AD CS publish certificate issue
Hi,

I set up a lab environment where I'm testing the AD CS stuff before I implement this in production. I have a root domain (msad.loopx.org) and a child domain (sub.msad.loopx.org). For the PKI environment I chose the 2-tier way with a standalone Root CA and an Enterprise Issuing Subordinate CA. The standalone Root CA runs on a workgroup server and the Issuing CA runs on a member server. This member server is joined to the child domain. I want to keep the forest root as clean as possible.

Everything is working well so far; the DCs automatically got their certificates. My question is about a warning in the Application log from the Enterprise CA server. Below is the warning that I get. I get this warning for DCs in both domains, the root and the child domain.

    Active Directory Certificate Services could not publish a Certificate for request 7 to the following location on server fkmsdc2.sub.msad.loopx.org: CN=FKMSDC4,OU=Domain Controllers,DC=sub,DC=msad,DC=loopx,DC=org.
    Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
    ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Should I care about this warning? I don't know where to check to fix this. The Enterprise CA computer was automatically in the Cert Publishers group of the child domain of which it is a member. Maybe someone has an idea?

Thanks
Marco
June 17th, 2010 11:54pm

Hi,

Please refer to the following article and verify that the Cert Publishers group has Read userCertificate and Write userCertificate permission on the computer objects.

Certification Authority configuration to publish certificates in Active Directory of trusted domain
http://support.microsoft.com/kb/281271

After that, on the CA server, at a command prompt, run the following three commands:

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc

If the issue persists, I think that the CA computer account does not have the Cert Publishers SID in its token. Please restart the CA server and check the result.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 22nd, 2010 10:31am
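The permission and membership checks the reply above asks for can be scripted instead of clicked through in ADSI Edit. This is an added example, not code from the thread or from the KB article; it assumes the ActiveDirectory module (RSAT) and the lab names from the question (the DC object DN and the DC to query are parameters, and the CA computer account name is a placeholder to replace).

```powershell
# Added example: check whether "Cert Publishers" may read/write userCertificate on a
# DC computer object, whether the CA computer is in that domain's Cert Publishers
# group, and how many certificates are already published on the object.
# Run on any domain-joined box with RSAT; -Server selects the domain to check.
Import-Module ActiveDirectory

function Test-CertPublisherAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerDN,    # object named in the event
        [Parameter(Mandatory)][string]$Server,        # a DC of that object's domain
        [string]$CaComputer = 'ISSUINGCA$'            # placeholder: CA computer account
    )
    $rootDse = Get-ADRootDSE -Server $Server -ErrorAction Stop
    # Resolve the schemaIDGUID of userCertificate from the schema instead of hard-coding it
    $attr = Get-ADObject -Server $Server -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
    $userCertGuid = [guid]$attr.schemaIDGUID

    # The AD: drive points at the current domain, so mount a drive against $Server
    New-PSDrive -Name ADChk -PSProvider ActiveDirectory -Root '' -Server $Server | Out-Null
    try   { $acl = Get-Acl -Path "ADChk:\$ComputerDN" }
    finally { Remove-PSDrive -Name ADChk }

    # Allow ACEs for Cert Publishers that target userCertificate or all properties (empty GUID)
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Cert Publishers' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $userCertGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    $canRead  = $aces | Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' }
    $canWrite = $aces | Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' }

    # Cert Publishers is a per-domain group; the CA must be a member in the target domain
    $member = Get-ADGroupMember -Identity 'Cert Publishers' -Server $Server |
        Where-Object { $_.SamAccountName -eq $CaComputer }

    $obj = Get-ADObject -Identity $ComputerDN -Server $Server -Properties userCertificate
    [pscustomobject]@{
        Object                = $ComputerDN
        CertPublishersRead    = [bool]$canRead
        CertPublishersWrite   = [bool]$canWrite
        CaInCertPublishers    = [bool]$member
        PublishedCertificates = @($obj.userCertificate).Count
    }
}

Test-CertPublisherAccess -Server 'fkmsdc2.sub.msad.loopx.org' `
    -ComputerDN 'CN=FKMSDC4,OU=Domain Controllers,DC=sub,DC=msad,DC=loopx,DC=org'
```

If the ACE and membership columns are both True but the event keeps appearing, the CA's own token is the remaining suspect, which is the reboot case the reply describes.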

Thanks for your reply Joson.

I already found that 281271 article and tried some parts of it. Some items don't exist in my setup, like #3 "Configure the CA Exit Module to publish certificates to Active Directory".

Your magic sentence was "Please restart the CA server...". Actually I never restarted the server after I installed the Enterprise CA. Installation was successful without any notice that a reboot is required. So I didn't reboot it. So this god damn reboot was the solution. There was no need to modify anything manually. The only thing I did was putting the CA server computer account in the "Cert Publishers" group of the forest root domain. It was automatically a member of this group in the child domain where it is a member server.

After the reboot, when the DCs get their certificates they are published fine in the userCertificate attribute of the DC object in the OU Domain Controllers.

Thanks again
Marco
June 23rd, 2010 1:46pm

On Wed, 23 Jun 2010 10:46:36 +0000, Marco Schirrmeister wrote:

> Your magic sentence was "Please restart the CA server...". Actually I never restarted the server after I installed the Enterprise CA. Installation was successful without any notice that a reboot is required. So I didn't reboot it. So this god damn reboot was the solution. There was no need to modify anything manually. The only thing I did was putting the CA server computer account in the "Cert Publishers" group of the forest root domain. It was automatically a member of this group in the child domain where it is a member server. After the reboot, when the DCs get their certificates they are published fine in the userCertificate attribute of the DC object in the OU Domain Controllers.

This is Windows Security 101. When you add or remove a computer from a group you need to restart the computer in order to get the changed group membership reflected in the access token. Same for a user account, though in the case of a user account, you only need to log off and then log on again to get the updated group membership.

FWIW - there's really no need to have the DCs' certificates published in the directory.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
June 23rd, 2010 2:12pm

Thanks for the clarification Paul. And yes, everything was working without the published certificate, but I just want clean logs and tried to fix errors and warnings. It publishes the certs by default. I did not enable this and it's also not enabled in the templates from what I can see.
June 23rd, 2010 4:08pm
