Certificate autorequest.
I've created a certificate template using the "Computer" one as a source in Certificate Templates, then created an "issuing certificate template" in the CA's Certificate Templates section. I can already request this certificate manually through the MMC on a local PC. But what I cannot do is set this certificate template in group policy "Certificate Autorequest Settings" --> create "New Certificate Autorequest": there is no template with the name I gave. From what I know, I cannot use the "Computer" template for autorequests, as the users/computers mentioned in its security tab don't have all the privileges needed, i.e. read/issue/autoissue. I've run repadmin and gpupdate; don't know what else.
June 18th, 2012 4:42am
Automatic Certificate Request (aka ACR) can handle only version 1 templates. If you are using version 2 (or 3 or 4), you need to configure the autoenrollment group policy:
http://technet.microsoft.com/en-us/library/cc731522.aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 18th, 2012 6:22am
I have done that already for both computer and user policies. So it is kind of not working, or? The new machine certificate I made was assigned to several random machines, members of different organizational units and different domain groups, same with several EFS certificates for users. I added all the groups needed to CERTSVC_DCOM_ACCESS, and also checked that the users inside these groups match its type. Honestly, I checked everything; issuing certificates manually to the workstations works without any problems. But I also can't issue a personal certificate for my PDC (the CA is located on the secondary DC). It says: "The certificate request failed because of one of the following conditions: - The certificate request was submitted to a CA that is not started (not true at all) or - You do not have the permissions to request certificates from the available CAs." Again, the PC is the PDC and the user I'm logged in with has all the domain admin roles.
Vadims, you're my only hope. Another thing that is confusing me: before adding the secondary 2008 R2 DC to the domain, I of course forest/gp/domain prepped, but if I click on domain properties it says:
- domain functional level: Windows Server 2003
- forest functional level: Windows 2000
when it should be 2008, or should it actually? Does it matter?
June 18th, 2012 7:04am
OK, I found a moment to reboot the PDC. Right after the restart it got all the personal certificates it should have. But autorequest from workstations still doesn't work. And yes, I'm sure: when creating the certificate I gave all the rights (read/issue/autoissue) to "Domain Computers", and yes, all PCs in the corresponding OU are members of the "Domain Computers" group ...
June 18th, 2012 8:41am
You should link a GPO with configured autoenrollment at the domain level. If the template is intended for computers, use computer accounts and groups that contain computer accounts. If the template is intended for users, use user accounts and groups that contain user accounts. Use only global and/or universal groups. Domain Local groups are not allowed.
Clients will automatically apply the GPO only after a group policy refresh. You can manually initiate the autoenrollment trigger by running the following command:
certutil -pulse
The error "The certificate request was submitted to a CA that is not started" may indicate that you have incorrectly decommissioned a previous AD CS installation.
June 18th, 2012 2:09pm
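As an added example (not code from the thread, and not Vadims's), the following PowerShell script checks, from a domain-joined machine, the points raised in both answers above: the template's schema version (only v1 templates appear under ACR; v2 and later need the autoenrollment policy), the scope of the group that should enroll (domain-local groups are ignored), the Read/Enroll/Autoenroll ACEs on the template object in the configuration partition, and the manual trigger via certutil -pulse. It assumes the RSAT ActiveDirectory module is installed; the template name and group name are placeholders to replace with your own. The two GUIDs are the well-known Enroll and AutoEnrollment extended-rights GUIDs.

```powershell
# Added example, not code from the thread. Checks the usual autoenrollment
# blockers from a domain-joined machine with the RSAT ActiveDirectory module.
# $TemplateName and $EnrollGroup are placeholders; replace with your own.
param(
    [string]$TemplateName = 'MyComputerTemplate',   # assumption: CN of your template
    [string]$EnrollGroup  = 'Domain Computers',     # group that should get Enroll + Autoenroll
    [switch]$Pulse                                   # also refresh policy and trigger enrollment
)

Import-Module ActiveDirectory

# Well-known extended-right GUIDs on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Schema version: the "Automatic Certificate Request Settings" node (ACR) lists only
#    version 1 templates. A template duplicated from "Computer" on a 2008 R2 CA is v2 or
#    higher and has to be delivered through the Autoenrollment policy instead.
$tmpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Template-Schema-Version'
$ver  = [int]$tmpl.'msPKI-Template-Schema-Version'
if ($ver -ge 2) { "Template '$TemplateName' is v$ver: configure the autoenrollment policy, not ACR." }
else            { "Template '$TemplateName' is v$ver: eligible for ACR." }

# 2. Group scope: autoenrollment evaluates global and universal groups only.
$grp = Get-ADGroup -Identity $EnrollGroup
if ($grp.GroupScope -eq 'DomainLocal') {
    "WARNING: '$EnrollGroup' is domain-local; use a global or universal group."
}

# 3. Template ACL: the group needs Read, Enroll and Autoenroll, all as Allow ACEs.
$acl  = Get-Acl -Path "AD:\$templateDN"
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$EnrollGroup"
}
$readMask  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$hasRead   = $aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $readMask) -ne 0 }
$hasEnroll = $aces | Where-Object { $_.ObjectType -eq $EnrollGuid }
$hasAuto   = $aces | Where-Object { $_.ObjectType -eq $AutoEnrollGuid }
"'$EnrollGroup' on '$TemplateName' -> Read: $([bool]$hasRead)  Enroll: $([bool]$hasEnroll)  Autoenroll: $([bool]$hasAuto)"

# 4. Clients pick up the GPO only after a policy refresh; force one and kick the
#    autoenrollment task by hand (the certutil -pulse from the answer above).
if ($Pulse) {
    gpupdate /target:computer /force | Out-Null
    certutil -pulse
}
```

Run it elevated on a workstation that should be enrolling; a false in the Enroll or Autoenroll column, a domain-local group, or a v2+ template configured under ACR each explain the symptom in the thread on its own. The ACL check matches ACEs by account name, so a group granted the rights through nesting will not show up here.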
Vadims, you are the best. Yes, that was probably kind of simple, though there are some differences between 2003 and 2008, and I honestly did expect the default policy to affect my "machines" GPO as well. Thank you, really. Maybe a last question: could I now enable IPsec through these certificates?
OK, I'll create a new topic in the "security" section so that it would be more visible.
June 19th, 2012 2:19am