Re: Complicated root CA issue..

From: =pathfinder= (pathfinder_at_discussions.microsoft.com)
Date: 06/08/05


Date: Wed, 8 Jun 2005 14:34:01 -0700

I tried using the utility as you mentioned and here are the responses I get
from one of the 6 DCs I have. This is a DC I built that did receive a DC
cert automatically.
_______________________________________________________________
C:\Documents and Settings\path>certutil -ping -config myCA
Connecting to myCA ...
Server "myCA.domain.com" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

C:\Documents and Settings\path>certutil -ping -config pcvw-udc
Connecting to pcvw-udc ...
Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)

CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Any more ideas?

"Steven L Umbach" wrote:

> I don't know offhand but suspect that the CA you were denied access to is
> not configured to use that certificate template or the permissions for that
> template do not allow you to request a certificate for that server. You
> could use the Certification Authority management console to compare which
> templates have been enabled on each CA and compare the permissions
> configured. Otherwise verify that you have connectivity to the CA in
> question from the domain controller for which you are trying to obtain a
> certificate by pinging it by IP address and fully qualified domain name and
> using the command " certutil -ping -config CAcomputername " to see if the CA
> responds, as shown in the example below of me doing so from an XP Pro
> domain computer. The link below explains some CA troubleshooting
> methods. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/03fc472d-4b66-41ee-97a5-5ae181beae2d.mspx
>
> D:\Documents and Settings\Steve>certutil -ping -config server1-2003
> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
> Connecting to server1-2003 ...
> Server "CA3" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.
>
> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> news:65F59990-3A00-4753-B740-53122772939C@microsoft.com...
> > Thanks Steven, that did the trick.
> > One other thing: why is it that if I choose the advanced option and
> > manually choose a different (subordinate) CA to give me the cert it fails
> > complaining "you do not have permission to do this or the CA is not
> > running"? When I try the process again but choose the default options
> > (uses the root CA) it all works?
> >
> > "Steven L Umbach" wrote:
> >
> >> Assuming everything is working correctly you could log on to the domain
> >> controller as a domain admin and then use the MMC Certificates snap-in
> >> for the computer account to request a domain controller certificate. Go to the
> >> Personal/Certificates folder, right click, select All Tasks - Request New
> >> Certificate and select Domain Controller certificate. --- Steve
> >>
> >>
> >> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> >> news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
> >> > Ok, we have 6 DCs. I built 3 in the last year but a previous admin
> >> > built the original 3 DCs. I have an enterprise Root CA; it has issued
> >> > Domain Controller certs to the 3 DCs I built but I can't get Domain
> >> > Controller certs to the original 3 DCs. I created an enrollment policy
> >> > for the Domain Controller certs but only 1 of the original DCs picked
> >> > that up.
> >> >
> >> > I really need to get Domain Controller certs on all my DCs as I am
> >> > deploying WPA-RADIUS WiFi and need to use PEAP to authenticate my
> >> > users. PEAP works fine on a DC that has its cert, while PEAP can't be
> >> > configured on a DC without the cert.
> >> >
> >> > Any ideas on what I can do to force a Domain Controller cert onto the 3
> >> > original DCs?
> >> > How do I request a Domain Controller cert manually?
> >> >
> >>
> >>
> >>
>
>
>
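Editor's note on the two failures in this thread: Steven's advice points at the certificate template (is it enabled on the subordinate CA, and does the template ACL grant Enroll to the DC), but the `certutil -ping` result pathfinder posts fails before any template is involved. `-ping` only asks for the CA's ICertRequest2 DCOM interface, so "Access is denied" (0x80070005) there is the CA's own security, i.e. the Request Certificates permission on the CA itself (Certification Authority console, CA properties, Security tab) or DCOM access to the CA computer, not the template. Both checks are worth running from the failing DC. The script below is an added example written for this page, not something posted in the thread; it is PowerShell, which did not exist in 2005 but is what a Windows admin would type today. It assumes the CA names from the thread in the `host\CA common name` form certutil accepts (replace them with your own), that the template in question is the built-in V1 `DomainController` template, and that it is run on the DC as a domain admin. The two extended-right GUIDs are the well-known AD schema values for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example (not from the thread). Run on the domain controller that fails,
# as a domain admin. Compares each CA from the requester's point of view:
#   1. certutil -ping      -> can this account reach the CA's request interface at all?
#   2. certutil -CATemplates -> does this CA issue the DomainController template?
#   3. template ACL in AD   -> who holds Enroll / AutoEnroll on the template?
# CA names are placeholders taken from the thread; "host\CA common name" is assumed.
$CAs          = @('myCA.domain.com\myCA', 'pcvw-udc\pcvw-udc')
$TemplateName = 'DomainController'

# Well-known extended-right GUIDs on certificate template objects.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$FullControl     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($ca in $CAs) {
    Write-Host "==== $ca ===="

    # 1. Reachability of ICertRequest. 0x80070005 here means the CA's own
    #    "Request Certificates" permission or DCOM access denies this account;
    #    no template has been consulted yet.
    $ping = certutil -ping -config $ca 2>&1
    Write-Host ($ping -join "`n")
    if ($ping -match 'Access is denied') {
        Write-Warning "$ca refuses the request interface: check the CA Security tab (Request Certificates) and DCOM access, not the template."
        continue
    }

    # 2. Templates enabled on this CA. Output lines look like
    #    "DomainController: Domain Controller -- Auto-Enroll", one per template.
    $templates = certutil -CATemplates -config $ca 2>&1
    if ($templates -match "^${TemplateName}:") {
        Write-Host "Template $TemplateName is enabled on $ca"
    } else {
        Write-Warning "Template $TemplateName is NOT enabled on $ca; the CA will reject the request even with a correct template ACL."
    }
}

# 3. Template permissions. Templates are stored once, in the configuration
#    partition, so this ACL is the same for every CA in the forest; a DC must
#    hold Enroll (or AutoEnroll for the policy pathfinder created) via its own
#    computer account or a group it belongs to.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

Write-Host "==== Enroll / AutoEnroll ACEs on template $TemplateName ===="
$template.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $right = $null
        if ($_.ObjectType -eq $EnrollRight)                                   { $right = 'Enroll' }
        elseif ($_.ObjectType -eq $AutoEnrollRight)                           { $right = 'AutoEnroll' }
        elseif (($_.ActiveDirectoryRights -band $FullControl) -eq $FullControl) { $right = 'FullControl' }
        elseif ($_.ObjectType -eq [Guid]::Empty -and
                ($_.ActiveDirectoryRights -band $ExtendedRight))              { $right = 'AllExtendedRights' }
        if ($right) { '{0,-45} {1}' -f $_.IdentityReference, $right }
    }
```

Read the output in order: if `-ping` is denied, fixing the template ACL will not help, because the CA never gets as far as evaluating it; once `-ping` succeeds, the remaining two lists are the ones Steven suggested comparing between the root CA and the subordinate CA.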