Cannot install NDES - certificate templates can't be edited with "Element not found" error.
OK folks, I've got a curly one for you.

We have a Windows 2003 forest with a root domain and child domain. Schema is Windows 2008, issuing CA is a Windows 2003 server located in the child domain. We're trying to install NDES on a separate Windows 2008 Enterprise R2 server, which is a member of the same child domain. All regular CA functions are working. The installing user is a member of the forest root enterprise admins group, and is also a local administrator on the Windows 2008 member server. As an enterprise administrator, the user has full permissions on all the templates in AD. A dedicated service account has been created in the child domain, and has been granted the appropriate IIS_IUSR group membership and has also been granted "Request" permissions on the Issuing CA.

However, when we try to add the NDES role, we get as far as installation completion and then receive the following error:

    Failed to add the following certificate templates to the enterprise Active Directory Certificate Services or update security settings on those templates:
    EnrollmentAgentOffline
    CEPEncryption
    IPSEC (Offline Request)
      Element not found. 0x80070490 (WIN32:1168)

Note I have copied this verbatim, including the slight indent at the bottom.

These templates already exist in Active Directory. They were created some time in 2007 (probably when I first installed the CA for the customer) and list modification dates which align with when the NDES service is trying to install itself. The certificates are not published for issuance on the CA, but I tried replicating that in my lab and I got a different error (which was easily fixed by publishing the template on the CA).

So, yeah, I have tried to replicate this error in a lab by slowly stripping away access rights and I can't replicate it. Help would be much appreciated. It looks like some kind of weird LDAP problem to do with the template objects themselves.
May 12th, 2011 3:55am

OK I've done a bit more testing. If I delete one or more of the required templates in my lab, I can force the installation to fail with a similar error. In the lab environment, I only get an error message of Element not found. 0x80070490. I don't get any other details, nor do I get the 1168 event ID listed. When I restore the default templates, the error in my lab goes away. Like I say, it's a similar error and I think it's the right direction...maybe. The problem is that with the original error it's not telling me which element isn't found. There's a lot of potential elements which it could be "not finding"!
May 12th, 2011 4:23am

More testing completed. I found that if I edit the security of a default template and deny my EA account access, it causes the error. But then when I remove the deny entry, I still get the error during NDES installation, and the error only goes away when I re-install the default templates again.
May 12th, 2011 4:57am

You must enroll the service using the default templates (hard coded). If you want to use custom templates, you must do the following:

1) Install with default templates
2) Verify which stores the templates exist in (some in the service account store and some in the local machine store)
3) Create custom templates (appropriate for each store, based on the defaults)
4) Enroll the custom templates
5) Delete the certificates based on the default templates

Brian
May 12th, 2011 2:29pm

Installing the default templates helped narrow down the problem but did not resolve it. Due to some weirdness in the customer's Active Directory design, we had to grant the specific computer account of the NDES server read access to the default certificate templates ("CEP Encryption" and "IPSec Offline Request"). After that, the installation was successful.
May 30th, 2011 1:16am
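The two findings in this thread (a template object that is missing gives "Element not found", and the NDES server's computer account needs Read on the default template objects) can be checked and fixed from PowerShell. The script below is an added example, not code from the thread. It assumes the ActiveDirectory RSAT module is available on the NDES server (it ships with Windows 2008 R2), that the account running it may edit template ACLs (the enterprise admin used in the post), a hypothetical NDES hostname NDES01, and that the CN of the "IPSec (Offline request)" template is IPSECIntermediateOffline, which the page does not spell out.

```powershell
# Added example (not part of the original thread).
# Verifies that each default NDES template object exists in the Configuration
# partition and that the NDES server's computer account has Read on it; grants
# GenericRead when it is missing.
Import-Module ActiveDirectory

$NdesServer  = 'NDES01'   # assumption: sAMAccountName (without $) of the NDES server
$TemplateCNs = 'EnrollmentAgentOffline', 'CEPEncryption', 'IPSECIntermediateOffline'

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# ACEs are keyed by SID, so resolve the computer account once and compare on that.
$computerSid = (Get-ADComputer -Identity $NdesServer).SID
$computerNT  = $computerSid.Translate([System.Security.Principal.NTAccount]).Value
$readRight   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Test-IsComputerAce {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $id = $Ace.IdentityReference.Value
    return ($id -eq $computerNT -or $id -eq $computerSid.Value)
}

function Grant-TemplateRead {
    param([string]$TemplateCN, [switch]$Apply)

    $path = "AD:\CN=$TemplateCN,$templatesDN"

    # A missing template object is exactly the case that reproduced
    # "Element not found" in the lab; reinstalling the defaults fixes that, not an ACL edit.
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$TemplateCN does not exist under $templatesDN - restore the default templates first"
        return
    }

    $acl = Get-Acl -Path $path

    # A Deny on the computer account itself overrides any Allow we could add.
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and (Test-IsComputerAce $_) }
    if ($deny) {
        Write-Warning "$TemplateCN has an explicit Deny for $computerNT; remove it before granting Read"
        $deny | Format-Table IdentityReference, ActiveDirectoryRights -AutoSize
        return
    }

    # Look for an Allow ACE on the computer account that already covers GenericRead.
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (Test-IsComputerAce $_) -and
        (($_.ActiveDirectoryRights -band $readRight) -eq $readRight)
    }

    if ($hasRead) {
        Write-Host "$TemplateCN: $computerNT already has Read"
        return
    }

    Write-Host "$TemplateCN: $computerNT has no explicit Read ACE"
    if ($Apply) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $computerSid, $readRight, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "$TemplateCN: granted GenericRead to $computerNT"
    }
}

# First pass reports only; rerun with -Apply to write the ACEs.
foreach ($cn in $TemplateCNs) { Grant-TemplateRead -TemplateCN $cn }
# foreach ($cn in $TemplateCNs) { Grant-TemplateRead -TemplateCN $cn -Apply }
```

The check is deliberately conservative: it only recognises an ACE placed directly on the computer account, so in a default forest where Authenticated Users already has Read it will report "no explicit Read ACE" and adding the ACE is harmless. The Deny check matters because, as the second post found, a leftover Deny on a template is not cleared by removing the matching Allow and keeps the NDES install failing until the template is reinstalled.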
