EnrolmentPolicyWebService Error with AD DS
Hi, I have a two-tier CA architecture, with all services running on the sub-CA (Windows 2008 R2) directly. I keep getting the error below; I have searched and googled but couldn't find an answer...
"The Active Directory certificate enrollment policy provider failed to obtain policy information from Active Directory Domain Services (AD DS). The provider will attempt to read the information again in 1800000 milliseconds. If the problem persists, enable
tracing in the web.config file, enable logging by using "certutil -setreg debug 0xffffffe3", restart IIS by using iisreset.exe, attempt to obtain policy information from any client, and then contact Microsoft Customer Service and Support with the information
in the trace files and certenroll.log file. A directory service error has occurred."
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-EnrollmentPolicyWebService" Guid="{F64ED6BA-BD9B-4CE1-90FB-7B8765928134}" />
<EventID>9</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>4098</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-09-04T18:39:36.271752400Z" />
<EventRecordID>207</EventRecordID>
<Correlation />
<Execution ProcessID="2296" ThreadID="1576" />
<Channel>Microsoft-Windows-EnrollmentPolicyWebService/Admin</Channel>
<Computer>XXXXXXXXXXXXXXXXX</Computer>
<Security UserID="S-1-5-82-298334032-505215659-430106602-887554153-1152551876" />
</System>
<EventData>
<Data Name="RetryIntervalMs">1800000</Data>
<Data Name="Error">-2147016555</Data>
</EventData>
</Event>
I tried to enable the logs, but did not get any messages logged in the SVC account's folder.
+--+--+--+--+--+--+--+--+--+--+ Hany Elkady IT Infrastructure Consultant +--+--+--+--+--+--+--+--+--+--+
September 4th, 2012 10:43pm
Hi,
Thanks for posting in Microsoft TechNet forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Regards
Kevin
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 5th, 2012 11:02pm
Hi,
According to the error message, I understand you installed the Certificate Enrollment Policy (CEP) web service on the sub-CA; has this sub-CA also had the Certificate Enrollment Service (CES) web service installed?
The Certificate Enrollment Policy web service uses the HTTPS protocol to communicate certificate policy information to network client computers. The web service uses the LDAP protocol to retrieve certificate policy from Active Directory Domain Services (AD DS) and caches the policy information to service client requests; the certificate policy contains:
pKICertificateTemplate
pKIEnrollmentService
msPKI-Enterprise-Oid
For your problem, it seems that the CEP server failed to contact a domain controller to retrieve certificate policy. Please check that the CEP server can contact domain controllers successfully and perform LDAP queries against the objects above.
In addition, refer to the article http://technet.microsoft.com/en-us/library/dd759213.aspx to verify that you have configured the settings correctly for the CEP server.
Regards,
Diana
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 6th, 2012 10:24am
Hi Diana, thanks for the response.
Your understanding is correct; however, I am not sure which DC is causing this issue. How do I find the DC that is causing this connectivity issue? I have 18 DCs, so is there a way to direct the CEP service to talk to only one, or to have a preference for one, so it doesn't try to contact one that is across a WAN link that might be timing out? Or is there a way to increase the time-out?
Thanks
P.S. I am not having any issues with the CEP service; as far as I can see, it is working fine, but this error message is coming up like 10 times a day.
+--+--+--+--+--+--+--+--+--+--+ Hany Elkady IT Infrastructure Consultant +--+--+--+--+--+--+--+--+--+--+
September 6th, 2012 6:21pm
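The check Diana describes (can the CEP server reach the domain controllers and read the pKICertificateTemplate, pKIEnrollmentService and msPKI-Enterprise-Oid objects over LDAP) and the follow-up question of which of the 18 DCs is the slow one can be answered with one script. The following is an added example written for this thread, not code posted by any participant or shipped with AD CS. It assumes it runs on the CEP server under an account that can read the Configuration partition, on PowerShell 2.0 / .NET 3.5 as found on Windows Server 2008 R2, and therefore uses only System.DirectoryServices rather than the ActiveDirectory module. The container DNs under CN=Public Key Services are the standard AD CS locations for those three object classes.

```powershell
# Added example (not from the thread): probe every domain controller over TCP/389 and, for the
# reachable ones, run a one-level LDAP search for each object class named in the thread.
# DCs that time out or answer slowly are the candidates for the intermittent Event ID 9.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Object class from the thread -> container that holds objects of that class
$containers = @{
    'pKICertificateTemplate' = "CN=Certificate Templates,$pkiBase"
    'pKIEnrollmentService'   = "CN=Enrollment Services,$pkiBase"
    'msPKI-Enterprise-Oid'   = "CN=OID,$pkiBase"
}

function Test-LdapPort {
    param([string]$Server, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a hard timeout; a DC behind a congested WAN link shows up as slow or timed out
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ar = $client.BeginConnect($Server, 389, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return @{ Ok = $false; Ms = $TimeoutMs }
        }
        $client.EndConnect($ar)
        return @{ Ok = $true; Ms = $sw.ElapsedMilliseconds }
    } catch {
        return @{ Ok = $false; Ms = $sw.ElapsedMilliseconds }
    } finally {
        $client.Close()
    }
}

function Get-PolicyObjectCount {
    param([string]$Server, [string]$ObjectClass, [string]$Container)
    # Search a specific DC (not whichever one the locator picks) with a client-side timeout,
    # so one hung DC cannot stall the whole run
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Container")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=$ObjectClass)")
    $searcher.SearchScope   = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.ClientTimeout = [TimeSpan]::FromSeconds(15)
    $searcher.PageSize      = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    try     { return $searcher.FindAll().Count }
    catch   { return "ERROR: $($_.Exception.Message)" }
    finally { $searcher.Dispose(); $root.Dispose() }
}

# Every DC in the forest: the Configuration partition the CEP provider reads is forest-wide,
# so any of them can be the one the provider happened to pick when the event fired
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcNames = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) { $dc.Name }
}

$report = foreach ($dc in $dcNames) {
    $probe = Test-LdapPort -Server $dc
    $row = New-Object PSObject
    $row | Add-Member NoteProperty DC        $dc
    $row | Add-Member NoteProperty LdapReach $probe.Ok
    $row | Add-Member NoteProperty ConnectMs $probe.Ms
    foreach ($class in $containers.Keys) {
        if ($probe.Ok) {
            $value = Get-PolicyObjectCount -Server $dc -ObjectClass $class -Container $containers[$class]
        } else {
            $value = 'skipped'
        }
        $row | Add-Member NoteProperty $class $value
    }
    $row
}

# Unreachable DCs first, then the slowest reachable ones
$report | Sort-Object LdapReach, @{ Expression = 'ConnectMs'; Descending = $true } | Format-Table -AutoSize
```

A DC that is reachable but returns an ERROR cell for one class, or whose object counts differ from the others, points at replication or permission problems rather than pure connectivity; a DC that times out on the TCP probe matches the WAN-link timeout the original poster suspects.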
Hi,
Currently the CEP service is working fine, but you keep receiving the error message about 10 times a day. We need to enable the tracing log to find a clue.
I researched more and want to correct the procedure for enabling the debug log; you can follow it:
1. Log in to the CEP server, browse to <%windir%>\systemdata\CEP\ADPolicyProvider_CEP_<Authentication Type>, modify the Web.config file, and then add
<add key="EventLogLevel" value="4"/> under <AppSettings>; the events are logged into the following location: Applications And Services Logs\Microsoft\Windows\EnrollmentPolicyWebService. (You can find it in Event Viewer.)
2. In addition to the trace above, run the command "Certutil -setreg ca\debug 0xffffffe3" (without the quotes) on the sub-CA to enable CA debug logging; the log file is in the following location by default: %windir%\certsrv.log.
After that, wait for event ID 9 to be reported again, then check the EnrollmentPolicyWebService event log and certsrv.log. If you would like, you can paste the tracing log on the thread.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 7th, 2012 1:46am
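The two tracing steps above edit a live web.config by hand and then rely on reading the event log afterwards. As an added example for this thread (not code posted by Diana or shipped with AD CS), the script below applies both steps with a backup of web.config and then pulls the Event ID 9 records out of the channel named in the original event XML, decoding the raw error field. It assumes it runs elevated on the sub-CA that also hosts CEP; $authType is a placeholder for the <Authentication Type> part of the folder name, which the thread leaves unspecified and which you must read off your own server. The thread writes the config element as <AppSettings>; the script uses appSettings because .NET configuration element names are case-sensitive.

```powershell
# Added example (not from the thread): enable CEP tracing and CA debug logging, then collect Event ID 9.
$authType  = 'PLACEHOLDER_AUTH_TYPE'   # placeholder: the suffix of the ADPolicyProvider_CEP_* folder on your server
$webConfig = Join-Path $env:windir "systemdata\CEP\ADPolicyProvider_CEP_$authType\web.config"
if (-not (Test-Path $webConfig)) {
    throw "web.config not found at $webConfig; check the authentication-type folder name"
}

# Step 1 from the thread: add (or raise) EventLogLevel=4 under <appSettings>, keeping a backup first
Copy-Item -Path $webConfig -Destination "$webConfig.bak" -Force
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($webConfig)
$appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
if ($appSettings -eq $null) {
    $appSettings = $cfg.DocumentElement.AppendChild($cfg.CreateElement('appSettings'))
}
$entry = $appSettings.SelectSingleNode("add[@key='EventLogLevel']")
if ($entry -eq $null) {
    $entry = $appSettings.AppendChild($cfg.CreateElement('add'))
    $entry.SetAttribute('key', 'EventLogLevel')
}
$entry.SetAttribute('value', '4')
$cfg.Save($webConfig)

# Step 2 from the thread: CA debug logging (writes %windir%\certsrv.log), then restart IIS
# so the web.config change is picked up
& certutil -setreg ca\debug 0xffffffe3
& iisreset

# Collect the failures. EventData in the original XML is RetryIntervalMs then Error, so
# Properties[1] is the raw HRESULT; the thread's -2147016555 formats as 0x80072095, whose
# low 16 bits (8341) are ERROR_DS_GENERIC_ERROR, the "directory service error" in the message text.
function Get-CepPolicyFailure {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-EnrollmentPolicyWebService/Admin'; Id = 9 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'RetryIntervalMs'; Expression = { $_.Properties[0].Value } },
            @{ Name = 'HResult';         Expression = { '0x{0:X8}' -f ([int]$_.Properties[1].Value) } },
            @{ Name = 'Win32Code';       Expression = { ([int]$_.Properties[1].Value) -band 0xFFFF } }
}

Get-CepPolicyFailure | Format-Table -AutoSize
```

Run Get-CepPolicyFailure again after the next occurrence and correlate its TimeCreated with the entries in certsrv.log and the EnrollmentPolicyWebService channel; the Win32Code column tells you whether every occurrence is the same generic directory-service failure or whether different DCs are producing different codes.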