CA Missing Templates in Enable Certificate Templates
One of the other admins recently reinstalled our only CA server, and since then a bunch of certificates that were formerly available are no longer issuable. After going to the Enable Certificate Templates dialog, some of the certificates are not listed. The server IS running Windows Server Enterprise 2008 R2 SP1 (I verified this before posting) and the certificates have replicated to all the DCs. Some of the certificate templates in question are default certificates (Workstation Authentication templates) and others are not (the ConfigMgr certificates). Any suggestions on what we might be missing?
July 21st, 2011 11:12am

Are you only able to add v1 templates but no v2 or v3? /Hasain
July 21st, 2011 11:44am

We have a few v2 certificates that are enabled for issuing, so we can use v2 (and I'm assuming v3).
I know who teaches your children, and I weep for the future generations.
July 21st, 2011 11:48am

Please check the permissions of the templates not showing up on the add list and make sure that your admin account has the minimum of "read" permission. /Hasain
July 21st, 2011 12:05pm

Permissions on one of the templates in question:
Authenticated Users: Read
Enterprise RODC: Enroll, Autoenroll
Administrator: Read, Write
Domain Admins: Read, Write, Enroll
Domain Computers: Enroll
Domain Controllers: Enroll, Autoenroll
Enterprise Admins: Read, Write, Enroll
Enterprise DC: Enroll, Autoenroll
I know who teaches your children, and I weep for the future generations.
July 21st, 2011 12:08pm

That worked. Is there a particular reason why it is forcing us to add the certificate templates from the command line?
I know who teaches your children, and I weep for the future generations.
July 21st, 2011 1:52pm

The two methods make the same changes on the Enrollment Service object, so there should not be any difference in behavior.
July 21st, 2011 2:13pm
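
Added example, not part of the thread: the list of templates a CA will issue is stored in the `certificateTemplates` attribute of its `pKIEnrollmentService` object in the Configuration partition, so a read-only comparison against the template objects in AD shows which templates are defined but not published, whichever tool made the change. It assumes a domain-joined host and an account that can read the Configuration partition; the function and variable names are illustrative.

```powershell
# Added example (read-only). Assumes a domain-joined host and read access to
# the Configuration partition. Function and variable names are illustrative.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Find-PkiObject([string]$Container, [string]$Filter, [string[]]$Props) {
    # Paged LDAP search under one of the Public Key Services containers.
    $entry = [ADSI]"LDAP://$Container,$pkiBase"
    $s = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $s.Filter   = $Filter
    $s.PageSize = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# Every template defined in AD, keyed by cn, with its schema version.
# v1 templates carry no msPKI-Template-Schema-Version, so a missing value is shown as 1.
$defined = @{}
$tmplProps = 'cn', 'mspki-template-schema-version'
foreach ($t in (Find-PkiObject 'CN=Certificate Templates' '(objectClass=pKICertificateTemplate)' $tmplProps)) {
    $ver = 1
    $v = $t.Properties['mspki-template-schema-version']
    if ($v.Count) { $ver = $v[0] }
    $defined[[string]$t.Properties['cn'][0]] = $ver
}

# Each CA's published list, compared against the defined templates.
$caProps = 'cn', 'certificatetemplates'
foreach ($ca in (Find-PkiObject 'CN=Enrollment Services' '(objectClass=pKIEnrollmentService)' $caProps)) {
    $published = @($ca.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
    "CA: $($ca.Properties['cn'][0])  published templates: $($published.Count)"

    # Defined in AD but not on this CA's issue list: not enrollable from this CA.
    foreach ($name in ($defined.Keys | Sort-Object)) {
        if ($published -notcontains $name) {
            "  defined but not published: $name (v$($defined[$name]))"
        }
    }
    # On the issue list but with no template object behind it (stale entry).
    foreach ($name in $published) {
        if (-not $defined.ContainsKey($name)) {
            "  published but no template object found: $name"
        }
    }
}
```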

Well, the enrollment command line allows me to explicitly define the certificate I want to put into the deployment list, but the GUI version doesn't list any certificates in it, so I am unable to select them that way. I know who teaches your children, and I weep for the future generations.
July 21st, 2011 4:12pm

How about your clients, are you able to issue a certificate from the template you added using the certutil command? Using certmgr.msc, are your clients able to see the template or is the CA failing requests based on that template? Have you tried to just restart your CA server at any point?
July 21st, 2011 4:39pm

I was successfully able to see and enroll in the certificate that I had added using the certutil command. And the templates I added using this DO show up on clients and in the certmgr.msc. The server was rebooted a couple of days ago, after the issue started, but we haven't tried again since then.
I know who teaches your children, and I weep for the future generations.
July 21st, 2011 4:45pm

Correct. Luckily we don't add new templates too frequently, so if the GUI never functions quite right (and that is the only issue we've noticed), I'm fairly sure we can live with it.
I know who teaches your children, and I weep for the future generations.
July 21st, 2011 4:55pm

Hasain, thank you very much. I didn't think that the GUI could be one of the problems. Thank you again for your time, Keli keli
October 3rd, 2012 9:30am
