Re: Enterprise subordinate CA in parent:child domains

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/17/05


Date: Wed, 16 Feb 2005 21:11:34 -0600

Are you sure that the CA you installed is an Enterprise CA?? Run the command
certutil -cainfo on your CA to see if it reports that it is an Enterprise CA
or not. --- Steve

"Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
message news:8B5DA704-E4B0-4941-8C49-CB222C5DBA97@microsoft.com...
> Hi Steven,
> well no luck:
> 1. I cannot request a certificate even from CA itself for itself - error is
> that there is no CA, or permissions
> 2. DNS works OK
> 3. I did not install Web Enrolment
> 4. CA is listed in Intermediate CA on CA itself but not on DC.....
> 5. Root CA certificate (offline) is listed in the trusted Root CAs on all
> computers in the domain
>
> I am really lost. CA was installed by Enterprise admin account into the child
> domain.
>
> Vladimir
>
> "Steven L Umbach" wrote:
>
>> Try to request a certificate from the Certificate Authority itself for
>> itself as a test and also try Web Enrollment. If dns is not configured
>> correctly in the domain, that can cause the error message you see. When you
>> go to AD Users and Computers does the CA computer show as a member of the
>> Cert Publishers group and does it show in the trusted certificate store for
>> any of the domain computers?? Can you open the Certificate Authority
>> Management Console on the CA, and when you go to AD Sites and services and
>> look under public key services/certification authorities does it show your
>> CA? Are there any errors in the application or system log on the
>> CA? --- Steve
>>
>> http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
>> --- Web Enrollment.
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
>> verify that your dns is correct in the domain.
>>
>> "Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
>> message news:2565EE78-4816-4A1A-AE66-50830DA4110C@microsoft.com...
>> > Hi Steven,
>> > I cannot request a certificate as it says there is no CA. However in
>> > Sites when I view Services I can see enrollment CA is mine. However
>> > CertificateAuthority hive is missing in the tree.
>> > Any thoughts?
>> > Vladimir
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> When you install it to the child domain try to request a certificate
>> >> from a domain computer from the mmc snapin for user/computer
>> >> certificate. Go to the personal certificates folder, right click/all
>> >> tasks - request certificate to see if it works. If it does you are
>> >> ready to go. While there check the trusted root CA folder to see if
>> >> your CA is there. I have never tried it that way as I install a CA in
>> >> the forest root, but I would be surprised if it does not work for
>> >> you. --- Steve
>> >>
>> >>
>> >> "Vladimir Jirasek" <Vladimir Jirasek@discussions.microsoft.com> wrote in
>> >> message news:5174FBF5-73A6-40C9-B72F-4C428372215F@microsoft.com...
>> >> > Hello,
>> >> > I have root domain AD and child CHILD, 2000 native mode. AD is
>> >> > really a root with no user and computer objects while CHILD contains
>> >> > all. I want to install Enterprise Subordinate CA (Root is offline 3rd
>> >> > party CA) to be able to issue computer certificates.
>> >> > Questions I have so far:
>> >> > 1. what domain should I install CA into: AD or CHILD?
>> >> > So far I have installed CA to CHILD and when I want to edit GPO in
>> >> > CHILD domain to do auto-enrollment for computers I can see templates
>> >> > but no issuing CA. Same applies when I install it to AD domain.
>> >> >
>> >> > I have not been able to find this information anywhere but I assume
>> >> > CA should be installed in the domain for which certificates are
>> >> > issued as in 2000 mode Cert Publishers group is Global, i.e. not
>> >> > crossing domain boundaries.
>> >> >
>> >> > I would rather not implement steps as per KB 219059 and 281271.
>> >> >
>> >> > Any help is appreciated.
>> >> > Kind regards
>> >> >
>> >> > Vladimir Jirasek
>> >>
>> >>
>> >>
>>
>>
>>
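
The directory checks discussed in this thread (is the CA published under Public Key Services, and is its computer account in Cert Publishers) can be run as one read-only script. This is an added example, not code from either poster. The CA computer name is a placeholder, and the script assumes Cert Publishers sits in the default Users container of the domain you are logged on to.

```powershell
# Added example: read-only directory checks for an Enterprise CA that clients cannot find.
# Assumption: run by a domain user who can read the Configuration partition.
$caName = 'CHILD-CA01'   # placeholder computer name of the CA, not from the thread

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext   # forest-wide, shared by AD and CHILD
$domainNC = [string]$rootDse.defaultNamingContext         # domain of the logged-on user
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Enrollment Services is where clients look up an issuing Enterprise CA.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
$enrollment = @($searcher.FindAll())

if ($enrollment.Count -eq 0) {
    Write-Warning 'No Enterprise CA is published in Enrollment Services.'
}
foreach ($ca in $enrollment) {
    # Result property names are stored in lower case.
    $templates = $ca.Properties['certificatetemplates']
    $hasTemplates = ($null -ne $templates) -and ($templates.Count -gt 0)
    [pscustomobject]@{
        CA        = [string]($ca.Properties['cn'] | Select-Object -First 1)
        Host      = [string]($ca.Properties['dnshostname'] | Select-Object -First 1)
        Templates = if ($hasTemplates) { @($templates) -join ', ' } else { '(none assigned)' }
    }
}

# Root and intermediate CA certificates published to the forest.
foreach ($container in 'Certification Authorities', 'AIA') {
    $names = ([ADSI]"LDAP://CN=$container,$pkiBase").Children |
        ForEach-Object { [string]$_.cn }
    '{0}: {1}' -f $container, ($names -join ', ')
}

# Cert Publishers membership in the current domain.
$group   = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$domainNC"
$pattern = '^CN=' + [regex]::Escape($caName) + ','
$hit     = @($group.member) -match $pattern
if ($hit) {
    "Cert Publishers contains: $hit"
} else {
    Write-Warning "$caName is not a member of Cert Publishers in $domainNC"
}
```

A CA that appears under AIA but not under Enrollment Services, or that appears there with no templates assigned, matches the "templates but no issuing CA" symptom described in the original post.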


