Re: Changing Global Group to Domain Local Group.

From: Rob McShinsky (List_at_mcshinsky.com)
Date: 01/07/05


Date: Fri, 7 Jan 2005 16:02:44 -0500

Yes I did. I am however still getting errors when my domain controllers try
to autoenroll DC certs. It is giving a privilege denied message. Listed
below.

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 1/6/2005
Time: 11:12:33 AM
User: N/A
Computer: ZDHT02
Description:
Certificate Services could not publish a Certificate for request 16 to the
following location on server dh325.dhmcmaster.dh.hitchcock.org:
CN=DH325,OU=Domain Controllers,DC=dhmcmaster,DC=dh,DC=hitchcock,DC=org.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344).
ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uU0cbqN9EHA.1300@TK2MSFTNGP14.phx.gbl...
> Did you try the recommendation in KB281271?? It basically uses delegation,
> and dsacls to give parent domain CA permissions in the child domain? --
> Steve
>
> "Rob McShinsky" <List@mcshinsky.com> wrote in message
> news:eTTibvM9EHA.3320@TK2MSFTNGP10.phx.gbl...
>> Sorry for the lack of detail. Unable to change to any group type. All
>> options are greyed.
>>
>>
>> "Shiny Bob" <parris@newsguy.com> wrote in message
>> news:crlrpm02f4s@news3.newsguy.com...
>>> he cannot change it from global to local - no mention of universal.
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:e0DvyvG9EHA.2700@TK2MSFTNGP14.phx.gbl...
>>>> Except that he indicated he can not change it from global group. ---
>>>> Steve
>>>>
>>>>
>>>> "<Shiny Bob>" <parris@newsguy,com> wrote in message
>>>> news:crkl8102dfm@news3.newsguy.com...
>>>>> change it to universal come out of group
>>>>> go back into group and change it to a DL Group.
>>>>>
>>>>> Mark
>>>>>
>>>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>>>> news:OroWX1E9EHA.2600@TK2MSFTNGP09.phx.gbl...
>>>>>>I have never had to deal with that but see if the info in the link
>>>>>>below is helpful. --- Steve
>>>>>>
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;281271
>>>>>>
>>>>>> "Rob McShinsky" <List@mcshinsky.com> wrote in message
>>>>>> news:uJbU7s$8EHA.1228@tk2msftngp13.phx.gbl...
>>>>>>> In my Windows 2000 domain (native mode), that is almost completely
>>>>>>> upgraded to Windows 2003 I want to change my Cert Publishers group
>>>>>>> from a Global Group to a Domain Local Group. If you install 2003
>>>>>>> from scratch and make it a domain controller this group is a Domain
>>>>>>> Local Group even if you are in Windows 2000 native mode. Currently
>>>>>>> the ability to switch this group is greyed out.
>>>>>>>
>>>>>>> The reasoning behind this is we are building a 2-tiered Certificate
>>>>>>> Authority structure with the Issuing Certificate Authority in the
>>>>>>> Root domain. All users and computer objects are in the child
>>>>>>> domain. So unless I can put the CA computer object that is in the
>>>>>>> root domain in the Child domain Cert Publishers group, the
>>>>>>> certificates issued to users in the child domain do not work. If
>>>>>>> the Cert publishers group is a Domain Local group I can easily see
>>>>>>> the CA server in the Root Domain and can add it correctly.
>>>>>>>
>>>>>>> Does anyone have any experience with 2-tiered CA's within a 2-tiered
>>>>>>> forest?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Rob McShinsky
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
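
A triage helper for the Event ID 80 description quoted in the message above, as an added example that is not part of the original thread: it decodes the HRESULT and LDAP result code and derives the target object's domain from its DN so it can be compared with the CA's domain. The function names and the `ca_domain` parameter are assumptions made for this example; the CA's domain does not appear in the event and must be supplied by the caller.

```python
import re

# Constructed sample: the Event ID 80 description from the post above,
# with the e-mail line wrapping removed.
SAMPLE_EVENT = (
    "Certificate Services could not publish a Certificate for request 16 to the "
    "following location on server dh325.dhmcmaster.dh.hitchcock.org: "
    "CN=DH325,OU=Domain Controllers,DC=dhmcmaster,DC=dh,DC=hitchcock,DC=org. "
    "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344). "
    "ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003 "
    "(INSUFF_ACCESS_RIGHTS), data 0"
)

FACILITY_WIN32 = 7
LDAP_INSUFFICIENT_ACCESS = 0x32  # LDAP result code 50, insufficientAccessRights


def decode_hresult(value):
    """Split an HRESULT into (failure bit, facility, low 16-bit code)."""
    return bool(value >> 31), (value >> 16) & 0x1FFF, value & 0xFFFF


def dn_to_domain(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    return ".".join(re.findall(r"DC=([^,]+)", dn, flags=re.I)).lower()


def triage_publish_failure(description, ca_domain):
    """Parse a CertSvc event 80 description; ca_domain is supplied by the caller."""
    text = " ".join(description.split())  # undo any line wrapping
    m = re.search(r"request (\d+) to the following location on server (\S+):\s*"
                  r"(\S.*?DC=[^,.\s]+)\.\s", text)
    hres = re.search(r"0x([0-9A-Fa-f]{8}) \(WIN32: (\d+)\)", text)
    ldap = re.search(r"ldap: 0x([0-9A-Fa-f]+):", text)
    if not (m and hres and ldap):
        raise ValueError("not a recognised publish-failure description")
    failed, facility, code = decode_hresult(int(hres.group(1), 16))
    target_domain = dn_to_domain(m.group(3))
    return {
        "request_id": int(m.group(1)),
        "target_dc": m.group(2),
        "target_dn": m.group(3),
        "target_domain": target_domain,
        "win32_code": code if failed and facility == FACILITY_WIN32 else None,
        "win32_matches_text": code == int(hres.group(2)),
        "access_denied": int(ldap.group(1), 16) == LDAP_INSUFFICIENT_ACCESS,
        "cross_domain": target_domain != ca_domain.lower(),
    }
```

A result with `access_denied` and `cross_domain` both true matches the situation described in the thread: a CA in one domain lacking write access to an object in another.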


