Re: Microsoft PKI: problem with autoenrollment for domain controllers

Microsoft CAs are hard coded to request the Domain Controller certificate.
WIndows SErver 2003 introduced the Domain Controller AUthentication certificate template, which supercedes the Domain Controller.
My question for you is why you have decided to create your own template, rather than using the defaults?
Brian

"Grovnasch" <Grovnasch.Krabill@xxxxxxxxx> wrote in message news:1187095866.051441.16740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello everybody,
I have the following problem on my AD-Domain (3 Domain Controllers
with MS-PKI):
all the domain controllers have recurrent errors in the Application
Event Viewer that say:
"Automatic Certificate Enrollment for local system could not find a
valid certificate templete to match DomainControlleras specified in
the group policy automatic enrollment object. Enrollment will not be
performed."
The "DomainController" template is the standard template, which I have
removed from the "Certificta templates to issue" container. Besides, I
have created a new personnalized DomainController template, called
MyDomainController, which is accepted by all the CDs, i.e. all the 3
of them have been issued a valid certificate. Nevertheless, all domain
controllers still ask for a "DomainController" Certificate, although
there is no entry at all in the Default Domain Controller Policy (-->
Computer Settings --> Windows Settings --> Security Settings -->
Public Key Policies --> Automatic Certificate Request Settings).
If I try to reintegrate the "DomainController" template on the CA to
--
Certificate Authority --> My CA --> Certificate Templates: New Cert
Template to issue, I get the following error: "The template
information on the CA cannot be modified at this time. This is most
likely because the CA service is not running or these are replication
delays. One or more certificate templates to be enables on this
certificate authority could not be found. The changes can be saved to
Active Directory and retrieved by the CA next time it is started. Do
you want to save the changes to Active Directory?".
Clicking "Yes" and restarting the CA does not solve the problem...
Did anyone have the same problem? Any ides?
Thanks in advance,


.

Relevant Pages

  • Re: Cannot request computer certificate.
    ... you are using Windows 2003 see if there is any info in failed requests. ... I would run the support tool netdiag on your domain controller [at least ... I need to request a computer certificate for VPN server. ...
    (microsoft.public.windows.server.security)
  • Issuing Domain Controller certificates manually
    ... this certificate template (as well as the Computer certificate ... generating a certificate request on the domain controller). ... If you use the web interface, you will notice that these two ...
    (microsoft.public.win2000.security)
  • Re: Event ID 13 - automatic certificate enrollment error
    ... I'm having problems understanding how to set permissions. ... MMC for the certificate authority I can see the certificate templates folder ... I can see the template Domain Controller. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Event ID 13 - automatic certificate enrollment error
    ... add Domain Controllers to it and check enroll ... > MMC for the certificate authority I can see the certificate templates ... > folder and when I select it I can then see Domain Controller on the ... > manage I can see the template Domain Controller. ...
    (microsoft.public.windows.server.active_directory)
  • Autoenrollment Failure (0x80070005) - Additional help reqd.
    ... apply the fix recommended. ... One of the DCs is also a Certificate Server. ... >> has successfully obtained a 'Domain Controller' certificate. ...
    (microsoft.public.windows.server.active_directory)