Windows Server 2008 R2 Thread, Problems with AD CS on 2008 r2 in Technical; We have installed a 2008 r2 server as CA in our domain, and are having problems issuing certificates to our ...
  1. #1
    sch

    Problems with AD CS on 2008 r2

    We have installed a 2008 r2 server as CA in our domain, and are having problems issuing certificates to our 2003 domain controllers.

    The root certificate is fine, everyone gets it. But the computer certificate for domain controllers is a whole other story.

    On our 2008 domain controllers, I can use the wizard when adding certificates in mmc, and request from there. Then the certificate for the DC is issued correctly, and placed correctly.

    But this option does not work on our 2003 domain controllers, I get the error:

    The wizard cannot be started because of one or more of the following reasons:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permission.

    I have checked everything I can think of, and can't find anything wrong. Besides, would I not get the same error on our 2008 DCs if there weren't any CAs available or there was something wrong with the permissions?

    If I use Web enrollment, it doesn't work at all, on both 2008 and 2003. I can create a certificate request, and select "domain controller" for the template. But the thing puts the certificate in the personal user store, not in the computer store. And the static information when looking at the details for the certificate is different than the certificate that was issued to a 2008 DC with the wizard. It's like the server issues different certificates through different templates, when all I'm using is the default template.

    Excuse me for sounding like a total newbie at this, but I am. I just got this task thrown at me, with the order to make it work, because no one else dared to touch our old CA which was failing. Only problem is that my level of skill in this particular field is more or less none.

    Please ask if you are wondering about anything, and I'll try to provide as much information as possible. I am desperate to make this work!

  2. #2

    Ok, firstly, as you say AD CS isn't something to be taken lightly and needs a good amount of planning to ensure that everything works as it should.

    In your case I'm going to guess that your CA doesn't currently have the certificates configured for use with 2003. This is because Windows Vista/2008 and later use a newer version of the certificate templates.

    You will need to go into your CA and either enable or configure a certificate template based on Version 2 for use with Windows Server 2003 and Windows XP. I've not got a CA I can connect to at the moment to give exact details on how to accomplish this but if you don't find it let me know and I'll dig out a guide for you.
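
One way to check what the reply above describes, as an added example that is not from any poster in this thread: this PowerShell reads the certificate template objects from the AD configuration partition and reports each template's schema version and whether an enterprise CA currently publishes it. It assumes the ActiveDirectory module is available (it ships with 2008 R2), that a template with no version attribute is a version 1 template, and, following the reply, that version 2 or lower is what Windows Server 2003 and XP can use.

```powershell
# Added example: list certificate templates with schema version and publish state.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Template names that any enterprise CA in the forest is set to issue.
$published = @(
    Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                 -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates }
) | Sort-Object -Unique

# Every template defined in AD, whether or not a CA issues it.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
                          -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                          -Properties displayName, 'msPKI-Template-Schema-Version'

$report = foreach ($t in $templates) {
    $version = $t.'msPKI-Template-Schema-Version'
    if (-not $version) { $version = 1 }   # assumption: no attribute means version 1

    New-Object PSObject -Property @{
        Name            = $t.Name
        DisplayName     = $t.displayName
        SchemaVersion   = [int]$version
        PublishedOnCA   = ($published -contains $t.Name)
        # Per the reply above: 2003/XP need a template of version 2 or lower.
        UsableBy2003    = ([int]$version -le 2)
    }
}

$report |
    Sort-Object Name |
    Format-Table Name, DisplayName, SchemaVersion, PublishedOnCA, UsableBy2003 -AutoSize

# Templates that exist in AD but that no CA is issuing yet.
$report | Where-Object { -not $_.PublishedOnCA } |
    Select-Object -ExpandProperty Name
```
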

  3. #3
    sch
    Originally posted by dan400007:
    Ok, firstly, as you say AD CS isn't something to be taken lightly and needs a good amount of planning to ensure that everything works as it should.

    In your case I'm going to guess that your CA doesn't currently have the certificates configured for use with 2003. This is because Windows Vista/2008 and later use a newer version of the certificate templates.

    You will need to go into your CA and either enable or configure a certificate template based on Version 2 for use with Windows Server 2003 and Windows XP. I've not got a CA I can connect to at the moment to give exact details on how to accomplish this but if you don't find it let me know and I'll dig out a guide for you.

    Thanks for the reply! After I posted my thread, I managed to google myself to the answer you gave here. Seems like it's only the DC template that doesn't work in 2003. A regular computer certificate from the CA installs just fine on 2003 and XP.

    If I choose manage on my templates folder I get a list of already ready templates to use. Is it not possible to create a new template from scratch? There is another DC template already there, which is possible to edit. But I can't get it to show on the list of templates I'm able to issue, why is that?

  4. #4

    sparkeh
    Just to throw another thing into the mix, I had the same issue a couple of weeks ago and it was a permissions issue.

    You need to make sure that the AD security group CERTSRV_DCOM_ACCESS has the following members: Domain users, Domain Computers, and Domain Controllers. The DC group is not always a member so won't have permission to get the certificate.

  5. #5
    sch
    Originally posted by sparkeh:
    Just to throw another thing into the mix, I had the same issue a couple of weeks ago and it was a permissions issue.

    You need to make sure that the AD security group CERTSRV_DCOM_ACCESS has the following members: Domain users, Domain Computers, and Domain Controllers. The DC group is not always a member so won't have permission to get the certificate.

    Aye, I did check this, and the groups were missing. But I have added them.
