Hello, I am in the process of setting up a three tier Cert Services heirarchy with Windows 2008 servers. I have one standalone Root CA, one standalone Policy CA, and one server to be made into an Enterprise CA. I have an nCipher netHSM installed and connected to all three servers. Certificate Services is installed on the Root and the Policy servers, and as far as I can tell, the private key for both of these servers is held on the HSM. My problem is that the third server will not let me install the CA role as "Enterprise". It greys this option out and defaults to "Standalone". Per Brian Komar's 2008 PKI book, I have added the cert and crl files from both Root and Policy servers into the local store of the would be Enterprise CA, and verified they are in the local store. Essentially, I'd like to find out why this server isn't permitted to have an Enterprise CA role installed. Any help is appreciated. Patrick

Patrick, Make sure that the account you are using is a member of the Enterprise Admin group, that is all I can think of at the moment.Isaac Oben MCITP:EA, MCSE

Wonderful, that was it. I feel pretty dumb now. Thanks Isaac!