Does a server have to be a DC before AD Certificate Authority setup for an Enterprise Root CA?
On a fresh new 2008 R2 Enterprise server which has been made a part of the domain, and I want to make it my Enterprise CA. What services and/or roles have to be in place before I set up AD CS? Do I have to add the role for AD DS to make the server a fully functional domain controller and then add the AD CS role, or is there another step missing that I am not seeing in the documentation and other threads that have been posted? My account is a member of the Domain/Enterprise Admins but the "Enterprise root CA" option is still not available. Any advice would be greatly welcomed.
May 6th, 2011 2:33am

On Thu, 5 May 2011 23:33:24 +0000, Lester Daniels Jr wrote:

> On a fresh new 2008 R2 Enterprise server which has been made a part of the domain, and I want to make it my Enterprise CA. What services and/or roles have to be in place before I set up AD CS? Do I have to add the role for AD DS to make the server a fully functional domain controller and then add the AD CS role, or is there another step missing that I am not seeing in the documentation and other threads that have been posted?

No.

> My account is a member of the Domain/Enterprise Admins but the "Enterprise root CA" option is still not available.

Check and recheck the group membership.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
This fortune soaks up 47 times its own weight in excess memory.
May 6th, 2011 5:01am

Paul, I did check and rechecked and still get the same results. The server is a member of the AD domain and I am logging on with a domain account and not the local admin. Could it be a result of a bad install or a glitch maybe in the software?? Thanks
May 6th, 2011 3:23pm

On Fri, 6 May 2011 12:23:08 +0000, Lester Daniels Jr wrote:

> I did check and rechecked and still get the same results. The server is a member of the AD domain and I am logging on with a domain account and not the local admin.

Can you describe your AD environment?

> Could it be a result of a bad install or a glitch maybe in the software??

Not likely, no.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Interface: The opposite of "Getouttamyface."
May 6th, 2011 3:31pm

Hi,

According to the description, the current issue is that the Enterprise Root CA option is disabled while installing the CA.

First, please make sure the user you were using is a member of the Enterprise Admins group; you can confirm it by using the dsquery user and dsget user tools.

Please also verify that the CN=Public Key Services container is there and that Enterprise Admins have full control on it. Refer to:

1. Click Start, click Run, type Adsiedit.msc, and then click OK.
2. Expand Configuration, and then expand CN=Configuration,dc=<Domain Component>,dc=<Domain Component>.
3. Under CN=Services, find CN=Public Key Services.
4. Right-click CN=Public Key Services and check the permissions on the Security tab.

For more information, please refer to the following link: http://support.microsoft.com/kb/938613

As the LDAP bind specifically requires a GC, please verify that the GC is registered in DNS. How many DCs are there in your environment? Did you encounter any error on the DCs and this member server? Please check the DNS settings on the DCs and this server.

If no clue is found, please refer to the following steps to enable Certificate Services debug logging:

    certutil.exe -f -setreg ca\debug 0xffffffff
    net stop certsvc
    net start certsvc

Review %SystemRoot%\certocm.log. Look for a line that looks like this:

    IDS_ENTERPRISE_UNAVAIL_REASON: Enterprise CA option availability status: 0x3(3)

Any progress?

Thanks.
Nina

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 10th, 2011 10:04am
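The checks Nina and Paul list above (domain membership, Enterprise Admins in the logon token, a Global Catalog reachable through DNS, the CN=Public Key Services container, and the certocm.log reason code) gathered into one pre-flight script. This is an added example, not code from the thread or from Microsoft; it assumes it runs on the prospective CA server as the installing account, on Windows Server 2008 R2 with PowerShell 2.0 and no ActiveDirectory module.

```powershell
# Added example (not from the thread): pre-flight check for a greyed-out
# "Enterprise" option in the AD CS wizard. Uses only .NET/ADSI present on
# Windows Server 2008 R2 with PowerShell 2.0; run as the installing account.
function Test-EnterpriseCaPrereqs {
    $findings = @()

    # 1. Domain membership: an Enterprise CA must be a domain member (a DC is not required).
    $cs = Get-WmiObject Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return @("Computer is not joined to a domain; the Enterprise option cannot appear.")
    }

    # 2. Forest root and a Global Catalog, located the same way the wizard does (DNS SRV records).
    try {
        $forest     = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
        $gc         = $forest.FindGlobalCatalog()
        $rootDomain = $forest.RootDomain
    } catch {
        return @("Cannot locate the forest or a Global Catalog via DNS: $($_.Exception.Message)")
    }

    # 3. Enterprise Admins as seen in the *current logon token*, not just in AD:
    #    a membership added after logon is not in the token until the user logs off and on.
    #    Enterprise Admins is always RID 519 of the forest root domain.
    $sidBytes  = $rootDomain.GetDirectoryEntry().Properties["objectSid"].Value
    $rootSid   = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $eaSid     = New-Object System.Security.Principal.SecurityIdentifier("$($rootSid.Value)-519")
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($me)
    if (-not $principal.IsInRole($eaSid)) {
        $findings += "Token for $($me.Name) lacks Enterprise Admins ($eaSid); log off and on after adding the membership."
    }

    # 4. The CN=Public Key Services container must exist in the Configuration partition.
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pksPath  = "LDAP://CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($pksPath)) {
        $findings += "Missing container: $pksPath (see KB 938613 for its permissions)."
    }

    # 5. If the wizard has already been run, certocm.log records why Enterprise was unavailable.
    $log = Join-Path $env:SystemRoot "certocm.log"
    if (Test-Path $log) {
        foreach ($m in (Select-String -Path $log -Pattern "IDS_ENTERPRISE_UNAVAIL_REASON")) {
            $findings += "certocm.log: $($m.Line.Trim())"
        }
    }

    if ($findings.Count -eq 0) { $findings += "All checks passed (GC found: $($gc.Name))." }
    return $findings
}

Test-EnterpriseCaPrereqs | ForEach-Object { Write-Host $_ }
```

A hit on step 3 or 4 is the usual cause of the greyed-out option; promoting the server to a DC masks rather than fixes it.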

I appreciate your help. Yes, the user account is a member of the Enterprise Admins group, and I did confirm that by using the dsquery user and dsget user tools. We have gone back over the install, and the server is a part of the domain and everything. I will take a look at the rest of the settings and see what we come up with. For the present I have AD CS running on another server that is a part of the domain, and it is up and running. Just have a few issues with the certs that are not adding up. We are going to come back to this server and reinstall everything if need be and get it set up as a 2nd CA. Will keep you posted. Thanks, Lester
May 10th, 2011 4:43pm

OK. My 2008 R2 server that we were unable to get set up earlier I want to set up as my second Enterprise CA, but I have the questions in regards to the DC part again. I currently have two DCs running, with my CA set up on my DC01. Now I do not want this third server as a DC. Does the AD DS role need to be installed on this server for the Enterprise CA to work properly? This CA will also issue and manage certificates on my domain. Now, in order for it to do this properly it requires the AD DS role, which requires it to be a DC.

My goals:
1. Set up a second Enterprise CA (concern is what roles do and do not need to be set up)
2. Do not want this to be another DC
3. Plan to migrate current CA, CS to new CA

Looking and reading other threads, but a little clarity is always helpful.
May 13th, 2011 5:25pm

With my setup this third server would have to be a DC in order for Enterprise to be installed on it, due to the fact that we do use AD DS to help issue and manage our certificates. So, the answer to the million dollar question is yes. A server does have to be a DC and a member of the domain in order for the Enterprise installation to be completed, for a server install as a root or subordinate Enterprise CA. All of my user rights for this server are as they should be, and it is a domain member and can connect to a writable DC. I thank you for your post and all your help. Thank you
May 20th, 2011 4:01pm

On Fri, 20 May 2011 13:01:10 +0000, Lester Daniels Jr wrote:

> So, the answer to the million dollar question is yes. A server does have to be a DC and a member of the domain in order for the Enterprise installation to be completed, for a server install as a root or subordinate Enterprise CA.

Actually this is most definitely wrong; a CA does not need to be, nor should it be, a domain controller. See your other thread for what I think you were doing wrong before.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Program: What commercials try to do to us.
May 20th, 2011 6:12pm

Paul, I have read my other thread and the threads that have been posted by other users before me, and in all of the threads the Enterprise CA is installed on a server that is a DC. Even when you go through the installation steps for installation of an Enterprise CA on Server 2008, the options for standalone and enterprise root CA state: "For Enterprise Root CA the server needs to be a member of the domain and an active DC if you plan to use Active Directory Domain Services to issue and manage Certificates". Choose Standalone CA if you do not plan to use Active Directory Domain Services, but you can still issue certificates through Active Directory by using GPO. I tried this installation several times to install an Enterprise CA on a Server 2008 R2 without it being a DC, and with the server not a DC the Enterprise option remains greyed out. When that server is promoted to a DC the Enterprise CA is not greyed out and you are able to select that option. Now all my accounts are members of the appropriate group with the right credentials. I understand why you say that the CA should not be on a DC, but when going through the installation of the Enterprise CA on a Server 2008 R2 that is a member of the domain you can only do standalone if it is not a DC. Can you explain why this is so???? Thank you, Lester Daniels Jr
May 31st, 2011 4:01pm

On Tue, 31 May 2011 13:01:42 +0000, Lester Daniels Jr wrote:

> Paul, I have read my other thread and the threads that have been posted by other users before me, and in all of the threads the Enterprise CA is installed on a server that is a DC. Even when you go through the installation steps for installation of an Enterprise CA on Server 2008, the options for standalone and enterprise root CA state: "For Enterprise Root CA the server needs to be a member of the domain and an active DC if you plan to use Active Directory Domain Services to issue and manage Certificates". Choose Standalone CA if you do not plan to use Active Directory Domain Services, but you can still issue certificates through Active Directory by using GPO.

That's actually not exactly what the text on the page says. The exact text is:

Enterprise. Select this option if the CA is a member of a domain and can use Directory Service to issue and manage certificates.

Note that there is no mention of a requirement that an Enterprise CA be a domain controller. Also, regardless of what you think you may have found in other threads, not every mention of an Enterprise Root CA in these forums has it installed on a domain controller.

> I tried this installation several times to install an Enterprise CA on a Server 2008 R2 without it being a DC, and with the server not a DC the Enterprise option remains greyed out. When that server is promoted to a DC the Enterprise CA is not greyed out and you are able to select that option. Now all my accounts are members of the appropriate group with the right credentials.

I asked you in another thread to describe what your forest looked like and you never responded. 99.9% of the time when this option is unavailable it comes down to missing membership in Enterprise Admins. It could also have been that the server wasn't properly joined to the domain in the first place, or that there was some kind of communication problem between the server and the domain.

> I understand why you say that the CA should not be on a DC, but when going through the installation of the Enterprise CA on a Server 2008 R2 that is a member of the domain you can only do standalone if it is not a DC. Can you explain why this is so????

Without seeing your environment and exactly what you were doing, no, I can't tell you for 100% certain why you were unable to select the Enterprise option. I do this for a living and I can assure you that there was something wrong in your environment that was preventing you from selecting that option. I know you offered for me to have a remote look at your environment, but that's getting way beyond the free, volunteer assistance that I provide on these forums and just isn't something I'm willing to do. We've also beaten this subject into the ground and I can assure you with 100% certainty of 2 things here:

1. An Enterprise CA, root or otherwise, does not have to be a domain controller; it simply needs to be a member of a domain.
2. If the Enterprise option was not available then you had a problem in your environment that could have been fixed without making the server in question a domain controller.

Beyond that, I really have nothing more to say on this subject, so I'm done with all of these related threads.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Real programs don't eat cache.
May 31st, 2011 5:28pm

Thank you for your reply, and from the sounds of it you sound like you are offended by what was said. No one is trying to upset you; we were just asking for clarification and telling you what we were getting back from the installation. The message that I posted, "For Enterprise Root CA the server needs to be a member of the domain and an active DC if you plan to use Active Directory Domain Services to issue and manage Certificates", is what was on the screen during the install. The account being used is a part of the Enterprise Admins and the server is a member of the domain with proper communication and everything. No need to take things personally... just trying to get clarification, that's it. All we did was ask a question and post our results and ask if anyone had an answer to give some insight into this. NOTHING PERSONAL... JUST A QUESTION. Lester Daniels Jr
May 31st, 2011 5:53pm

On Tue, 31 May 2011 14:53:39 +0000, Lester Daniels Jr wrote:

> Thank you for your reply, and from the sounds of it you sound like you are offended by what was said. No one is trying to upset you;

You really, really need to avoid trying to read feelings into a forum posting. I'd need to care a whole lot more about this issue for me to be offended or upset. Believe me that a post from a random Internet user is not going to get me even remotely upset.

> we were just asking for clarification and telling you what we were getting back from the installation. The message that I posted, "For Enterprise Root CA the server needs to be a member of the domain and an active DC if you plan to use Active Directory Domain Services to issue and manage Certificates", is what was on the screen during the install.

No Lester, that's not what it says on the installation wizard screens. What it says is exactly what I quoted to you in my last response. Although I've been doing this since before Windows 2003 was released, and I've done thousands of installs, you seem to want to argue this point, and I really don't know how many ways I can tell you that you're plain and simply wrong, so perhaps if I show you, you'll stop arguing about this:

> The account being used is a part of the Enterprise Admins and the server is a member of the domain with proper communication and everything.

As I said before, you had some issue in your environment that was preventing you from being able to select Enterprise, but promoting the computer in question was not the answer, nor is it recommended, nor necessary.

> No need to take things personally... just trying to get clarification, that's it. All we did was ask a question and post our results and ask if anyone had an answer to give some insight into this.

And I've answered this question repeatedly and you repeatedly reject the answer, so I'm not going to bother again.

> NOTHING PERSONAL... JUST A QUESTION

Shouting is not necessary.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Machine-independent: Does not run on any existing machine.
May 31st, 2011 8:22pm

Paul, I did not mean to shout; that was a typo. I appreciate your reply, and no, I am not rejecting your answer, just stating the results. I am not, as you stated, a random internet user. As I stated earlier, this situation required that it be a DC; for what reason we do not know, but it did. And that is with every pre-installation documentation. Thank you. Lester Daniels Jr
May 31st, 2011 9:05pm

On Tue, 31 May 2011 18:05:17 +0000, Lester Daniels Jr wrote:

> I did not mean to shout; that was a typo.

Right.

> I appreciate your reply, and no, I am not rejecting your answer, just stating the results.

And you seem to be neglecting the fact that there is a huge difference between a member server needing to contact a DC over the network versus installing AD CS directly onto a DC. There are any number of network related issues that could have been causing your problems that simply became non-issues when you promoted the member server to be a DC. Jumping to the conclusion that an Enterprise CA needs to be a DC based on your results is a huge logical mistake.

> I am not, as you stated, a random internet user.

No offense, but to me that's exactly what you are. There's nothing derogatory implied; it simply is what it is.

> As I stated earlier, this situation required that it be a DC; for what reason we do not know, but it did. And that is with every pre-installation documentation.

And you also erroneously stated that the install wizard states that it needs to be a DC, which I've quite clearly proven to not be the case, but you've neglected to acknowledge that you were wrong about that. You are equally wrong about the documentation. I challenge you to find a single piece of documentation from Microsoft that states that an Enterprise CA must be installed on a domain controller. Again, I know for a 100% certainty that you're not going to be able to find any such documentation because it simply isn't true. You have started this whole thing with an error in logic and seem to be bound and determined not to listen to those of us who work with AD CS on a daily basis telling you that you're wrong, and you refuse to admit that we're correct. I really don't know how many more ways to tell you that there was something wrong on your initial setup, and while promoting the member server to a DC may have resolved whatever that issue was, it is not a requirement for an Enterprise CA to be a DC.

Whatever issue you originally had could have been corrected without making the member server a domain controller. If you want me to examine your environment, then send me an email and I'll let you know what my consulting rates are. We have a minimum billing period of 40 hours.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
If at first you don't succeed, you must be a programmer.
May 31st, 2011 9:29pm

We offered you that option to take a look and waited on your response. If I made a mistake then I did. I'm not trying to get any recognition or anything like that. Like I said before, this situation called for that, and that was it. I understand what you say about it not being on a DC, and we totally understand all the reasons that it should not be. Trust me, we do not want it on a DC. Your replies and the points that you stated have been well appreciated and welcomed with open arms. Again, we thank you. Lester Daniels Jr
May 31st, 2011 10:07pm

On Tue, 31 May 2011 19:07:32 +0000, Lester Daniels Jr wrote:

> We offered you that option to take a look and waited on your response.

You offered me a request to provide you with free consulting services. As I've already explained, there's a huge difference between answering questions in a forum and actually providing consulting services.

> I understand what you say about it not being on a DC, and we totally understand all the reasons that it should not be. Trust me, we do not want it on a DC.

You've pretty much exhausted the troubleshooting options available through free support via a forum. If you truly want to resolve the problems you have in your environment then IMO you're going to either have to open a paid incident with Microsoft's PSS or hire a knowledgeable consultant to help you.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
A bad random number generator: 1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1
June 1st, 2011 12:55pm
