Complicated root CA issue….
=pathfinder=
07-09-2005, 10:53 PM
Ok, we have 6 DCs. I built 3 in the last year, but a previous admin built
the original 3 DCs. I have an enterprise root CA; it has issued Domain
Controller certs to the 3 DCs I built, but I can't get Domain Controller
certs to the original 3 DCs. I created an enrollment policy for the Domain
Controller certs, but only 1 of the original DCs picked that up.

I really need to get Domain Controller certs on all my DCs as I am
deploying WPA-RADIUS WiFi and need to use PEAP to authenticate my users.
PEAP works fine on a DC that has its cert, while PEAP can't be configured on a
DC without the cert.

Any ideas on what I can do to force a Domain Controller cert onto the 3
original DCs?
How do I request a Domain Controller cert manually?

Steven L Umbach
07-09-2005, 10:53 PM
Assuming everything is working correctly, you could log on to the domain
controller as a domain admin and then use the MMC Certificates snap-in
for the computer account to request a domain controller certificate. Go to the
Personal/Certificates folder, right-click, select All Tasks - Request New
Certificate, and select Domain Controller certificate. --- Steve


"=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
> Ok, we have 6 DC's. I built 3 in the last year but a previous admin built
> the original 3 DC's. I have an enterprise Root CA, it has issued Domain
> Controller certs to the 3 DC's I built but I can't get Domain Controller
> certs to the original 3 DC's. I created an enrollment policy for the
> Domain
> Controller certs but only 1 of the original DC's picked that up.
>
> I really need to get Domain Controller certs on all my DC's as I am
> deploying WPA-Radius WiFi and need to use PEAP to authenticate my users.
> The
> PEAP works fine on a DC that has its cert, while PEAP can't be configured on
> a
> DC without the cert.
>
> Any ideas on what I can do to force a Domain Controller cert onto the 3
> original DC's?
> How do I request a Domain Controller cert manually?
>
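
A command-line equivalent of the snap-in procedure Steve describes, added here as an example (it is not from his post and not Microsoft documentation). It assumes a CA config string of `myCA.domain.com\myCA` (the "CAhost\CAname" form) and a DC FQDN of `dc1.domain.com`; both are placeholders. It drives certreq with an INF naming the DomainController template, which is what the snap-in submits behind the scenes, and then checks that the certificate landed in the computer store:

```powershell
# Added example (not from the thread): request a Domain Controller certificate
# from a chosen enterprise CA with certreq, then verify it is in the computer
# store. Run in an elevated prompt on the DC as a domain admin.
# $dcFqdn and $caConfig are assumed placeholders; replace them with your own.

$dcFqdn   = "dc1.domain.com"          # assumption: this DC's FQDN
$caConfig = "myCA.domain.com\myCA"    # assumption: "CAhost\CAname" config string
$work     = Join-Path $env:TEMP "dccert"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work "dc.inf"
$req = Join-Path $work "dc.req"
$cer = Join-Path $work "dc.cer"

# MachineKeySet puts the key in the computer store (what the DC and PEAP need).
# The template's internal name is DomainController (display name "Domain
# Controller"). For this template the CA builds the subject and SAN (DNS name,
# DC GUID) from AD, so the Subject below is only a placeholder.
@"
[NewRequest]
Subject = "CN=$dcFqdn"
MachineKeySet = TRUE
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = DomainController
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request.
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }

# 2. Submit to the chosen CA. The request goes in under your user context, so
#    your account needs Enroll on the template. If the CA does not have the
#    template enabled, or Enroll is missing, the failure surfaces here.
certreq -submit -config $caConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit to $caConfig failed: $LASTEXITCODE" }

# 3. Install the issued certificate against the pending private key.
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }

# 4. Verify: a cert in LocalMachine\My carrying the v1 "Certificate Template
#    Name" extension (OID 1.3.6.1.4.1.311.20.2) with the value DomainController.
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.20.2" } |
        ForEach-Object { $_.Format($false) }) -eq "DomainController"
}
$issued | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-List

# 5. Chain and revocation check from this DC's point of view.
certutil -verify -urlfetch $cer | Select-String "ERROR|Revocation|completed"
```

If the goal is simply to make the computer account enroll through the autoenrollment policy rather than requesting as a user, `certutil -pulse` on the DC triggers an autoenrollment pass immediately instead of waiting for the next policy refresh; the certreq route above is the manual equivalent of what the snap-in does when you pick a specific CA.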

=pathfinder=
07-09-2005, 10:53 PM
Thanks Steven, that did the trick.
One other thing: why is it that if I choose the advanced option and
manually choose a different (subordinate) CA to give me the cert, it fails,
complaining "you do not have permission to do this or the CA is not
running"? When I try the process again but choose the default options (uses
the root CA), it all works.

"Steven L Umbach" wrote:

> Assuming everything is working correctly you could logon to the domain
> controller as a domain admin and then use the mmc snapin for certificates
> for computer to request a domain controller certificate. Go to the
> personal/certificates folder, right click, select all tasks - request new
> certificate and select domain controller certificate. --- Steve

Steven L Umbach
07-09-2005, 10:53 PM
I don't know offhand, but I suspect that the CA you were denied access to is
not configured to use that certificate template, or the permissions for that
template do not allow you to request a certificate for that server. You
could use the Certification Authority management console to compare which
templates have been enabled on each CA and compare the permissions
configured. Otherwise, verify that you have connectivity to the CA in
question from the domain controller you are trying to obtain a
certificate for, by pinging it by IP address and fully qualified domain name and
using the command " certutil -ping -config CAcomputername " to see if the CA
responds, as shown in the example below of me doing so from an XP Pro
domain computer. The link below explains some CA troubleshooting
methods. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/03fc472d-4b66-41ee-97a5-5ae181beae2d.mspx

D:\Documents and Settings\Steve>certutil -ping -config server1-2003
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Connecting to server1-2003 ...
Server "CA3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

"=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
news:65F59990-3A00-4753-B740-53122772939C@microsoft.com...
> Thanks Steven, that did the trick.
> One other thing: why is it that if I choose the advanced option and
> manually choose a different (subordinate) CA to give me the cert, it fails,
> complaining "you do not have permission to do this or the CA is not
> running"? When I try the process again but choose the default options
> (uses
> the root CA), it all works.
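
The two checks in Steve's reply (which templates each CA has enabled, and whether each CA answers `certutil -ping`) can be run against every enterprise CA at once. The script below is an added example, not from the thread; it assumes the certutil output formats noted in its comments (`Config:` lines from `certutil -dump`, and one template per line from `certutil -CATemplates`), and it generalizes the single-CA ping to all CAs published in AD:

```powershell
# Added example (not from the thread): enumerate the enterprise CAs published in
# AD, ping each CA's request interface the way the reply does, and report whether
# the CA is configured to issue the DomainController template. Output parsing
# assumes the certutil line formats shown in the comments.

function Get-EnterpriseCAConfig {
    # With no file argument, "certutil -dump" lists the Enrollment Services
    # entries from AD; each has a line like:  Config:  `host.domain.com\CAname'
    $out = & certutil -dump 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^\s*Config:\s+[`'']?([^`'']+)') { $Matches[1].Trim() }
    }
}

function Test-CAEnrollmentPath {
    param(
        [Parameter(Mandatory = $true)][string]$Config,
        [string]$Template = "DomainController"
    )
    # Same check as "certutil -ping -config <CA>" in the thread.
    $ping  = & certutil -ping -config $Config 2>&1
    $alive = ($LASTEXITCODE -eq 0) -and [bool]("$ping" -match "interface is alive")

    # A failed ping (e.g. "Access is denied. 0x80070005") is a reachability or
    # DCOM-permission problem on the CA; templates are not even consulted yet.
    $pingError = if ($alive) { $null } else { [regex]::Match("$ping", "0x[0-9A-Fa-f]{8}").Value }

    $templateEnabled = $null
    if ($alive) {
        # "certutil -CATemplates" lists the templates the CA will issue, one per
        # line, starting with the internal name, e.g.
        # "DomainController: Domain Controller -- Auto-Enroll"
        $tpl = & certutil -CATemplates -config $Config 2>&1
        $templateEnabled = [bool](@($tpl) -match "^\s*$Template\s*:")
    }

    [pscustomobject]@{
        Config          = $Config
        PingAlive       = $alive
        PingError       = $pingError
        TemplateEnabled = $templateEnabled
    }
}

# Run from the DC that cannot enroll, under the account that will request.
$report = Get-EnterpriseCAConfig | ForEach-Object { Test-CAEnrollmentPath -Config $_ }
$report | Format-Table -AutoSize

# Any CA that is not alive, or does not issue the template, will fail the
# snap-in's "advanced" option in exactly the way the thread describes.
$report | Where-Object { -not $_.PingAlive -or -not $_.TemplateEnabled }
```

Read the two columns in order: a CA whose ping already fails with `0x80070005` (Access is denied) never reached the template check, so template ACLs are not the explanation for that CA. One known cause in this time frame, not established by this thread, is the DCOM hardening in Windows Server 2003 SP1, after which requesters must be covered by the CA server's CERTSVC_DCOM_ACCESS group for the ICertRequest interface to accept them at all; the CA's Security tab and that group's membership are the places to look when the ping itself is denied.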

=pathfinder=
07-09-2005, 10:53 PM
I tried using the utility as you mentioned, and here are the responses I get
from one of the 6 DCs I have. This is a DC I built that did receive a DC
cert automatically.
_______________________________________________________________
C:\Documents and Settings\path>certutil -ping -config myCA
Connecting to myCA ...
Server "myCA.domain.com" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

C:\Documents and Settings\path>certutil -ping -config pcvw-udc
Connecting to pcvw-udc ...
Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)

CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Any more ideas?


"Steven L Umbach" wrote:

> I don't know offhand but suspect that the CA you were denied access to is
> not configured to use that certificate template or the permissions for that
> template do not allow you to request a certificate for that server. You
> could use the Certificate Authority Management Console to compare which
> templates have been enabled on each CA and compare the permissions
> configured. Otherwise verify that you have connectivity to the CA in
> question from the domain controller that you are trying to obtain a
> certificate by pinging it by IP address and fully qualified domain name and
> using the command " certutil -ping -config CAcomputername " to see if the CA
> responds as shown in the example below for me doing such from an XP Pro
> domain computer. The link below explains some CA troubleshooting
> methods. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/03fc472d-4b66-41ee-97a5-5ae181beae2d.mspx
>
> D:\Documents and Settings\Steve>certutil -ping -config server1-2003
> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
> Connecting to server1-2003 ...
> Server "CA3" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.

Steven L Umbach
07-09-2005, 10:53 PM
Hmm. Not quite sure what is going on, but what I would try is running the
support tool netdiag on both the CA you are refused access to and the server
you are refused access from. Netdiag will run a battery of tests that will
check, among other things, network connectivity, DNS name resolution and
record registration, DC discovery, Kerberos, and trust/secure channel. DNS
or trust/secure channel problems could be a possible cause. I would also run
dcdiag on the domain controller to check for pertinent problems, including
DNS and replication. You also may want to post in the
microsoft.public.security.crypto newsgroup. --- Steve



"=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
news:8AC77FBA-D640-4D42-BDFD-B6C00E5847E6@microsoft.com...
> I tried using the utility as you mentioned, and here are the responses I get
> from one of the 6 DCs I have. This is a DC I built that did receive a DC
> cert automatically.
> _______________________________________________________________
> C:\Documents and Settings\path>certutil -ping -config myCA
> Connecting to myCA ...
> Server "myCA.domain.com" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.
>
> C:\Documents and Settings\path>certutil -ping -config pcvw-udc
> Connecting to pcvw-udc ...
> Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)
>
> CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
> CertUtil: Access is denied.
>
> Any more ideas?
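
The netdiag/dcdiag battery Steve suggests, reduced to the tests that bear on certificate enrollment and paired with the autoenrollment events from the DC's Application log, which carry the HRESULT behind a DC that "did not pick up" its certificate. This is an added example, not from the thread; it assumes the Windows Server 2003 Support Tools are installed for netdiag, uses the Windows PowerShell `Get-EventLog` cmdlet (not available in PowerShell 7), and takes the CA host name as a parameter (`pcvw-udc` below is the name from the post, used only as the argument):

```powershell
# Added example (not from the thread): run the DNS/Kerberos/secure-channel
# checks the reply recommends on the DC that is refused access, ping the CA by
# name and by address, and pull recent autoenrollment failures with their
# HRESULTs. netdiag is a Windows Server 2003 Support Tools binary.

function Invoke-DcEnrollmentDiag {
    param([Parameter(Mandatory = $true)][string]$CaHost)   # CA that refused access

    $rows = @()
    # DNS, Kerberos and trust/secure channel are the netdiag tests most likely to
    # explain "Access is denied" from a CA. netdiag prints "... : Failed" per test.
    foreach ($t in "dns", "kerberos", "trust") {
        $out = & netdiag /test:$t /q 2>&1
        $rows += [pscustomobject]@{
            Check  = "netdiag /test:$t"
            Passed = -not ("$out" -match "Failed|Fatal")
            Detail = (@($out) -match "Failed|Fatal" | Select-Object -First 1)
        }
    }
    # dcdiag DNS test on this DC; a failure reads "... failed test DNS".
    $out = & dcdiag /test:dns /q 2>&1
    $rows += [pscustomobject]@{
        Check  = "dcdiag /test:dns"
        Passed = -not ("$out" -match "failed test")
        Detail = (@($out) -match "failed test" | Select-Object -First 1)
    }
    # Secure channel to the domain: a broken one breaks Kerberos to the CA.
    $out = & nltest /sc_verify:$env:USERDNSDOMAIN 2>&1
    $rows += [pscustomobject]@{
        Check  = "nltest /sc_verify"
        Passed = [bool]("$out" -match "NERR_Success")
        Detail = (@($out) -match "Status" | Select-Object -First 1)
    }
    # Reachability of the CA by name and then by address, as the reply suggests;
    # name OK but address failing (or the reverse) points at DNS.
    $ip = try { [System.Net.Dns]::GetHostAddresses($CaHost)[0].IPAddressToString } catch { $null }
    $rows += [pscustomobject]@{
        Check  = "ping $CaHost"
        Passed = (Test-Connection -ComputerName $CaHost -Count 1 -Quiet)
        Detail = "resolves to $ip"
    }
    if ($ip) {
        $rows += [pscustomobject]@{
            Check  = "ping $ip"
            Passed = (Test-Connection -ComputerName $ip -Count 1 -Quiet)
            Detail = $null
        }
    }
    $rows
}

function Get-AutoEnrollmentFailures {
    param([int]$Hours = 24)
    # Event source is "AutoEnrollment" on XP/2003 and
    # "Microsoft-Windows-CertificateServicesClient-AutoEnrollment" on later OS;
    # the message text carries the HRESULT (e.g. 0x80070005) of the failed request.
    Get-EventLog -LogName Application -EntryType Error, Warning -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -like "*AutoEnrollment*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventId = $_.EventID
                HResult = [regex]::Match($_.Message, "0x[0-9A-Fa-f]{8}").Value
                Summary = ($_.Message -split '\r?\n')[0]
            }
        }
}

Invoke-DcEnrollmentDiag -CaHost "pcvw-udc" | Format-Table -AutoSize
Get-AutoEnrollmentFailures | Format-Table -AutoSize
```

Run it on each of the original DCs and compare against the one that did pick up its certificate: the autoenrollment HRESULT tells you whether the DC is being refused by the CA (the same 0x80070005 the ping returned) or never reaching it, and the netdiag/nltest rows separate a DNS or secure-channel fault from a CA-side permission fault.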