp 的帮助和支持中心。



看看我的这个,报参数不正确,不知道是不是同一个原因
您需要登录后才可以回帖 登录 | 会员注册

本版积分规则

小黑屋|手机版|Archiver|邮件技术资讯网

GMT+8, 2024-12-23 06:24

Powered by Discuz! X3.2

© 2001-2016 Comsenz Inc.

本论坛为非盈利中立机构,所有言论属发表者个人意见,不代表本论坛立场。内容所涉及版权和法律相关事宜请参考各自所有者的条款。
如认定侵犯了您权利,请联系我们。本论坛原创内容请联系后再行转载并务必保留我站信息。此声明修改不另行通知,保留最终解释权。
*本论坛会员专属QQ群:邮件技术资讯网会员QQ群
*本论坛会员备用QQ群:邮件技术资讯网备用群

快速回复 返回顶部 返回列表