Re: Access is denied 0x8007005 error when adding Certiciate Authority

From: Steve309 (sorry_at_nospam.net)
Date: 04/24/04

  • Next message: Andrew Mitchell: "Re: PASSWORDS-PLEASE HELP !!" 
    Date: Sat, 24 Apr 2004 00:20:03 -0400

    I just solved the error. The reason was that all Enterprise CAs must be
    domain controllers, and the subordinate CA that I was trying to create was
    only a member server. Upgrading it to a domain controller fixed the issue.

    No thanks to those wonderfully descriptive Microsoft error messages.

    Steve

    "Steve309" <anonymous@discussions.microsoft.com> wrote in message
    news:B313A2BC-B00D-400E-B2BD-C49F0514D39E@microsoft.com...
    > Hello,
    >
    > I installed a root enterprise CA (I'll call it "bigdog") and then wanted
    to install a subordinate enterprise CA in the same domain (I'll call the
    domain "barks.org"). When I do, I get this error:
    >
    > "Cannot ping selected CA. Make sure the CA is running
    > Access is denied. 0x80070005 (Win32: 5)"
    >
    > Also, I'm logged in as an Enterprise admin when installing the CA. I
    opened the CA installation log (WINNT\certocm.log) and found this error:
    >
    > CA Certificate Request: 0x0(0)
    > Select CA: bigdog.barks.org: BARKS root CA
    > Get Server CA Name: bigdog.barks.org: Access is denied. 0x80070005
    (WIN32: 5)
    >
    > It seems like its some sort of permissions error when my soon-to-be
    subordinate CA (member server) attempts to access some active directory
    information about the enterprise CA (domain controller).
    >
    > I attempted the fix in KB 281271 (single-level domain scenario) to no
    avail. I also tried giving the everyone group enroll permissions on the
    enterprise CA, and trusting the member server for delecation in ADUC.
    >
    > Also, I can ping my enterprise CA from the member server.
    >
    > BTW, the member server is running in a VMware virtual machine (bridged
    NIC).
    >
    > Any ideas?
    >
    >

  • Next message: Andrew Mitchell: "Re: PASSWORDS-PLEASE HELP !!"

    Relevant Pages

    • Re: AD controller 2003 standard to enterpise
      ... Makes no difference if it is a DC or a member server. ... upgrade it to Enterprise. ... All other DCs are running 2003 enterprise. ... on a member server just want to make sure of the AD domain controller ...
      (microsoft.public.windows.server.general)
    • Re: Certificate Template Creation
      ... on your Enterprise server, install Virtual Server, then build a VM running Enterprise to be your standalone, offline rootCA ... create your certificate template on the Enterprise CA ... Domain Controller certificate. ...
      (microsoft.public.windows.server.general)
    • Re: How to determine Role on a installed CA?
      ... If you do you can be 100% sure you have Enterprise ... To see if it is subordinate or root, check your CA certificate... ...
      (microsoft.public.windows.server.networking)
    • Re: W2K3 3-tier CA Implementation
      ... No matter what environment you are in, install a standalone ROOT CA. ... based on the standalone subordinate CA. ... I agree with issuing CAs being enterprise CAs. ... You do not use a certificate tempalte for the ...
      (microsoft.public.security)
    • Re: Certificate Authority type
      ... documented infrastructure and precedures around that - one cannot trust PKI ... I installed> a enterprise root and enterprise subordinate in my lab and it does not show> the enterprise subordinate in S&S. ...
      (microsoft.public.security)