Re: Windows 2003 - Child domain cannot request certificate from root domain



It sounds like you have replication problems (have you properly defined sites and subnets?)
Brian

"JulioHM" <juliohm@xxxxxxxxx> wrote in message news:250f5491-a960-49e7-a861-9aa345c183f4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

Thanks for the response. Eventually we got it working. We tried all
kinds of permissions (your tip included)... and at the end of the day
we found out that AD had not replicated permissions throughout the
forest. Even though we completely shut down and restarted ALL machines
and domain controllers in the lab (several times), we had to force
replication by using mmc snap-in "Active Directory Sites and
Services".

Browse to "Sites > Default-First-Site-Name > Servers > YOUR_ROOT_DC >
NTDS Settings"

Under that, you'll find your child domain controllers. Right click on
each one and select "Replicate Now".

This got it all working. Now we know... all you need is the right
permissions on the certificate template you want to use. Even though
we changed permissions on the template, AD was taking much longer to
replicate these settings throughout the forest (apparently this may
take several hours).

Thanks a lot!
Julio

On Jan 13, 6:49 am, "Brian Komar" <brian.ko...@xxxxxxxxxxxxxxxxx>
wrote:
The main thing is that you have to modify the permissions on the certificate
templates you wish to issue.
By default, permissions assume a single domain forest.
You must change the permissions to allow users and computers from a child
domain to request certificates from the CA.
- The certificate templates are edited using the Certificate Templates
console (certtmpl.msc)
- By default, only Enterprise Admins and forest root Domain Admins have the
permissions to edit the certificate templates.
- The certificate templates are stored in the Configuration naming context
and replicated to all DCs in the forest (requiring the use of either global
groups or universal groups for the permission assignments).

You can use one of two permission strategies.
1) Create a custom global group in each domain to represent the target users
or target computers for the certificate template. Add both groups (based on
the fact that you state you have a root domain and a child domain), and
assign each group Read and Enroll permissions.
2) Create a custom global group in each domain to represent the target users
or target computers for the certificate template. Add each global group to a
custom universal group and assign the universal group Read and Enroll
permission for the certificate template.

Brian

"JulioHM" <juli...@xxxxxxxxx> wrote in message

news:c608d1e5-9e29-45ef-b721-d981f9b89963@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

> Hi,

> We have a forest setup (all servers are win2003) where we have one
> root domain controller (actresses.net) and one child domain
> (hot.actresses.net) controller.

> Root domain has an Enterprise CA installed, and we are trying to allow
> computers in the child domain to request certificates from the root
> domain. We keep getting the same error message, no matter what we try.

> After following the Certificate Request Wizard in the MMC Certificate
> snap-in, the following error message appears.

> ---------------------------
> Certificate Request Wizard
> ---------------------------
> The certificate request failed because of one of the following
> conditions:
> - The certificate request was submitted to a Certification
> Authority (CA) that is not started.
> - You do not have the permissions to request certificates from the
> available CAs.
> ---------------------------
> OK
> ---------------------------

> Apparently, as we have googled around, this message seems to have
> several possible reasons to show up. We've tried changing all kinds of
> permissions everywhere (templates, active directory) but without any
> luck.

> Would anyone have any clue of how to work around this?

> Any help is appreciated.

> Thanks
> Julio
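The two things this thread turned on were (a) Read and Enroll permissions on the template object in the Configuration naming context and (b) whether that change had actually replicated to every DC in the forest. The PowerShell script below is an added example, not code from the thread or from Microsoft; it audits a template's ACL, optionally grants Read + Enroll to a group (Brian's universal-group strategy), and then binds to each DC in the forest separately to confirm the ACE is present on every copy. It assumes the template is named by its CN (e.g. "Computer"), the group is given in DOMAIN\Group form, and `repadmin.exe` is available for the optional forced sync; the Certificate-Enrollment extended right GUID is the well-known schema value.

```powershell
<#
  Added example, not from the thread. Audits Read/Enroll on a certificate template,
  optionally grants them to a group, and verifies the ACE replicated to every DC.
  Assumed inputs: template CN ("Computer") and a group in DOMAIN\Group form.
#>
param(
    [Parameter(Mandatory = $true)][string]$TemplateName,   # CN of the template, e.g. "Computer"
    [string]$GrantToGroup,                                 # optional DOMAIN\Group to receive Read + Enroll
    [switch]$ForceReplication                              # run repadmin /syncall after the change
)

Add-Type -AssemblyName System.DirectoryServices

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" in certtmpl.msc)
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates live in the Configuration NC, so the same DN is valid on every DC in the forest
function Get-TemplateDn([string]$Name, [string]$Server) {
    $rootDse = if ($Server) { [ADSI]"LDAP://$Server/RootDSE" } else { [ADSI]'LDAP://RootDSE' }
    $configNc = [string]$rootDse.configurationNamingContext
    "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
}

# One row per Allow ACE: who it is, and whether it grants Read and/or Enroll
function Get-TemplateAccess([string]$Name, [string]$Server) {
    $dn  = Get-TemplateDn $Name $Server
    $obj = if ($Server) { [ADSI]"LDAP://$Server/$dn" } else { [ADSI]"LDAP://$dn" }
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $read = (($r.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
        # Enroll is an extended right; ObjectType = Empty means "all extended rights"
        $enroll = (($r.ActiveDirectoryRights -band $extended) -ne 0) -and
                  ($r.ObjectType -eq $EnrollRight -or $r.ObjectType -eq [Guid]::Empty)
        New-Object PSObject -Property @{
            Server = $Server; Identity = $r.IdentityReference.Value; Read = $read; Enroll = $enroll
        }
    }
}

# Strategy 2 from the thread: give a (universal) group Read + Enroll on the template
function Grant-TemplateEnroll([string]$Name, [string]$Group) {
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $obj   = [ADSI]"LDAP://$(Get-TemplateDn $Name)"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $obj.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
    $obj.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $EnrollRight)))
    $obj.CommitChanges()
}

# The check Julio needed: read the template's ACL from EVERY DC, not just the one you edited on
function Test-TemplateReplication([string]$Name, [string]$Group) {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $present = @(Get-TemplateAccess $Name $dc.Name |
                         Where-Object { $_.Identity -ieq $Group -and $_.Enroll }).Count -gt 0
            New-Object PSObject -Property @{ DomainController = $dc.Name; EnrollReplicated = $present }
        }
    }
}

if ($GrantToGroup) {
    Grant-TemplateEnroll $TemplateName $GrantToGroup
    if ($ForceReplication) {
        # /A = all naming contexts, /e = cross-site, /P = push from this DC
        & repadmin /syncall /A /e /P | Out-Null
    }
    Test-TemplateReplication $TemplateName $GrantToGroup | Format-Table -AutoSize
} else {
    Get-TemplateAccess $TemplateName | Format-Table -AutoSize
}
```

Run it with only `-TemplateName` to see who currently holds Read and Enroll; a DC that reports `EnrollReplicated = False` after the grant is the one still serving a stale copy of the Configuration NC, which is the symptom behind the "you do not have the permissions to request certificates" message in the original post. Editing templates requires Enterprise Admins or forest-root Domain Admins rights, as Brian notes.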




