Re: Enterprise subordinate CA in parent:child domains

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/17/05


Date: Wed, 16 Feb 2005 21:11:34 -0600

Are you sure that the CA you installed is an Enterprise CA?? Run the command
certutil -cainfo on your CA to see if it reports that it is an Enterprise CA
or not. --- Steve

"Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
message news:8B5DA704-E4B0-4941-8C49-CB222C5DBA97@microsoft.com...
> Hi Steven,
> well no luck:
> 1. I cannot request a certificate even from CA itself for itself - error
> is that there is no CA, or permissions
> 2. DNS works OK
> 3. I did not install Web Enrolment
> 4. CA is listed in Intermediate CA on CA itself but not on DC.....
> 5. Root CA certificate (offline) is listed in the trusted Root CAs on all
> computers in the domain
>
> I am really lost. CA was installed by Enterprise admin account into the
> child domain.
>
> Vladimir
>
> "Steven L Umbach" wrote:
>
>> Try to request a certificate from the Certificate Authority itself for
>> itself as a test and also try Web Enrollment. If dns is not configured
>> correctly in the domain, that can cause the error message you see. When
>> you go to AD Users and Computers does the CA computer show as a member
>> of the Cert Publishers group and does it show in the trusted certificate
>> store for any of the domain computers?? Can you open the Certificate
>> Authority Management Console on the CA, and when you go to AD Sites and
>> services and look under public key services/certification authorities
>> does it show your CA? Are there any errors in the application or system
>> log on the CA? --- Steve
>>
>> http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
>> --- Web Enrollment.
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 ---
>> verify that your dns is correct in the domain.
>>
>> "Vladimir Jirasek" <VladimirJirasek@discussions.microsoft.com> wrote in
>> message news:2565EE78-4816-4A1A-AE66-50830DA4110C@microsoft.com...
>> > Hi Steven,
>> > I cannot request a certificate as it says there is no CA. However in
>> > Sites when I view Services I can see enrollment CA is mine. However
>> > CertificateAuthority hive is missing in the tree.
>> > Any thoughts?
>> > Vladimir
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> When you install it to the child domain try to request a certificate
>> >> from a domain computer from the mmc snapin for user/computer
>> >> certificate. Go to the personal certificates folder, right click/all
>> >> tasks - request certificate to see if it works. If it does you are
>> >> ready to go. While there check the trusted root CA folder to see if
>> >> your CA is there. I have never tried it that way as I install a CA in
>> >> the forest root, but I would be surprised if it does not work for
>> >> you. --- Steve
>> >>
>> >>
>> >> "Vladimir Jirasek" <Vladimir Jirasek@discussions.microsoft.com> wrote
>> >> in
>> >> message news:5174FBF5-73A6-40C9-B72F-4C428372215F@microsoft.com...
>> >> > Hello,
>> >> > I have root domain AD and child CHILD, 2000 native mode. AD is
>> >> > really a root with no user and computer objects while CHILD
>> >> > contains all. I want to install Enterprise Subordinate CA (Root is
>> >> > offline 3rd party CA) to be able to issue computer certificates.
>> >> > questions I have so far:
>> >> > 1. what domain should I install CA into: AD or CHILD?
>> >> > So far I have installed CA to CHILD and when I want to edit GPO in
>> >> > CHILD domain to do auto-enrollment for computers I can see
>> >> > templates but no issuing CA. Same applies when I install it to AD
>> >> > domain.
>> >> >
>> >> > I have not been able to find this information anywhere but I assume
>> >> > CA should be installed in the domain for which certificates are
>> >> > issued as in 2000 mode Cert Publishers group is Global, i.e. not
>> >> > crossing domain boundaries.
>> >> >
>> >> > I would rather not implement steps as per KB 219059 and 281271.
>> >> >
>> >> > Any help is appreciated.
>> >> > Kind regards
>> >> >
>> >> > Vladimir Jirasek
>> >>
>> >>
>> >>
>>
>>
>>
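
The directory-side checks raised in this thread (is an Enterprise CA published under Public Key Services, does its host name resolve in DNS, is the CA computer in Cert Publishers), as an added PowerShell example that is not part of the original posts. It only reads AD; the function names are illustrative, and it assumes Cert Publishers is in its default CN=Users container of the domain the script is run in.

```powershell
# Added example: read-only AD lookups; run from a domain-joined machine in the
# domain being checked. Function names are illustrative, not from the thread.
function Get-EnrollmentService {
    param([string]$ConfigNC)
    # Enterprise CAs publish a pKIEnrollmentService object here (forest-wide).
    $base = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            CAName    = [string]($r.Properties['cn'] | Select-Object -First 1)
            HostName  = [string]($r.Properties['dnshostname'] | Select-Object -First 1)
            Templates = @($r.Properties['certificatetemplates'])
        }
    }
}

function Test-CertPublisher {
    param([string]$DomainNC, [string]$HostName)
    # Assumption: Cert Publishers is still in its default CN=Users container.
    $group   = [ADSI]"LDAP://CN=Cert Publishers,CN=Users,$DomainNC"
    $short   = [regex]::Escape($HostName.Split('.')[0])
    $members = @($group.Properties['member'])
    # Member DNs of computer accounts start with CN=<short host name>,
    [bool]($members -match "^CN=$short,")
}

function Test-DnsName {
    param([string]$HostName)
    try { [System.Net.Dns]::GetHostAddresses($HostName).Count -gt 0 }
    catch { $false }
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext   # forest configuration partition
$domainNC = [string]$rootDse.defaultNamingContext         # domain of the logged-on account

$cas = @(Get-EnrollmentService -ConfigNC $configNC)
if ($cas.Count -eq 0) { Write-Warning 'No Enterprise CA is published under Enrollment Services.' }
foreach ($ca in $cas) {
    [pscustomobject]@{
        CAName           = $ca.CAName
        HostName         = $ca.HostName
        DnsResolves      = Test-DnsName -HostName $ca.HostName
        InCertPublishers = Test-CertPublisher -DomainNC $domainNC -HostName $ca.HostName
        TemplateCount    = $ca.Templates.Count
    }
}
```

Clients locate Enterprise CAs through the Enrollment Services container, so an empty list there means the directory has no issuing CA to offer, whatever the CA's own console shows.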


