Re: Access is denied 0x8007005 error when adding Certiciate Authority

• Previous message: Sartan Dragonbane: "Re: changed administrators name & pswrd. can't log in!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 24 Apr 2004 00:20:03 -0400

I just solved the error. The reason was that all Enterprise CAs must be
domain controllers, and the subordinate CA that I was trying to create was
only a member server. Upgrading it to a domain controller fixed the issue.

No thanks to those wonderfully descriptive Microsoft error messages.

Steve

"Steve309" <anonymous@discussions.microsoft.com> wrote in message
news:B313A2BC-B00D-400E-B2BD-C49F0514D39E@microsoft.com...
> Hello,
>
> I installed a root enterprise CA (I'll call it "bigdog") and then wanted
to install a subordinate enterprise CA in the same domain (I'll call the
domain "barks.org"). When I do, I get this error:
>
> "Cannot ping selected CA. Make sure the CA is running
> Access is denied. 0x80070005 (Win32: 5)"
>
> Also, I'm logged in as an Enterprise admin when installing the CA. I
opened the CA installation log (WINNT\certocm.log) and found this error:
>
> CA Certificate Request: 0x0(0)
> Select CA: bigdog.barks.org: BARKS root CA
> Get Server CA Name: bigdog.barks.org: Access is denied. 0x80070005
(WIN32: 5)
>
> It seems like its some sort of permissions error when my soon-to-be
subordinate CA (member server) attempts to access some active directory
information about the enterprise CA (domain controller).
>
> I attempted the fix in KB 281271 (single-level domain scenario) to no
avail. I also tried giving the everyone group enroll permissions on the
enterprise CA, and trusting the member server for delecation in ADUC.
>
> Also, I can ping my enterprise CA from the member server.
>
> BTW, the member server is running in a VMware virtual machine (bridged
NIC).
>
> Any ideas?
>
>

• Previous message: Sartan Dragonbane: "Re: changed administrators name & pswrd. can't log in!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: AD controller 2003 standard to enterpise ... Makes no difference if it is a DC or a member server. ... upgrade it to Enterprise. ... All other DCs are running 2003 enterprise. ... on a member server just want to make sure of the AD domain controller ... (microsoft.public.windows.server.general) Re: Certificate Template Creation ... on your Enterprise server, install Virtual Server, then build a VM running Enterprise to be your standalone, offline rootCA ... create your certificate template on the Enterprise CA ... Domain Controller certificate. ... (microsoft.public.windows.server.general) Re: How to determine Role on a installed CA? ... If you do you can be 100% sure you have Enterprise ... To see if it is subordinate or root, check your CA certificate... ... (microsoft.public.windows.server.networking) Re: W2K3 3-tier CA Implementation ... No matter what environment you are in, install a standalone ROOT CA. ... based on the standalone subordinate CA. ... I agree with issuing CAs being enterprise CAs. ... You do not use a certificate tempalte for the ... (microsoft.public.security) Re: Certificate Authority type ... documented infrastructure and precedures around that - one cannot trust PKI ... I installed> a enterprise root and enterprise subordinate in my lab and it does not show> the enterprise subordinate in S&S. ... (microsoft.public.security)