Child domain controller certificate enrollment
I recently replaced two Win2K3 domain controllers in a child domain with Win2K8 R2 servers (these are the only 2 domain controllers in the child domain). I have an Enterprise CA located in the parent domain. Both child domain controllers are having the same issue when attempting to enroll for a domain controller certificate. On the domain controllers, I get the following error in the Application event log:

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: ChildDC.child.parent.com
Description: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID 3558 from CAserver.parent.com\CAname (The requested property value is empty. 0x80094004 (-2146877436)).

Followed by this one, which has the same time stamp:

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ChildDC.child.parent.com
Description: Automatic certificate enrollment for local system failed (0x80094004) The requested property value is empty.

At the same time, I see this entry on my CA server in the AD Certificate Services event log:

Source: Microsoft-Windows-CertificationAuthority
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: CAserver.parent.com
Description: Active Directory Certificate Services denied request 3558 because The requested property value is empty. 0x80094004 (-2146877436). The request was for Child\ChildDC$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=ChildDC,OU=Domain Controllers,DC=child,DC=parent,DC=com ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Domain Controllers,DC=child,DC=parent,DC=com'

Connectivity from the Child DC to the CA Server seems to be fine. I run the command "Certutil -Ping -Config CAserver.parent.com\CAname" from the child DC and get the following response:

Connecting to CAserver.parent.com\CAname...
Server "CAname" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

I've searched the forums and the web and can't find anything helpful on this issue. Most of the responses I'm finding are in relation to connectivity issues, where the error is "The RPC Server is unavailable" instead of the "The requested property value is empty" error that I'm getting. I did the exact same thing in another child domain a couple of months before this one and haven't had any of these same issues. The forest, parent domain and both child domain functional levels are Windows Server 2003 (some 2003 DCs still exist in the parent domain). There doesn't seem to be anything too critical being affected by this; however, I am seeing some effects that I think may be related. Any help would be greatly appreciated.
July 31st, 2012 3:03pm

Hi, Thanks for posting in Microsoft TechNet forums. We can get detailed information regarding these three event IDs from the links below:

Event ID 13 Automatic Root Certificates Update Configuration http://technet.microsoft.com/en-us/library/cc733970(v=WS.10).aspx
Event ID 6 Automatic Root Certificates Update Configuration http://technet.microsoft.com/en-us/library/cc733875(v=ws.10).aspx
Event ID 53 AD CS Certificate Request (Enrollment) Processing http://technet.microsoft.com/en-us/library/cc726352(v=WS.10).aspx

Regards Kevin TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
July 31st, 2012 11:46pm

Hi, Thank you for clarifying the issue for us. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Regards Kevin TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
August 2nd, 2012 12:07am

According to the error message, I suspect the trust is not working properly between your parent domain and child domain. You mentioned you replaced DCs in the child domain; I just want to check if DNS forwarding is working now. Are the new DCs using the same IP addresses as the old DCs? Did you change your DNS forwarder on the parent domain after you replaced the DCs? Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 2nd, 2012 3:11am

To answer your questions, the new DCs are at the same IP addresses as the old DCs, with different names. I don't have forwarders set up on the parent domain for the child domains - I've never done this before and don't have it set up for the other child domain, which is working just fine. Based on your suggestion, I have set up forwarders to the child domain controllers now, without any change. I do think that we're on the right track as far as DNS and trust relationships causing the issues. I checked my child.parent.com DNS zones (AD integrated) on both the child and parent DCs and found that the serial numbers were way off. I deleted the zone from both the child and parent domains, recreated on the child and waited for it to replicate to the parent, which never happened. In the meantime, I tried resetting the trust both via the AD Domains and Trusts GUI, as well as through the command line via this KB - http://support.microsoft.com/kb/938702/en-us. No luck, as I would continue to get errors about no logon server (when attempting from the child DC) and not finding the domain (when trying from the parent DC). After a couple of hours of waiting, I gave up on waiting for the child DNS zone to show up on the parent and manually added the child.parent.com zone from the child domain, which worked just fine. After doing that, I was able to successfully reset the trust. Rebooted the parent and child DCs and there is no change with the issue. Another thing I noticed is that if I go into the parent AD Sites and Services, under the site for the child domain, neither one of my child DCs are listed - only one of the old DC server names is there. If I do the same on the child domain, the new DC names are there and the old one is gone. I demoted and promoted one of the child DCs to see if it would populate now that I have the secondary DNS zone working and the trust reset. However, there is no change - the parent domain still only lists the old server name. 
Not sure where to turn next - seems every time I start down one path, I find another issue that may be causing the problem, or may be an effect of the problem...
August 2nd, 2012 5:08pm

I still think DNS is the cause. Please try to ping the child domain name on the parent domain DC, and ping the parent DC on the child domain DC. What is the result? There should be a delegation for the child domain in the parent domain and there is a forwarder on the child DNS. That makes the parent and child able to resolve each other. Since the CA resides in the parent and the requestor is a child DC, the CA needs to retrieve information for the child DC from the child domain. Please run the command below on the CA server: nltest /dsgetdc:child.parent.com What is the result? Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 3rd, 2012 6:33am
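The reply above asks for three separate checks (name resolution of the child domain from the parent side, DC location with nltest, and the CA's ability to read the requester's object), and the CA-side event in the original post says which of them the policy module actually failed on (0x8007208d, NO_OBJECT for the requester's DN). The following PowerShell script, added here as an illustration and not posted by anyone in the thread, runs those checks in order from the CA server so the failure point can be pinpointed. It assumes the thread's names (child.parent.com, ChildDC, CAserver.parent.com\CAname) and uses only built-in tools (nslookup, nltest, certutil) and the .NET System.DirectoryServices classes, so it runs on Server 2008 R2 without RSAT modules.

```powershell
# Added example, not from the thread. Run elevated on the CA server.
# Assumed names match the thread; override them with parameters.
param(
    [string]$ChildDomain   = 'child.parent.com',
    [string]$RequesterHost = 'ChildDC',
    [string]$CaConfig      = 'CAserver.parent.com\CAname'
)

# 1. DNS: the CA's DNS servers must answer for the child zone (via a
#    delegation, a conditional forwarder, or a replicated copy of the zone).
#    The DC locator SRV record is what the CA needs first.
$srv = "_ldap._tcp.dc._msdcs.$ChildDomain"
Write-Host "== SRV lookup for $srv =="
nslookup -type=SRV $srv 2>&1 | ForEach-Object { "  $_" }

# 2. DC locator: the same nltest check suggested in the thread. A non-zero
#    exit code means the CA cannot find any DC for the child domain at all.
Write-Host "== nltest /dsgetdc:$ChildDomain =="
$loc = nltest "/dsgetdc:$ChildDomain" 2>&1
$loc | ForEach-Object { "  $_" }
if ($LASTEXITCODE -ne 0) { throw "DC locator failed for $ChildDomain" }

# Pull the DC host name out of the "DC: \\dc02.child.parent.com" line.
$dcLine = $loc | Where-Object { $_ -match '^\s*DC:' } | Select-Object -First 1
if ($dcLine -match '\\\\(\S+)') { $dcHost = $Matches[1] } else { throw "Could not parse DC name from nltest output" }

# 3. LDAP: bind to the located DC and search for the requester's computer
#    account. This reproduces the lookup that the policy module reports as
#    failing with 0x8007208d / NO_OBJECT. If the DC the CA reaches does not
#    hold the object (for example because it is a stale DC record), the
#    request will be denied even though the CA itself is reachable.
Write-Host "== LDAP search on $dcHost for $RequesterHost`$ =="
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dcHost")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$RequesterHost`$))"
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "No computer object for $RequesterHost on $dcHost; the CA policy module will deny the request."
} else {
    Write-Host ("  Found: " + $result.Properties['distinguishedname'][0])
}

# 4. Enrollment interface: the certutil ping from the original post, run
#    from the CA side for completeness.
Write-Host "== certutil -ping -config $CaConfig =="
certutil -ping -config $CaConfig
```

Step 3 is the one worth watching: the thread's Event ID 53 text names the exact DN the policy module looked for, so if the search returns nothing on the DC that nltest located, the problem is on the directory side (replication or stale DC records), not in the CA or the enrollment RPC path.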

I'm able to ping DCs both ways. I was also able to ping child.parent.com from the parent DC. Attempting to ping parent.com from the child DC resolved to a weird address. It appeared to be an old static DNS entry for an old domain controller that has been gone for many years. I deleted that static address and made sure there were no other similar addresses in DNS and tried again after DNS updated on the child DC. Now when I ping parent.com it successfully pings one of the parent DCs (it has resolved to 3 of the 8 parent DCs at different ping attempts). Results of "nltest /dsgetdc:child.parent.com" appear fine:

DC: \\dc02.child.parent.com
Address: \\10.1.20.11
Dom Guid: b3addd8e-a20d-4900-b022-04d10558842c
Dom Name: child.parent.com
Forest Name: parent.com
Dc Site Name: CHILD SITE
Our Site Name: PARENT SITE
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully

Interesting that the CA server lists the correct "Dc Site Name" above, yet if I look at any of the parent DC's "Sites and Services," the only record under Child Site is still one of the old DCs. I'm tempted to demote/promote one of the child DCs again to see if there is any change after finding the old DNS entry. The other issues are still there - can't enroll the Domain Controller certificate, can't add a child domain user to a parent domain group, etc.
August 6th, 2012 3:50pm

I suggest you capture a network trace log during certificate enrollment, and we can see from which server the CA is retrieving AD objects. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 7th, 2012 5:10am


I'm not sure what you mean by capturing the network trace log. Do you mean doing a packet capture with NetMon or using the "netsh trace start capture" command? I've run both of those, but don't see anything that helps me figure out where the CA is retrieving the AD objects from.
August 7th, 2012 12:29pm

Yes, I meant capture network packets with Netmon. We should be able to find the whole process of the certificate enrollment. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 9th, 2012 6:24am


Hi, As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Best Regards Kevin TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 1st, 2012 9:16pm
