Fixed - W2003 DC cannot request Domain Controller certificate from W2008 CA
Hi,
I'm having a frustrating problem with our domain controllers not being able to request a Domain Controller certificate from our enterprise CA, and was wondering if anyone can give me insight into the issue...
A bit of background:
We used to have a Windows 2000 Server (Std Ed) domain controller with Certificate Services installed as an enterprise CA, but the hardware was causing problems, so we decided to try and migrate the CA to Windows 2008 Server (Std Ed).
We followed the instructions (http://support.microsoft.com/kb/889250) to decommission the old CA, and demote the DC before removing it from the domain.
We installed a fresh copy of Certificate Services on our 2008 DC with the default configuration.
Now, our 2008 DC autoenrolled and obtained its Domain Controller certificate, and the W2000 DC (which we need to keep for legacy Terminal Services support) autoenrolled and obtained a Domain Controller certificate.
But our other Windows 2003 Server (R2) Std Ed DCs refuse to obtain a certificate. I've tried a brand new fresh install of W2003 (no service pack), and it can't retrieve a certificate.
The error message from the Certificates snap-in (when requesting for the local machine) shows:
The certificate request failed because of 1 of the following conditions:
- The certificate request was submitted to a Certificate Authority (CA) that is not started.
- You do not have the permissions to request certificates from the available CAs.
The event log shows:
Automatic certificate enrollment for local system failed to enroll for 1 Domain Controller certificate (0x80070005). Access is denied.
when trying autoenrollment.
But the CA is started, and the DC is in the Domain Controllers OU and group, and appears to have the correct permissions.
The DCOM config on the CA allows the 'Certificate Service DCOM Access' group local access and remote access, local/remote launch, and local/remote activation.
Also, the terminal server (2000) is able to request a Computer certificate without issues.
There is no trace of the old DC within Enterprise PKI.
Can anyone shed light on this issue?
Problem resolved.
The Builtin/Users group was missing Authenticated Users.