Re: PKI - Issue Publishing to AD DS



You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name of your forest.
Then it should start working.
Brian

"Orbital" <Orbital@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C7AAB6D7-0010-4BA1-9AD1-A440202167D3@xxxxxxxxxxxxxxxx
Hi All!!!

I'm currently implementing 2008 PKI using Brian Komar's excellent book, but
I've run into a few issues. These surfaced when trying to publish my root
and policy CA certs into my AD. On page 133, I'm running an amended piece of
code, with an excerpt below...
*********************
C:\PKI\USB>certutil -dspublish -f "Test Corporate Policy CA.crl"
ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
Services
,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
RLDistributionPoint?certificateRevocationList

ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'unavailableconfigdn'

CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
CertUtil: A referral was returned from the server.
*********************
Now, I see the problem here
'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The question
is, how do I fix it? I've had a scout around and found the following
http://www.derkeiler.com/Newsgroups/microsoft.public.windows.server.security/2008-08/msg00047.html

In this article, Brian speaks of an incorrect %%6 value in [presumably] the
root CA post install script. But I don't see how I would change this in this
file? And to what value?

Brian's fix is to run the following command:

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com

This is understood, [is the DC=root as it is above a fixed value, or is this
just an example of a possible domain name?] but would I then have to revoke
the currently issued cert, and then go through my setup on my policy box
again with the correct new ones?

I'm COMPLETELY new to PKI, so any help is greatly appreciated :)

Many thanks in advance,
Orb.
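
The fix discussed in this thread, as an added example that is not part of either post: it builds the configuration DN from a forest DNS name, checks an LDAP publish URL for the unresolved DC=UnavailableConfigDN placeholder, and sets and reads back DSConfigDN. The forest name root.example.com and the function names are assumptions made for illustration.

```powershell
# Added example, not from the thread. 'root.example.com' is a placeholder forest name.
function ConvertTo-ConfigDN {
    param([Parameter(Mandatory)][string]$ForestDnsName)
    $labels = $ForestDnsName.Trim('.').Split('.')
    foreach ($label in $labels) {
        # Reject anything that is not a plain DNS label, so no stray
        # commas or equals signs end up inside the distinguished name.
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            throw "Invalid DNS label '$label' in '$ForestDnsName'"
        }
    }
    # root.example.com -> CN=Configuration,DC=root,DC=example,DC=com
    'CN=Configuration,' + (($labels | ForEach-Object { "DC=$_" }) -join ',')
}

function Test-PublishUrl {
    # True only if the LDAP URL no longer carries the unresolved placeholder
    # seen in the failing command (DC=UnavailableConfigDN).
    param([Parameter(Mandatory)][string]$Url)
    $Url -notmatch 'DC=UnavailableConfigDN'
}

function Set-CaConfigDN {
    # Hypothetical wrapper: without -Apply it only returns the command text.
    param([Parameter(Mandatory)][string]$ConfigDN, [switch]$Apply)
    if (-not $Apply) { return "certutil -setreg ca\DSConfigDN $ConfigDN" }
    certutil -setreg ca\DSConfigDN $ConfigDN
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
    certutil -getreg ca\DSConfigDN     # read the value back to confirm it
}

$configDN = ConvertTo-ConfigDN 'root.example.com'

# URL from the failing command in the thread, joined onto one line.
$badUrl = 'ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,' +
          'CN=Public Key Services,CN=Services,DC=UnavailableConfigDN' +
          '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
$fixedUrl = $badUrl -replace 'DC=UnavailableConfigDN', $configDN

"Config DN    : $configDN"
"Bad URL ok   : $(Test-PublishUrl $badUrl)"
"Fixed URL ok : $(Test-PublishUrl $fixedUrl)"
Set-CaConfigDN $configDN     # dry run; add -Apply when running on the CA itself
```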
