Certificate Server cleanup failing
Hi,

I am logged in as Ent Admin, Domain Admin, Schema Admin... and am trying to remove an Enterprise Sub CA installation that failed, using http://support.microsoft.com/kb/889250

When I get to step 7 and execute:

certutil -viewdelstore ldap:///CN=NtAuthCertificates,CN=Public Key Services,cn=services,cn=configuration,DC=forestname?cACertificate?base?objectclass=certificationAuthority
certutil -viewdelstore ldap:///CN=NtAuthCertificates,CN=Public Key Services,cn=services,cn=configuration,DC=forestname?cACertificate?base?objectclass=pKIEnrollmentService

I get this error:

CertUtil: -viewdelstore command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

When I run this, I get no feedback from AD:

certutil store -? | findstr "CN=NTAuth"

I have verified that Ent Admin & Dom Admins have Full Control on: CN=Public Key Services,cn=Services,cn=Configuration

Any ideas?

Thanks
June 5th, 2009 5:12pm

Hi,

Thank you for posting here. According to your description, I understand that there is an error when trying to run the "certutil -viewdelstore" command. If I have misunderstood the problem, please don't hesitate to let me know.

Please note the syntax in KB 889250 is incorrect. Please try to add quotation marks and test:

certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,cn=services,cn=configuration,DC=ForestRoot,DC=com?cACertificate?base?objectclass=certificationAuthority"

Please replace DC=ForestRoot,DC=com accordingly.

Also, run "certutil -store" first; if we cannot find any store, we don't need to run "certutil -viewdelstore".

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
June 8th, 2009 6:06am
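As an added example (not from the thread or from KB 889250), the following PowerShell script does the read-only part of the advice above: it confirms the Public Key Services sub-containers exist, decodes what is currently in NTAuthCertificates, and runs the non-destructive "certutil -store" with the LDAP URL passed as a single quoted argument before anything is deleted. It assumes a domain-joined machine and an account with read access to the Configuration partition; the container names are the standard ones under CN=Public Key Services.

```powershell
# Added example, not the thread's own commands. Read-only checks to run before
# any "-viewdelstore" cleanup step: verify the AD PKI containers and show what
# the NTAuth store currently holds.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNc"

# Standard sub-containers (and the NTAuthCertificates object) under Public Key Services.
$expected = 'AIA', 'CDP', 'Certificate Templates', 'Certification Authorities',
            'Enrollment Services', 'KRA', 'OID', 'NTAuthCertificates'
foreach ($name in $expected) {
    $present = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$name,$pks")
    "{0,-28} {1}" -f $name, $(if ($present) { 'present' } else { 'MISSING' })
}

# Decode each cACertificate value on NTAuthCertificates so you know what a
# delete would remove (the attribute is a multi-valued DER blob).
$ntauth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
foreach ($raw in $ntauth.Properties['cACertificate']) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList (,[byte[]]$raw)
    "{0}  {1}  expires {2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
}

# Non-destructive listing with the same URL shape the thread uses. The DN contains
# spaces ("Public Key Services"), so the URL must reach certutil as ONE argument;
# holding it in a variable guarantees that, which is what the quoting advice achieves.
$url = "ldap:///CN=NTAuthCertificates,$pks?cACertificate?base?objectclass=certificationAuthority"
certutil -store $url
```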

Installation issue fixed. I recreated the missing "CN=Public Key Services" sub-containers using an .ldf file. Then I reset the permissions on the "CN=Public Key Services" container to the default state. Cleaned up the actual Subordinate CA server (files, folders & registry). Reinstalled the Sub CA; obtained a certificate from the offline root CA. Published the root CA in AD. Pkiview.msc shows that everything is 100% healthy.

NEXT PROBLEM: Event Viewer shows these 4 warnings:

The "Windows default" Policy Module logged the following warning: The DomainControllerAuthentication Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DomainControllerAuthentication(v0.0): V2 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DirectoryEmailReplication Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DirectoryEmailReplication(v0.0): V2 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).

Some errors:

Active Directory Certificate Services could not create an encryption certificate. Requested by ADS\username. The parameter is incorrect. 0x80070057 (WIN32: 87).

I successfully executed the following command:

certutil -installdefaulttemplates

It executed successfully, but it did not get rid of the error messages.

Thanks
June 8th, 2009 10:19am

In addition I found this interesting (maybe related) error in Event Viewer:

"The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}"

I then tracked {D99E6E74-FC88-11D0-B498-00A0C90312F3} in the registry to the CertSrv Request Object. I then started DCOMCNFG (as Administrator, UAC), navigated to that object, clicked the Security tab, but all the fields are greyed out, so I cannot modify or even check them.
June 8th, 2009 2:47pm

I also tried this procedure; there were no obvious errors in the result page:

Identify and test a cryptographic provider

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To identify and test the cryptographic provider you are using:

1. Open a command prompt window.
2. Type certutil -getreg ca\EncryptionCSP and press ENTER.
3. Type certutil -csp providername -csptest and press ENTER. Replace providername with the provider identified in the output of step 2.

Verified that this is correct:

2. Go to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name\EncryptionCSP\Provider.
3. Change the listed value to Microsoft Software Key Storage Provider.

Looking forward to your feedback.

Regards.
June 8th, 2009 5:35pm

Hi,

Thank you for the update. Based on the current information, I suggest trying the steps below for troubleshooting.

Log on with an Enterprise Admin.

a. Click Start, click Run, type cmd, and then click OK.
b. At the command prompt, type the following command, and then press ENTER:
   regsvr32 /i:i /n /s %windir%\system32\certcli.dll
c. Type the following commands. Press ENTER after each command.
   net stop certsvc
   net start certsvc
d. Type exit, and then press ENTER to close the Command Prompt window.

For your reference, you may also try the suggestions in the KB listed in this article: http://blogs.technet.com/pki/archive/2007/08/06/how-to-re-install-the-default-certificate-templates.aspx

Try to test. If the issue persists, open MMC, add the Certificate Templates snap-in and check the Security tab of the templates.

Please help to collect the following information for research.

A. Download the MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link: (http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en) Please note: the link may be truncated when you read the e-mail. Be sure to include all text between '(' and ')' when navigating to the download location.
B. Right-click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.
C. Please type Y at the message <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?
D. When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file.

After collecting, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
June 9th, 2009 6:43am

Since I will only return to the client in a few weeks' time, please could we keep this thread open. Will provide feedback asap.

Thank you.
June 11th, 2009 11:28am

Hi Tom,

I understand you cannot troubleshoot this problem currently. Please be assured that you can reply to this post any time you have an update; we will follow up as soon as possible.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
June 12th, 2009 4:31am

Hi,

I tried all your advice, except for this step, as I did not know what it should be:

- If the issue persists, open MMC, add the Certificate Templates snap-in and check the Security tab of the templates.

In addition I have uploaded the .cab file to http://cid-2535313bbb676c81.skydrive.live.com/browse.aspx/Public as requested.

Look forward to your feedback.

Regards,
Tom
June 26th, 2009 4:07pm

Hi Tom,

Thank you for the update. Based on the current information, please follow the article below to check the CA components in the AD database: http://support.microsoft.com/kb/938613

Make sure all containers are created.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 1st, 2009 1:10pm

Mervyn,

All the containers, as outlined in KB938613, are present, i.e. I did not need to create any of them.

Did you manage to have a look at the .cab I uploaded to the SkyDrive?

Regards,
Tom
July 1st, 2009 1:16pm

Hi,

I have checked the log files, but sorry to say, didn't find the root cause. Please help to clarify the following questions:

1. Could you or anyone request certificates from this CA?
2. If you could request certificates, check if you can request: DomainControllerAuthentication Certificate, DirectoryEmailReplication Certificate
3. Open the CA console, switch to Certificate Templates; could you find the DomainControllerAuthentication Certificate and DirectoryEmailReplication Certificate?
4. Did you use the original Certificate Templates or duplicate a new template?
5. Right-click Certificate Templates, choose Manage, check the DomainControllerAuthentication and DirectoryEmailReplication permissions.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 2nd, 2009 11:35am

Mervyn,

To answer your questions, see inline:

1. Could you or anyone request Certificates from this CA?
> Yes, I managed to issue the following: Computer, User, Domain Controller, Web Server

2. If you could request certificates, check if you request: DomainControllerAuthentication Certificate, DirectoryEmailReplication Certificate
> If I look at the /certsrv URL, I can only request the following certificates from the Advanced Certificate Request page:
> - Basic EFS
> - User

3. Open CA console, switch to Certificate Templates, could you find DomainControllerAuthentication Certificate and DirectoryEmailReplication Certificate?
> Correct, they are both there

4. Did you use original Certificate Templates or duplicate a new template?
> Original, did not duplicate anything

5. Right-click Certificate Templates, choose Manage, check DomainControllerAuthentication and DirectoryEmailReplication permissions.
> Both Templates are as follows:
> Authenticated Users: Read
> Enterprise Read-only Domain Controllers: Enroll, Autoenroll
> Domain Admins: Read, Write, Enroll
> Domain Controllers: Enroll, Autoenroll
> Enterprise Admins: Read, Write, Enroll
> Enterprise Domain Controllers: Enroll, Autoenroll

Regards,
Tom
July 2nd, 2009 4:41pm

Hi Tom,

It seems the current CA is working properly. The error message may be caused by data left by the previous CA. Does the error continuously appear now? If not, when did the error appear? Also, please copy out the whole error log and paste it here for research.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 3rd, 2009 5:19am

Mervyn,

These 4 warnings occur every time I restart the Certificate Service itself:

The "Windows default" Policy Module logged the following warning: The DomainControllerAuthentication Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DomainControllerAuthentication(v0.0): V2 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DirectoryEmailReplication Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
The "Windows default" Policy Module logged the following warning: The DirectoryEmailReplication(v0.0): V2 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).

Regards,
Tom
July 3rd, 2009 3:14pm

Hi,

Please run the following command to enable the CA debugging log:

certutil.exe -f -setreg ca\debug 0xffffffff

After that, restart the CA to reproduce the errors and collect the following logs:

%SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
%SystemRoot%\certutil.log (Certutil.exe)
%SystemRoot%\certreq.log (Certreq.exe)
%SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
%SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Also run the command below and upload the output.ldf file:

ldifde -d "CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot,DC=com" -f output.ldf

Compress them and use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 6th, 2009 5:57am

Hi Mervyn,

I have collected the data as requested and posted it (PKI_Logs.zip) to: http://cid-2535313bbb676c81.skydrive.live.com/browse.aspx/Public

Look forward to your reply.

Regards,
Tom
July 6th, 2009 10:59am

Hi Tom,

Thank you for the information. I have reproduced this error if I delete a certificate template under:

CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ADS,DC=CPUT,DC=AC,DC=ZA

Please open the CA console and ADSIEDIT.msc, navigate to the above location, and compare the Certificate Templates. Please let us know if there is any difference.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 6th, 2009 3:44pm

Hi,

In the CA MMC, I have these templates:

- ACS (I created this one for the Cisco ACS requirement)
- Directory Email Replication
- Domain Controller Authentication
- EFS Recovery Agent
- Basic EFS
- Domain Controller
- Web Server
- Computer
- User
- Subordinate Certification Authority
- Administrator

ADSIEDIT view has these:

- ACS
- Administrator
- CA
- CAExchange
- CEREncryption
- ClientAuth
- CodeSigning
- CrossCA
- CTLSigning
- DirectoryEmailReplication
- DomainController
- DomainControllerAuthentication
- EFS
- EFSRecovery
- EnrollmentAgent
- EnrollmentAgentOffline
- ExchangeUser
- ExchangeUserSignature
- IPSECIntermediateOffline
- IPSECIntermediateOnline
- KerberosAuthentication
- KeyRecoveryAgent
- Machine
- MachineEnrollmentAgent
- OCSResponseSigning
- OfflineRouter
- RASandIASServer
- SmartcardLogon
- SmartcardUser
- SubCA
- User
- UserSignature
- WebServer
- Workstation

Glad you could reproduce the error.

Regards,
Tom
July 6th, 2009 4:45pm
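The comparison Mervyn asks for in the previous post, and the lists Tom gives above, can be done without eyeballing two consoles. The PowerShell script below is an added example (not from the thread): it reads the template objects under CN=Certificate Templates and the certificateTemplates attribute of each CA's pKIEnrollmentService object (the list of templates the CA is configured to issue, stored by internal name such as DomainControllerAuthentication rather than the display name the CA console shows), and flags any published name with no matching template object, which is the missing-object condition the reply reproduced. It assumes a domain-joined machine with read access to the Configuration partition.

```powershell
# Added example, not the thread's own procedure. Compare templates defined in AD
# with the templates each CA is set to issue, and flag references to objects
# that no longer exist.
$configNc = [string]([ADSI]"LDAP://RootDSE").Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNc"

# All template objects in the forest: cn is the internal name (ADSIEDIT view),
# displayName is what the CA console shows.
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Certificate Templates,$pks",
    '(objectClass=pKICertificateTemplate)',
    @('cn', 'displayName'))
$tplSearch.PageSize = 500
$defined = @{}
foreach ($r in $tplSearch.FindAll()) {
    $defined[[string]$r.Properties['cn'][0]] = [string]$r.Properties['displayname'][0]
}
"Template objects in AD: $($defined.Count)"

# Each enrollment service (CA) and the internal names it is configured to issue.
$caSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Enrollment Services,$pks",
    '(objectClass=pKIEnrollmentService)',
    @('cn', 'certificateTemplates'))
foreach ($ca in $caSearch.FindAll()) {
    $caName    = [string]$ca.Properties['cn'][0]
    $published = @($ca.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
    "CA '$caName' publishes $($published.Count) template(s):"
    foreach ($t in $published) {
        if ($defined.ContainsKey($t)) {
            "  OK       {0,-32} (console name: {1})" -f $t, $defined[$t]
        } else {
            # Published by the CA, but the pKICertificateTemplate object is gone:
            # this is the state that yields "could not be loaded. Element not found".
            "  MISSING  {0,-32} no template object under CN=Certificate Templates" -f $t
        }
    }
}
```

Any MISSING line identifies a template the CA will complain about at every service start; the thread's fix (reinstalling the default templates from the Certificate Templates console) recreates the missing objects.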

Hi Tom,

Let's try to reset all Certificate Templates:

Back up your CA server. After that, stop the CA Service and delete all the above items in the CA Console and ADSIEDIT. In ADSIEDIT, you can delete the "Certificate Templates" container and recreate a new one. Rename the C:\windows\certsrv.log file. In the CA console, right-click Certificate Templates, choose Manage; you should be prompted to install templates, click Yes. Right-click Certificate Templates again, choose New Certificate Template to Issue, choose some templates. After that, start the CA service. Check the certsrv.log file. If any, please upload the file again.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 7th, 2009 4:58am

Hi,

This is what I did:

1) Backed up the CA
2) Stopped the CA Service
3) Deleted the Certificate Templates via ADSIEDIT
4) Renamed the log file
5) In the CA console, right-clicked Certificate Templates, chose Manage; when prompted to install templates, I did
6) Started the CA

Mervyn, those Event Viewer errors we had earlier are gone!!! Well done!!!

But I now see the same DCOM related error, as I mentioned above in these posts:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user ADS\tom SID (S-1-5-21-3979957847-3141304955-1949522883-xxxxxx) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

I have mapped the CLSID to the CertSrv Request Component. And when I try to change the Security tab, all the options are greyed out (in the Component Services snap-in). The account I am using is Domain and Enterprise and Local Admin.

So do I need to open a new question for this on the forum, or will we continue in this post?

Thank you,
Tom
July 8th, 2009 2:21pm

Hi,

Glad to hear the CA errors are gone. Regarding the DCOM error, if the following suggestions cannot solve it, it's suggested to initiate a new post.

1. Click Start, click Run, type dcomcnfg in the Open box, and then click OK.
2. In Component Services, double-click Component Services, and then double-click Computers.
3. Right-click My Computer, and then click Properties.
4. Click the COM Security tab.
5. In the Launch and Activation Permissions area, click Edit Default.
6. Click Add, type Network Service, and then click OK.
7. While Network Service is selected, click to select the Allow check boxes for the following items: Local Launch, Remote Launch, Local Activation, Remote Activation. Click OK two times.

Please check if the error occurs again. If it still occurs, open Event Viewer, double-click the error entry, click Copy and paste the detailed error message.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 9th, 2009 5:40am

Mervyn,

Thank you once again for your time and patience in resolving the CA issues.

W.r.t. the DCOM errors, I have posted this on: http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/239741f3-1ce7-476b-88b0-860d5e1724d2

Regards,
Tom
July 10th, 2009 9:45am

Hi,

Glad to see Tim's suggestion has fixed your problem. If you have other questions in the future, you're welcomed to our forum.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
July 10th, 2009 1:16pm
