Child domain controller certificate enrollment
I recently replaced two Win2K3 domain controllers in a child domain with Win2K8 R2 servers (these are the only 2 domain controllers in the child domain). I have an Enterprise CA located in the parent domain. Both child domain controllers are having the same issue when attempting to enroll for a domain controller certificate. On the domain controllers, I get the following error in the Application event log:

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: ChildDC.child.parent.com
Description: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID 3558 from CAserver.parent.com\CAname (The requested property value is empty. 0x80094004 (-2146877436)).

Followed by this one, which has the same time stamp:

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ChildDC.child.parent.com
Description: Automatic certificate enrollment for local system failed (0x80094004) The requested property value is empty.

At the same time, I see this entry on my CA server in the AD Certificate Services event log:

Source: Microsoft-Windows-CertificationAuthority
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: CAserver.parent.com
Description: Active Directory Certificate Services denied request 3558 because The requested property value is empty. 0x80094004 (-2146877436). The request was for Child\ChildDC$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=ChildDC,OU=Domain Controllers,DC=child,DC=parent,DC=com ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Domain Controllers,DC=child,DC=parent,DC=com'

Connectivity from the Child DC to the CA Server seems to be fine. I run the command "Certutil -Ping -Config CAserver.parent.com\CAname" from the child DC and get the following response:

Connecting to CAserver.parent.com\CAname...
Server "CAname" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

I've searched the forums and the web and can't find anything helpful on this issue. Most of the responses I'm finding are in relation to connectivity issues, where the error is "The RPC Server is unavailable" instead of the "The requested property value is empty" error that I'm getting. I did the exact same thing in another child domain a couple of months before this one and haven't had any of these same issues. The forest, parent domain and both child domain functional levels are Windows Server 2003 (some 2003 DCs still exist in the parent domain). There doesn't seem to be anything too critical being affected by this, however I am seeing some effects that I think may be related. Any help would be greatly appreciated.
July 31st, 2012 2:54pm

Hi, Thanks for posting in Microsoft TechNet forums. We can get detailed information regarding these three event IDs from the links below:

Event ID 13 Automatic Root Certificates Update Configuration
http://technet.microsoft.com/en-us/library/cc733970(v=WS.10).aspx

Event ID 6 Automatic Root Certificates Update Configuration
http://technet.microsoft.com/en-us/library/cc733875(v=ws.10).aspx

Event ID 53 AD CS Certificate Request (Enrollment) Processing
http://technet.microsoft.com/en-us/library/cc726352(v=WS.10).aspx

Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 31st, 2012 11:37pm

Hi Kevin, Thanks for the response. I've looked through the links you posted and unfortunately they are not much help. The two regarding Event IDs 6 and 13 have very little information and don't match the errors I'm getting (Product, Source and message fields are all different). I've gone through the TechNet article regarding Event ID 53 and everything appears to check out OK. I think that this may be moot anyway, as I think there is a different issue that is causing the certificate problem. I originally thought that this was an effect of the certificate problem, but I think it's the opposite - this issue is causing it. I believe there is something wrong with the naming in the child domain. The problem shows up when I am in Active Directory on the parent domain. If I attempt to add a user from the child domain to a group on the parent domain, I get an error message that the specified user was not found. This is very odd, as I can first find the user on the child domain, but receive the message when I actually try to add the user to the group. To clarify, here's exactly what I'm doing:

1. Open Active Directory Users and Computers on the parent domain.
2. Double-click a group to open the group properties.
3. Click on the Members tab.
4. Click the Add button.
5. Change the "From this location" field by clicking the Locations button, click the child domain in the list, click OK.
6. Back at the select screen, type in part of the user name and click the Check Names button. At this point, the user is found and the user name is filled in.
7. Click OK and I'm taken back to the Members tab in the group properties.
8. Now when I click either the OK or Apply button, I get the error message, "The specified user was not found. If the user exists on another Active Directory Domain Controller in the enterprise, it may take 15 minutes or more for the user to be replicated to the global catalog."

Obviously, this is very odd since I can find the user just fine when I type in part of the name and click the Check Names button. This seems to match up with the Event ID error message that I'm getting:

The requester's Active Directory object could not be retrieved. CN=ChildDC,OU=Domain Controllers,DC=child,DC=parent,DC=com ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Domain Controllers,DC=child,DC=parent,DC=com'

To me, this is saying that it can't find the CN for the domain controller in OU=Domain Controllers,DC=child,DC=parent,DC=com, so it's trying the closest match, which it figures out is OU=Domain Controllers,DC=child,DC=parent,DC=com. These are an exact match, so I don't know why it's not finding the CN. I am switching gears to try to figure out what is causing this issue and assume that this will fix the certificate issue as well. Once again, any help is appreciated.
August 1st, 2012 3:18pm
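The Event ID 53 text above says the CA's policy module could not retrieve the requester's computer object, and the group-membership error mentions replication to the global catalog. The following PowerShell script, added here as an example and not part of the thread or of any Microsoft tool, repeats that lookup from the CA server: it searches for the DN quoted in the event once in the child domain's own naming context and once in a global catalog, reports which server answered each query, and compares the two copies. The DN and domain names come from the thread; everything else (function names, the comparison logic) is assumed.

```powershell
# Added diagnostic, not from the thread. Repeats the lookup the CA's policy module
# reports as failing: find the requester's computer object by distinguishedName,
# once in the child domain's own naming context and once in a global catalog, and
# show which server answered each query. Run from the CA server in the parent domain.
Add-Type -AssemblyName System.DirectoryServices

$RequesterDn = 'CN=ChildDC,OU=Domain Controllers,DC=child,DC=parent,DC=com'  # DN quoted in the Event ID 53 text
$ChildDomain = 'child.parent.com'                                            # child domain from the thread
$ChildNc     = 'DC=' + (($ChildDomain -split '\.') -join ',DC=')            # builds DC=child,DC=parent,DC=com

function Find-ComputerByDn {
    param([string]$SearchRoot, [string]$Dn)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectCategory=computer)(distinguishedName=$Dn))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dnshostname', 'objectsid', 'whencreated'))
    try {
        $result     = $searcher.FindOne()
        $answeredBy = $root.Options.GetCurrentServerName()   # the DC or GC that actually served the query
    } catch {
        Write-Warning ("{0}: query failed: {1}" -f $SearchRoot, $_.Exception.Message)
        return $null
    }
    if ($null -eq $result) {
        Write-Warning ("{0} (answered by {1}): no object with DN {2}" -f $SearchRoot, $answeredBy, $Dn)
        return $null
    }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
    New-Object PSObject -Property @{
        SearchRoot  = $SearchRoot
        AnsweredBy  = $answeredBy
        DnsHostName = $result.Properties['dnshostname'][0]
        Sid         = $sid.Value
        WhenCreated = $result.Properties['whencreated'][0]
    }
}

# 1) The child domain's own writable copy of the object (any DC of child.parent.com answers)
$inDomain = Find-ComputerByDn -SearchRoot "LDAP://$ChildDomain/$ChildNc" -Dn $RequesterDn
# 2) The partial replica held by a global catalog in this forest (serverless GC bind)
$inGc     = Find-ComputerByDn -SearchRoot "GC://$ChildNc" -Dn $RequesterDn

$inDomain, $inGc | Where-Object { $_ } | Format-List SearchRoot, AnsweredBy, DnsHostName, Sid, WhenCreated

if ($inDomain -and -not $inGc) {
    Write-Warning 'Object exists in the child domain but not in the GC: replication to the global catalog is incomplete.'
} elseif (-not $inDomain) {
    Write-Warning 'Object not found in the child domain naming context: check the DC''s computer account and note which server answered.'
} elseif ($inDomain.Sid -ne $inGc.Sid) {
    Write-Warning 'The GC copy has a different objectSid than the domain copy: the GC is holding a stale object.'
}
```

The point of running both queries is that the CA and the parent-domain ADUC console both resolve objects from a global catalog, while the child domain's own DCs hold the authoritative copy. If the domain query succeeds and the GC query fails or returns a different SID, the problem is in replication of the child partition to the GCs, not in the CA configuration.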

To answer your questions, the new DCs are at the same IP addresses as the old DCs, with different names. I don't have forwarders set up on the parent domain for the child domains - I've never done this before and don't have it set up for the other child domain, which is working just fine. Based on your suggestion, I have set up forwarders to the child domain controllers now, without any change. I do think that we're on the right track as far as DNS and trust relationships causing the issues. I checked my child.parent.com DNS zones (AD integrated) on both the child and parent DCs and found that the serial numbers were way off. I deleted the zone from both the child and parent domains, recreated it on the child and waited for it to replicate to the parent, which never happened. In the meantime, I tried resetting the trust both via the AD Domains and Trusts GUI, as well as through the command line via this KB - http://support.microsoft.com/kb/938702/en-us. No luck, as I would continue to get errors about no logon server (when attempting from the child DC) and not finding the domain (when trying from the parent DC). After a couple of hours of waiting, I gave up on waiting for the child DNS zone to show up on the parent and manually added the child.parent.com zone from the child domain, which worked just fine. After doing that, I was able to successfully reset the trust. Rebooted the parent and child DCs and there is no change with the issue. Another thing I noticed is that if I go into the parent AD Sites and Services, under the site for the child domain, neither one of my child DCs is listed - only one of the old DC server names is there. If I do the same on the child domain, the new DC names are there and the old one is gone. I demoted and promoted one of the child DCs to see if it would populate now that I have the secondary DNS zone working and the trust reset. However, there is no change - the parent domain still only lists the old server name.
Not sure where to turn next - seems every time I start down one path, I find another issue that may be causing the problem, or may be an effect of the problem...
August 2nd, 2012 5:00pm

I still think DNS is the cause. Please try to ping the child domain name on the parent domain DC, and ping the parent DC on the child domain DC. What is the result? There should be a delegation for the child domain in the parent domain and a forwarder on the child DNS. That makes the parent and child able to resolve each other. Since the CA resides in the parent and the requestor is a child DC, the CA needs to retrieve information for the child DC from the child domain. Please run the command below on the CA server: nltest /dsgetdc:child.parent.com What is the result?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 3rd, 2012 6:25am

I'm able to ping DCs both ways. I was also able to ping child.parent.com from the parent DC. Attempting to ping parent.com from the child DC resolved to a weird address. It appeared to be an old static DNS entry for an old domain controller that has been gone for many years. I deleted that static address and made sure there were no other similar addresses in DNS and tried again after DNS updated on the child DC. Now when I ping parent.com it successfully pings one of the parent DCs (it has resolved to 3 of the 8 parent DCs at different ping attempts). Results of "nltest /dsgetdc:child.parent.com" appear fine:

DC: \\dc02.child.parent.com
Address: \\10.1.20.11
Dom Guid: b3addd8e-a20d-4900-b022-04d10558842c
Dom Name: child.parent.com
Forest Name: parent.com
Dc Site Name: CHILD SITE
Our Site Name: PARENT SITE
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

Interesting that the CA server lists the correct "Dc Site Name" above, yet if I look at any of the parent DCs' "Sites and Services," the only record under Child Site is still one of the old DCs. I'm tempted to demote/promote one of the child DCs again to see if there is any change after finding the old DNS entry. The other issues are still there - can't enroll the Domain Controller certificate, can't add a child domain user to a parent domain group, etc.
August 6th, 2012 3:50pm
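Two things in the post above are worth checking mechanically rather than by eye: the Sites and Services view that differs between parent and child DCs (server objects live in the Configuration partition, which every DC in the forest replicates, so the two views should be identical), and the stale A record that made parent.com resolve to a long-gone DC. The PowerShell script below is an added example, not part of the thread or of any Microsoft tool. It reads the site/server list from one parent DC and from one child DC and reports differences, then checks that every A record for each domain name belongs to a current domain controller of that domain. dc02.child.parent.com and the domain names are taken from the thread; the parent DC name and the function names are placeholders.

```powershell
# Added diagnostic, not from the thread. Compares the Sites and Services view
# (server objects in the Configuration partition) as replicated to a parent DC
# against the same view on a child DC, then checks whether the A records for the
# domain names point only at current domain controllers.
Add-Type -AssemblyName System.DirectoryServices

$ParentDc = 'parentdc01.parent.com'          # placeholder: any DC in the parent domain
$ChildDc  = 'dc02.child.parent.com'          # from the nltest output in the thread
$Domains  = @('parent.com', 'child.parent.com')

function Get-SiteServerMap {
    # Ask one specific server for every site and the servers it lists in that site.
    param([string]$ViaServer)
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $ViaServer)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
    $map = @{}
    foreach ($site in $forest.Sites) {
        $map[$site.Name] = @($site.Servers | ForEach-Object { $_.Name.ToLower() })
    }
    return $map
}

function Compare-SiteViews {
    # Report servers that appear in a site on one DC's copy of the Configuration NC but not the other's.
    param([hashtable]$A, [string]$ANamed, [hashtable]$B, [string]$BNamed)
    $sites = @($A.Keys) + @($B.Keys) | Sort-Object -Unique
    foreach ($site in $sites) {
        $onlyA = @($A[$site] | Where-Object { $B[$site] -notcontains $_ })
        $onlyB = @($B[$site] | Where-Object { $A[$site] -notcontains $_ })
        if ($onlyA.Count -or $onlyB.Count) {
            Write-Warning ("Site '{0}' differs. Only {1} lists: {2}. Only {3} lists: {4}." -f `
                $site, $ANamed, ($onlyA -join ', '), $BNamed, ($onlyB -join ', '))
        } else {
            Write-Host ("Site '{0}' consistent: {1}" -f $site, ($A[$site] -join ', '))
        }
    }
}

function Test-DomainARecords {
    # Every A record for the domain name should belong to a current DC of that domain.
    param([string]$Domain)
    $ctx   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dcs   = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers
    $dcIps = @($dcs | ForEach-Object { $_.IPAddress })
    $aRecords = [System.Net.Dns]::GetHostAddresses($Domain) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    foreach ($ip in $aRecords) {
        if ($dcIps -contains $ip) {
            Write-Host ("{0} -> {1} (current DC)" -f $Domain, $ip)
        } else {
            Write-Warning ("{0} -> {1} is not a current DC of that domain: likely a stale static record" -f $Domain, $ip)
        }
    }
}

$fromParent = Get-SiteServerMap -ViaServer $ParentDc
$fromChild  = Get-SiteServerMap -ViaServer $ChildDc
Compare-SiteViews -A $fromParent -ANamed $ParentDc -B $fromChild -BNamed $ChildDc
foreach ($d in $Domains) { Test-DomainARecords -Domain $d }
```

Because the Configuration partition is forest-wide, any difference reported by Compare-SiteViews means the two DCs have not converged, which is a replication problem between the child and parent DCs rather than a DNS or trust problem by itself; repadmin /replsummary run on the CA server shows which replication partners are failing. The A-record check catches exactly the kind of leftover static entry described in the post, which is worth running for every domain in the forest since the locator and the CA both depend on those names.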

I'm not sure what you mean by capturing the network trace log. Do you mean doing a packet capture with NetMon or using the "netsh trace start capture" command? I've run both of those, but don't see anything that helps me figure out where the CA is retrieving the AD objects from.
August 7th, 2012 12:20pm

Hi, As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

Best Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 16th, 2012 9:43pm
