Posted by Grovnasch on August 16, 2007, 4:58 am
Brian wrote:
> Microsoft CAs are hard coded to request the Domain Controller certificate.
> Windows Server 2003 introduced the Domain Controller Authentication
> certificate template, which supersedes the Domain Controller template.
> My question for you is why you have decided to create your own template,
> rather than using the defaults?
> Brian
>
> > Hello everybody,
> > I have the following problem on my AD-Domain (3 Domain Controllers
> > with MS-PKI):
> > all the domain controllers have recurrent errors in the Application
> > Event Viewer that say:
> > "Automatic Certificate Enrollment for local system could not find a
> > valid certificate template to match DomainController as specified in
> > the group policy automatic enrollment object. Enrollment will not be
> > performed."
> > The "DomainController" template is the standard template, which I have
> > removed from the "Certificate Templates to Issue" container. Besides, I
> > have created a new personalized DomainController template, called
> > MyDomainController, which is accepted by all the DCs, i.e. all 3
> > of them have been issued a valid certificate. Nevertheless, all domain
> > controllers still ask for a "DomainController" certificate, although
> > there is no entry at all in the Default Domain Controllers Policy (-->
> > Computer Settings --> Windows Settings --> Security Settings -->
> > Public Key Policies --> Automatic Certificate Request Settings).
> > If I try to reintegrate the "DomainController" template on the CA
> > (--> Certification Authority --> My CA --> Certificate Templates: New
> > Certificate Template to Issue), I get the following error: "The template
> > information on the CA cannot be modified at this time. This is most
> > likely because the CA service is not running or there are replication
> > delays. One or more certificate templates to be enabled on this
> > certification authority could not be found. The changes can be saved to
> > Active Directory and retrieved by the CA next time it is started. Do
> > you want to save the changes to Active Directory?"
> > Clicking "Yes" and restarting the CA does not solve the problem...
> > Did anyone have the same problem? Any ideas?
> > Thanks in advance,
Hello,
I duplicated the DomainController template to be able to modify
certain settings while still keeping the original copy.
Autoenrollment with my personalized MyDomainController template works
fine, I just don't understand why the DCs still try to autoenroll
with the DomainController template. It is not specified in either
policy.
Besides, the DomainController template says in the Certificate
Templates MMC: Minimum supported CA: Windows 2000; Autoenrollment: not
allowed... bizarre that it is not compatible with autoenrollment...
When I try to add the template with certutil -SetCATemplates
+DomainController, it generates the following error:
DomainController: Adding
CertUtil: -SetCATemplates command FAILED: 0x80094813 (-2146875373)
CertUtil: One or more certificate templates to be enabled on this
certification authority could not be found.
certutil -Template does not display the DomainController template,
whereas it is shown in the Certificate Templates MMC....
Sven
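A script to narrow down where the -SetCATemplates failure above comes from, added here as an example; it is not code from Sven's or Brian's posts. It assumes a domain-joined host with certutil.exe, a locally installed CA, and an account allowed to read the Configuration partition; $Wanted is a hypothetical parameter holding the template's cn (not its display name). It lists the template objects in the Certificate Templates container on every DC in the domain (the container certutil -Template and the CA itself read from, which is why a template can be visible in the MMC on one DC yet "not found" by a CA bound to another), and the templates the CA is currently enabled to issue, then reports whether the requested name is in each. 0x80094813 is CERTSRV_E_UNKNOWN_CERT_TYPE, the error the CA returns when the name cannot be resolved to a published template object.

```powershell
# Added example, not code from the thread. Assumes: domain-joined host with certutil.exe,
# a local CA (certutil is called without -config), and read access to the Configuration
# partition. $Wanted is a hypothetical parameter: the template cn, e.g. DomainController.
param(
    [string]$Wanted = 'DomainController'
)

$configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$relPath  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# 1. Template objects as published in AD, checked per domain controller. The CA binds to
#    one DC; if the object exists on some DCs but not on the CA's, that is a replication
#    problem and no amount of restarting the CA service will fix it.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$perDc  = foreach ($dc in $domain.DomainControllers) {
    $container = [ADSI]"LDAP://$($dc.Name)/$relPath"
    $names     = @(foreach ($t in $container.Children) { [string]$t.Properties['cn'].Value })
    [pscustomobject]@{
        DC            = $dc.Name
        TemplateCount = $names.Count          # differing counts between DCs = replication lag
        HasTemplate   = ($names -contains $Wanted)
    }
}

# 2. Templates the local CA is enabled to issue. certutil -CATemplates prints one
#    "Name: Display Name -- <access>" line per template and a trailing "CertUtil: ..." line.
$caTemplates = @(foreach ($line in (certutil -CATemplates)) {
    if ($line -match '^(?<name>[^:\s]+):' -and $Matches.name -ne 'CertUtil') { $Matches.name }
})

$publishedEverywhere = -not ($perDc | Where-Object { -not $_.HasTemplate })
$enabledOnCa         = $caTemplates -contains $Wanted

"Template objects in $relPath, per DC:"
$perDc | Format-Table -AutoSize

[pscustomobject]@{
    Template            = $Wanted
    PublishedOnEveryDC  = $publishedEverywhere
    EnabledOnCA         = $enabledOnCa
} | Format-List

if (-not $publishedEverywhere) {
    $missing = ($perDc | Where-Object { -not $_.HasTemplate } | ForEach-Object { $_.DC }) -join ', '
    Write-Warning ("'$Wanted' is missing from the Certificate Templates container on: $missing. " +
                   "Fix replication (or re-publish the template) before running -SetCATemplates; " +
                   "the CA will otherwise fail with 0x80094813.")
} elseif (-not $enabledOnCa) {
    Write-Host "'$Wanted' is published on every DC but not enabled on the CA. Run: certutil -SetCATemplates +$Wanted"
} else {
    Write-Host "'$Wanted' is published and enabled. Run 'certutil -pulse' on a DC to trigger autoenrollment now."
}
```

Run it on the CA as an Enterprise Admin. If every DC reports HasTemplate = False while the MMC still shows the template, the MMC is reading a different DC or a stale copy; if the counts differ between DCs, wait for (or force) replication and re-run before retrying -SetCATemplates.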