Fixed - W2003 DC cannot request Domain Controller certificate from W2008 CA
Hi, I'm having a very frustrating problem with our domain controllers not being able to request a Domain Controller certificate from our Enterprise CA and am wondering if anyone can give me some insight into the issue...

Bit of background: We used to have a Windows 2000 Server (Std Ed) Domain Controller with Certificate Services installed as an Enterprise CA, but the hardware was causing us problems, so we decided to try and migrate the CA to a Windows 2008 Server (Std Ed). I followed the instructions (http://support.microsoft.com/kb/889250) to decommission the old CA and demote the DC before removing it from the domain. I then installed a fresh copy of Certificate Services on our 2008 DC with the default configuration.

Now, our 2008 DC successfully autoenrolled and obtained its Domain Controller certificate, and another W2000 DC (which we need to keep for legacy Terminal Services support) also successfully autoenrolled and obtained a Domain Controller certificate. But our other Windows 2003 Server (R2) Std Ed DCs refuse to obtain a certificate. I've even tried a brand new fresh install of W2003 (no Service Pack) and it also can't retrieve a certificate.

The error message in the Certificates snap-in (when requesting from Local Machine) shows:

The certificate request failed because of one of the following conditions:
- The certificate request was submitted to a Certificate Authority (CA) that is not started.
- You do not have the permissions to request certificates from the available CAs.

The event log shows the following when trying AutoEnrollment:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.

But the CA is started, and the DC is in the Domain Controllers OU and group, and appears to have the correct permissions. The DCOM config on the CA allows the 'Certificate Service DCOM Access' group Local Access and Remote Access, as well as Local/Remote Launch and Local/Remote Activation.
Also, the Terminal Server (2000) is able to request a Computer certificate without any issues. There is no trace of the old DC within the Enterprise PKI. Can anyone help shed some light on the issue?
February 10th, 2010 3:04pm

Problem resolved. Builtin/Users group was missing Authenticated Users.
March 3rd, 2010 6:39pm
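The reply above names the cause but not how to confirm it. The following PowerShell is an added example written for this page, not code from the thread: it checks whether the domain's Builtin\Users group still contains NT AUTHORITY\Authenticated Users (well-known SID S-1-5-11), restores it if missing, retriggers autoenrollment, and then looks for a Domain Controller certificate in the machine store. It assumes the ActiveDirectory module is available, that it runs in a Domain Admin session on one of the affected domain controllers, and that the CA publishes the V1 DomainController template (the default this thread describes). The helper name Test-AuthenticatedUsersInUsers is the example's own.

```powershell
# Added example (not from the original thread). Verifies and repairs the
# condition the reply identified: Builtin\Users missing Authenticated Users.
# Assumes the ActiveDirectory module and a Domain Admin session on a DC.
Import-Module ActiveDirectory

$authUsersSid = 'S-1-5-11'   # well-known SID of NT AUTHORITY\Authenticated Users

# Membership check via the group's member attribute: well-known principals
# appear there as foreignSecurityPrincipal objects named after their SID,
# so this is more reliable than Get-ADGroupMember for this case.
function Test-AuthenticatedUsersInUsers {
    $members = (Get-ADGroup -Identity 'Users' -Properties member).member
    return [bool]($members | Where-Object {
        $_ -like "CN=$authUsersSid,CN=ForeignSecurityPrincipals,*"
    })
}

if (-not (Test-AuthenticatedUsersInUsers)) {
    Write-Warning 'Builtin\Users is missing Authenticated Users; restoring the default membership.'
    # On a domain controller, net localgroup acts on the domain's Builtin groups.
    net localgroup Users 'NT AUTHORITY\Authenticated Users' /add
}

# Ask the autoenrollment client to run now instead of waiting for its next cycle.
certutil -pulse

# Look for a Domain Controller certificate by reading the V1 template-name
# extension (OID 1.3.6.1.4.1.311.20.2) of each cert in the machine store.
$dcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
        ForEach-Object { $_.Format($false) }) -match 'DomainController'
}

if ($dcCert) {
    $dcCert | Format-List Subject, NotAfter, Thumbprint
} else {
    Write-Warning 'No Domain Controller certificate found yet; autoenrollment runs asynchronously, so re-run the check after a minute and review the Application log.'
}
```

Because 0x80070005 is a generic access-denied result, the group fix alone is not proof of success: run the script once more after certutil -pulse has had time to complete, and treat a certificate carrying the DomainController template name as the real confirmation.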

