Re: Complicated root CA issue..
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: Thu, 9 Jun 2005 10:40:45 -0500
Hmm. Not quite sure what is going on, but what I would try is running the
support tool netdiag on both the CA you are refused access to and the server
you are refused access from. Netdiag will run a battery of tests that will
check, among other things, network connectivity, DNS name resolution and
record registration, DC discovery, Kerberos, and trust/secure channel. DNS
or trust/secure channel problems could be a possible cause. I would also run
dcdiag on the domain controller to check for pertinent problems including
DNS and replication. You also may want to post in the
Microsoft.public.security.crypto newsgroup. --- Steve
"=pathfinder=" <email@example.com> wrote in message
> I tried using the utility as you mention and here are the responses I get
> from one of the 6 DC's I have. This is a DC I built that did receive a DC
> cert automatically.
> C:\Documents and Settings\path>certutil -ping -config myCA
> Connecting to myCA ...
> Server "myCA.domain.com" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.
> C:\Documents and Settings\path>certutil -ping -config pcvw-udc
> Connecting to pcvw-udc ...
> Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)
> CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
> CertUtil: Access is denied.
> Any more ideas?
> "Steven L Umbach" wrote:
>> I don't know offhand but suspect that the CA you were denied access to is
>> not configured to use that certificate template or the permissions for the
>> template do not allow you to request a certificate for that server. You
>> could use the Certificate Authority Management Console to compare which
>> templates have been enabled on each CA and compare the permissions
>> configured. Otherwise verify that you have connectivity to the CA in
>> question from the domain controller that you are trying to obtain a
>> certificate for by pinging it by IP address and fully qualified domain name
>> and using the command " certutil -ping -config CAcomputername " to see if
>> the CA responds as shown in the example below, for me doing such from an XP
>> Pro domain computer. The link below explains some CA troubleshooting
>> methods. --- Steve
>> D:\Documents and Settings\Steve>certutil -ping -config server1-2003
>> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
>> Connecting to server1-2003 ...
>> Server "CA3" ICertRequest2 interface is alive
>> CertUtil: -ping command completed successfully.
>> "=pathfinder=" <firstname.lastname@example.org> wrote in message
>> > Thanks Steven, that did the trick.
>> > One other thing: why is it that if I choose the advanced option and
>> > manually choose a different (subordinate) CA to give me the cert it fails
>> > complaining of "you do not have permission to do this or the CA is not
>> > running"? When I try the process again but choose the default options
>> > (uses the root CA) it all works?
>> > "Steven L Umbach" wrote:
>> >> Assuming everything is working correctly you could logon to the domain
>> >> controller as a domain admin and then use the mmc snapin for
>> >> certificates for computer to request a domain controller certificate.
>> >> Go to the personal/certificates folder, right click, select all tasks -
>> >> request new certificate and select domain controller certificate.
>> >> --- Steve
>> >> "=pathfinder=" <email@example.com> wrote in message
>> >> news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
>> >> > Ok, we have 6 DC's. I built 3 in the last year but a previous admin
>> >> > built the original 3 DC's. I have an enterprise Root CA, it has issued
>> >> > Domain Controller certs to the 3 DC's I built but I can't get Domain
>> >> > Controller certs to the original 3 DC's. I created an enrollment policy
>> >> > for the Domain Controller certs but only 1 of the original DC's picked
>> >> > that up.
>> >> >
>> >> > I really need to get Domain Controller certs on all my DC's as I am
>> >> > deploying WPA-Radius WiFi and need to use PEAP to authenticate my
>> >> > users. The PEAP works fine on a DC that has its cert, while PEAP can't
>> >> > be configured on a DC without the cert.
>> >> >
>> >> > Any ideas on what I can do to force a Domain Controller cert onto
>> >> > the 3 original DC's?
>> >> > How do I request a Domain Controller cert manually?
>> >> >
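The checks Steve describes in the thread (ping each CA with certutil, compare which templates each CA has enabled, compare the template permissions, then confirm the DC actually holds a certificate PEAP can use) can be scripted from the affected domain controller. The following is an added example written for this page, not code posted by either participant. It assumes it is run as a domain admin on the DC that is being refused, that the ActiveDirectory module (the AD: drive) is available, and that the two CA config strings are placeholders in "CAhost\CAname" form to be replaced with your own; the line shape parsed from `certutil -CATemplates` output is also an assumption about common output and is marked as such in the code.

```powershell
# Added example, not from the thread. Assumes you run it as a domain admin on
# the DC that is being refused, with the ActiveDirectory module installed.
# The CA config strings below are placeholders in "CAhost\CAname" form.
$CAs          = @('myCA.domain.com\myCA', 'pcvw-udc.domain.com\pcvw-udc')
$TemplateName = 'DomainController'   # CN of the Domain Controller template in AD

function Test-CAReachable {
    param([Parameter(Mandatory)][string]$Config)
    # certutil -ping calls the CA's ICertRequest2 interface over DCOM. "Access is
    # denied" (0x80070005) at this stage is an authorization failure on the CA
    # itself (its Security tab), not a template or network problem.
    $out = (& certutil.exe -ping -config $Config 2>&1) | Out-String
    [pscustomobject]@{
        CA     = $Config
        Alive  = [bool]($out -match 'interface is alive')
        Denied = [bool]($out -match '0x80070005|Access is denied')
    }
}

function Get-CAEnabledTemplates {
    param([Parameter(Mandatory)][string]$Config)
    # -CATemplates lists the templates the CA is configured to issue. The line
    # shape "TemplateCN: Display Name -- ..." is an assumption about common
    # output; only the CN before the first colon is kept.
    $out = (& certutil.exe -CATemplates -config $Config 2>&1) | Out-String
    $out -split "`r?`n" |
        Where-Object { $_ -match '^[A-Za-z0-9_-]+:' } |
        ForEach-Object { ($_ -split ':', 2)[0].Trim() }
}

function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$Name)
    # Templates live in the Configuration partition, so one ACL applies to every
    # CA in the forest. Enroll is the extended right with the GUID below.
    Import-Module ActiveDirectory -ErrorAction Stop
    $enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dn    = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $enrollGuid -or $_.ActiveDirectoryRights -match 'GenericAll' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

function Get-LocalDCCertificates {
    # A certificate from the DomainController template carries the v1 template
    # name extension (OID 1.3.6.1.4.1.311.20.2) and the Server Authentication
    # EKU (1.3.6.1.5.5.7.3.1), which is what PEAP/RADIUS needs on the server side.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $tmplName = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Template   = $tmplName
            ServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
            NotAfter   = $cert.NotAfter
        }
    } | Where-Object { $_.Template -like "$TemplateName*" -or $_.ServerAuth }
}

# 1. Which CAs answer at all, and which refuse us before any template is involved?
$CAs | ForEach-Object { Test-CAReachable -Config $_ } | Format-Table -AutoSize

# 2. Of the CAs that answer, which actually issue the Domain Controller template?
foreach ($ca in $CAs) {
    $enabled = @(Get-CAEnabledTemplates -Config $ca)
    $state   = if ($enabled -contains $TemplateName) { 'enabled' } else { 'NOT enabled' }
    '{0}: {1} template {2}' -f $ca, $TemplateName, $state
}

# 3. Who may enroll for the template (the same answer for every CA in the forest).
Get-TemplateEnrollers -Name $TemplateName | Format-Table -AutoSize

# 4. Does this DC already hold a certificate PEAP can use?
Get-LocalDCCertificates | Format-Table -AutoSize
```

The order matters for the symptom in the thread: `certutil -ping` succeeding against one CA and returning `0x80070005` against the other is decided before any template is consulted, by the CA's own security settings (the Request Certificates permission on the CA, which gates the ICertRequest interface). Only once step 1 shows the CA alive do the enabled-template list (step 2) and the template ACL (step 3) explain a "you do not have permission or the CA is not running" error from the enrollment wizard; step 4 confirms afterwards that the certificate actually landed in the machine store with the EKU PEAP requires.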