When trying to request a new certificate for DomainControllerAuthentication from our DC designated as the CA, we keep receiving an access denied error.
The following events are generated in the event viewer:
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:32 PM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="49754">13</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
<EventRecordID>5750</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="TemplateName">DomainControllerAuthentication</Data>
<Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
<Data Name="CA">N/A</Data>
<Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 64
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">64</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5749</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 65
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">65</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5748</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
So far we have:
- Verified the DCOM Certificate Enrollment group members to ensure that the proper DCs and users are added to the group.
- Verified the permissions on the CA and on the templates to ensure that the user and the DC requesting the new certificate have proper permissions to create a new certificate based on the template.
- Ensured that no objects remain in the tree for the old, lost DC that had the CA role.
However, these steps did not allow us to request new certificates...
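A PowerShell check that walks the same items listed above (DCOM reachability and group membership, Enroll/AutoEnroll ACEs on the template, and leftover Enrollment Services objects from a lost CA host), added here as an illustration and not part of the original post. It assumes the RSAT ActiveDirectory module, a domain-admin session on the affected DC, the CA config string taken from event 13 above, and the well-known Enroll and AutoEnroll extended-right GUIDs; the group name assumes the CA is installed on a DC, where "Certificate Service DCOM Access" is a domain-local group.

```powershell
# Added diagnostic (not from the original post). Assumes the RSAT
# ActiveDirectory module and a domain-admin session on the affected DC.
Import-Module ActiveDirectory

$template = 'DomainControllerAuthentication'
$caConfig = 'vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA'   # from event 13 above
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1. Can this host reach the CA's DCOM interface at all?
certutil -config $caConfig -ping

# 2. The CA's DCOM access group: the requesting DC's computer account
#    (or a group containing it, e.g. Domain Controllers) must be listed.
Get-ADGroupMember 'Certificate Service DCOM Access' -Recursive |
    Select-Object name, objectClass, distinguishedName

# 3. Enroll / AutoEnroll ACEs on the template object itself.
$tplDN = "CN=$template,CN=Certificate Templates,$pkiBase"
$sd = (Get-ADObject -Identity $tplDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
$sd.Access |
    Where-Object { ($_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid)) -or
                   ($_.ActiveDirectoryRights -match 'GenericAll') } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = {
            if     ($_.ObjectType -eq $EnrollGuid)     { 'Enroll' }
            elseif ($_.ObjectType -eq $AutoEnrollGuid) { 'AutoEnroll' }
            else                                       { $_.ActiveDirectoryRights } } }

# 4. Enrollment Services objects: each one should map to a CA host that
#    still exists, and the template must be published on the live CA. An
#    entry left behind by the lost DC would still be offered to clients.
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        [pscustomobject]@{
            CA                = $_.Name
            Host              = $_.dNSHostName
            HostStillExists   = [bool](Get-ADComputer -Filter "dNSHostName -eq '$($_.dNSHostName)'")
            PublishesTemplate = $_.certificateTemplates -contains $template
        }
    }
```

An Enrollment Services entry whose host no longer exists, or a template ACL with no Allow Enroll ACE for the DC's computer account or Domain Controllers, is the kind of finding that produces the 0x80070005 result in event 13.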