CA configuration to publish certs in AD



My Enterprise Root CA can't publish certificates to AD which are issued
for users in the child domain. I receive the following warning in the
event log:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 02.10.2006
Time: 13:18:16
User: N/A
Computer: RootDomainDC
Description:
Certificate Services could not publish a Certificate for request 66 to
the following location on server ChildDomainDC: ChildDomainUser.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344). ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

The Enterprise Root CA is located on the DC in the root domain. I found
the following KB Article:
"Certification Authority configuration to publish certificates in Active
Directory of trusted domain" [Q281271]

In step number five - Delegate Control - on the child domain controller,
they describe how to add the "Cert Publishers" group from the parent
domain. But I can't add (find) this group, because the scope is set to
"domain local"!? I changed the scope to "universal" by using "dsmod" and completed steps number five and six as described. However, the warning still appears!

I'm also confused about step number 3. I have only the Windows default exit module with the property "allow certificates to be published to the *file system*" and nothing like "...published in the *Active Directory*" as described in the KB article.

Thanks in advance
Patrik


