Posted by JulioHM on January 24, 2008, 1:21 pm
Just read my own e-mail... I sound like a real foreigner!
(don't worry.. I really am one)
Gotta brush up my English.. hehehehe sorry :)
> I'm not quite sure what you mean by "properly"... we're not real
> experts on Windows network management. Where can I find more info on
> replication configuration for the windows network?
>
> We've set up the network ourselves for lack of a real expert for
> this in this project.
>
> Things seem to be working fine now. We have automatic backups running
> every day, late at night, so if needed we should be covered from any
> major disaster :)
>
> Thanks for all the help!
> Julio
>
> wrote:
>
> > It sounds like you have replication problems (have you properly defined
> > sites and subnets?)
> > Brian
>
>
>
> > > Hi,
>
> > > Thanks for the response. Eventually we got it working. We tried all
> > > > kinds of permissions (your tip included)... and at the end of the day
> > > > we found out that AD had not replicated permissions throughout the
> > > > forest. Even though we completely shut down and restarted ALL machines
> > > and domain controllers in the lab (several times), we had to force
> > > replication by using mmc snap-in "Active Directory Sites and
> > > Services".
>
> > > Browse to "Sites > Default-First-Site-Name > Servers > YOUR_ROOT_DC >
> > > NTDS Settings"
>
> > > Under that, you'll find your child domain controllers. Right click on
> > > each one and select "Replicate Now".
>
> > > This got it all working. Now we know... all you need is the right
> > > permissions on the certificate template you want to use. Even though
> > > we changed permissions on the template, AD was taking much longer to
> > > replicate these settings throughout the forest (apparently this may
> > > take several hours).
>
> > > Thanks a lot!
> > > Julio
>
> > > wrote:
> > > >> The main thing is that you have to modify the permissions on the
> > > >> certificate templates you wish to issue.
> > > >> By default, permissions assume a single domain forest.
> > > >> You must change the permissions to allow users and computers from a
> > > >> child domain to request certificates from the CA.
> > > >> - The certificate templates are edited using the Certificate Templates
> > > >> console (certtmpl.msc)
> > > >> - By default, only Enterprise Admins and forest root Domain Admins have
> > > >> the permissions to edit the certificate templates.
> > > >> - The certificate templates are stored in the Configuration naming
> > > >> context and replicated to all DCs in the forest (requiring the use of
> > > >> either global groups or universal groups for the permission assignments).
>
> > > >> You can use one of two permission strategies.
> > > >> 1) Create a custom global group in each domain to represent the target
> > > >> users or target computers for the certificate template. Add both groups
> > > >> (based on the fact that you state you have a root domain and a child
> > > >> domain), and assign each group Read and Enroll permissions.
> > > >> 2) Create a custom global group in each domain to represent the target
> > > >> users or target computers for the certificate template. Add each global
> > > >> group to a custom universal group and assign the universal group Read
> > > >> and Enroll permission for the certificate template.
>
> > >> Brian
>
>
...
>
> > >> > Hi,
>
> > >> > We have a forest setup (all servers are win2003) where we have one
> > >> > root domain controller (actresses.net) and one child domain
> > >> > (hot.actresses.net) controller.
>
> > > >> > Root domain has an Enterprise CA installed, and we are trying to allow
> > > >> > computers in the child domain to request certificates from the root
> > > >> > domain. We keep getting the same error message, no matter what we try.
>
> > > >> > After following the Certificate Request Wizard in the MMC Certificate
> > > >> > snap-in, the following error message appears.
>
> > >> > ---------------------------
> > >> > Certificate Request Wizard
> > >> > ---------------------------
> > >> > The certificate request failed because of one of the following
> > >> > conditions:
> > > >> >    - The certificate request was submitted to a Certification
> > > >> > Authority (CA) that is not started.
> > > >> >    - You do not have the permissions to request certificates from the
> > > >> > available CAs.
> > >> > ---------------------------
> > >> > OK
> > >> > ---------------------------
>
> > > >> > Apparently, as we have googled around, this message seems to have
> > > >> > several possible reasons to show up. We've tried changing all kinds of
> > > >> > permissions everywhere (templates, active directory) but without any
> > > >> > luck.
>
> > > >> > Would anyone have any clue of how to work around this?
>
> > > >> > Any help is appreciated.
>
> > >> > Thanks
> > >> > Julio
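
The replication lag described in this thread can be checked per domain controller. The following PowerShell is an added example, not part of the original posts: it binds to each DC's copy of the certificate template in the Configuration naming context and reports whether that replica already grants Read and Enroll to the enrollment group. It assumes PowerShell 3.0 or later on a domain-joined machine; the template name and group name are placeholders.

```powershell
# Added example: does every DC already hold the template ACL that grants Read + Enroll?
$templateCn = 'ExampleTemplate'          # placeholder: CN of the template being issued
$group      = 'EXAMPLE\Cert Enrollers'   # placeholder: group assigned Read and Enroll
# Certificate-Enrollment extended right ("Enroll" on the template's Security tab)
$enrollGuid  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$extRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the Configuration naming context, replicated to every DC in the forest.
$configNc   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDn = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcs    = $forest.Domains | ForEach-Object { $_.DomainControllers }

$report = foreach ($dc in $dcs) {
    $read = $false; $enroll = $false; $err = $null
    try {
        # Bind to this specific DC so we read its replica, not whichever DC answers first.
        $entry = [ADSI]"LDAP://$($dc.Name)/$templateDn"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -ne $group) { continue }
            if ($r.AccessControlType -ne 'Allow')      { continue }
            $rights = [int]$r.ActiveDirectoryRights
            if (($rights -band $genericRead) -eq $genericRead) { $read = $true }
            # Enroll is an extended right scoped by ObjectType (an empty GUID means all extended rights).
            if (($rights -band $extRight) -and
                ($r.ObjectType -eq $enrollGuid -or $r.ObjectType -eq [guid]::Empty)) {
                $enroll = $true
            }
        }
    } catch {
        $err = $_.Exception.Message   # DC unreachable, or template not present on this replica yet
    }
    [pscustomobject]@{
        DomainController = $dc.Name
        Domain           = $dc.Domain.Name
        Read             = $read
        Enroll           = $enroll
        Error            = $err
    }
}

$report | Format-Table -AutoSize
```

A DC that shows `False` for Read or Enroll while the root DC shows `True` has not yet received the updated template ACL. With the first permission strategy from the thread (one global group per domain), run the check once per group.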