Hi,
I'm having a very frustrating problem with our domain controllers not being
able to request a Domain Controller certificate from our Enterprise CA and am
wondering if anyone can give me some insight into the issue...
Bit of background:
We used to have a Windows 2000 Server (Std Ed) Domain Controller with
Certificate Services installed as an Enterprise CA, but the hardware was
causing us problems, so we decided to try and migrate the CA to a Windows
2008 Server (Std Ed).
I followed the instructions (http://support.microsoft.com/kb/889250) to
decommission the old CA and demote the DC before removing it from the domain.
I then installed a fresh copy of Certificate Services on our 2008 DC with
the default configuration.
Now, our 2008 DC successfully autoenrolled and obtained its Domain
Controller certificate, and another W2000 DC (which we need to keep for legacy
Terminal Services support) also successfully autoenrolled and obtained a
Domain Controller certificate.
But, our other Windows 2003 Server (R2) Std Ed DCs refuse to obtain a
certificate. I've even tried a brand new fresh install of W2003 (no Service
Pack) and it also can't retrieve a certificate.
The error message in the Certificates snap-in (when requesting from Local
Machine) shows:
The certificate request failed because of one of the following conditions:
- The certificate request was submitted to a Certificate Authority (CA)
that is not started.
- You do not have the permissions to request certificates from the
available CAs.
The event log, when trying autoenrollment, shows:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.
But, the CA is started, and the DC is in the Domain Controllers OU and
Group, and appears to have the correct permissions.
The DCOM config on the CA allows 'Certificate Service DCOM Access' group
Local Access and Remote Access, as well as Local/Remote Launch, and
Local/Remote Activation.
Also, the Terminal Server (2000) is able to request a Computer certificate
without any issues.
There is no trace of the old DC within the Enterprise PKI.
Can anyone help shed some light on the issue?
Many thanks, Paul Kissick
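A diagnostic pass that separates the three places an "Access is denied" can come from in this scenario (the DCOM access check on the CA, the CA's own "Request Certificates" permission, and the Enroll ACL on the DomainController template), added here as an example and not part of Paul's post or of any Microsoft documentation. It is meant to be run from an Administrator command prompt on one of the failing Windows Server 2003 DCs. The CA config string "ca2008.example.local\Example-CA" is an assumed placeholder; replace it with "<CA host FQDN>\<CA common name>" as shown in the Certification Authority snap-in. All commands are stock certutil, certreq, dsquery and dsget as shipped with Windows Server 2003.

```batch
@echo off
setlocal
rem Added diagnostic example, not from the original post.
rem CA_CONFIG is an assumed placeholder: "<CA host FQDN>\<CA common name>".
set "CA_CONFIG=ca2008.example.local\Example-CA"

echo === 1. DCOM layer: can this machine reach the CA request interface? ===
rem "Access is denied" already at this step means the request never reaches the
rem CA logic: the caller is being rejected by the DCOM security on the CA host
rem (the "Certificate Service DCOM Access" group Paul mentions), or blocked by a
rem firewall. A successful ping rules that layer out.
certutil -ping -config "%CA_CONFIG%"

echo === 2. Is the DomainController template published on this CA? ===
certutil -CATemplates -config "%CA_CONFIG%" | findstr /i "DomainController"

echo === 3. Who may enroll on the template? (-v dumps its security descriptor) ===
rem Look for Enroll being granted to "Domain Controllers" and/or
rem "Enterprise Domain Controllers" in the dumped ACL.
certutil -v -template DomainController

echo === 4. Which groups does this DC's computer account actually carry? ===
rem Autoenrollment for the Local Computer store runs as SYSTEM, so it is the
rem computer account's group membership (not the logged-on admin's) that the
rem template ACL is evaluated against. -expand follows nested membership.
dsquery computer -name %COMPUTERNAME% | dsget computer -memberof -expand

echo === 5. Reproduce the failure by hand with a manual request ===
rem Same template, same machine key store, but outside the autoenrollment
rem engine, so the CA's reply is printed directly instead of only being
rem summarised as 0x80070005 in the event log.
> dc.inf (
  echo [NewRequest]
  echo Subject = "CN=%COMPUTERNAME%"
  echo MachineKeySet = TRUE
  echo KeyLength = 2048
  echo Exportable = FALSE
  echo [RequestAttributes]
  echo CertificateTemplate = DomainController
)
certreq -new dc.inf dc.req
certreq -submit -config "%CA_CONFIG%" dc.req dc.cer
if errorlevel 1 (
  echo Submit was refused. Since step 1 succeeded, the deny is coming from the
  echo CA's own Security tab ^("Request Certificates"^) or from the template ACL
  echo shown in step 3, evaluated against the groups shown in step 4.
) else (
  rem The CA issued the certificate: install it into the Local Computer store.
  certreq -accept dc.cer
)
endlocal
```

The interesting comparison is between steps 1 and 5: a DC that passes the ping but is refused at submit is past the DCOM check and is being denied by a CA or template permission, whereas a DC that fails the ping is never getting that far, so the template ACL is not the thing to look at first. The matching check on the 2008 CA itself is `net localgroup "Certificate Service DCOM Access"` (to see which principals are actually in the group the DCOM settings refer to) and `certutil -CATemplates` run locally; the certificate issued in step 5, if it succeeds, is a normal Domain Controller certificate and can be kept.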