At my work we have set up a test domain on a host server with 4 virtual machines running win svr 2008 r2 enterprise. One domain controller and 3 for CAs. I joined all to the test domain. Installed a standalone root CA. Next when I started installing the enterprise subordinate CA, the option for enterprise ca was grayed out. any suggestions on how to fix this issue?

While installing an Enterprise CA please make sure you have the following pre-requirements: 1) You are logged in as the enterprise Admin. 2) The domain is up(since you are using VM, chances can be that the VM goes to sleep or powers off and hence the DC becomes unavailable.) Check with the above two pre-reqs, you should be able to install an Enterprise CA.

I do log in as enterprise admin and the VM is up and running

You are able to successfully ping the Domain controller from the server machine where you tried installing the Enterprise CA?

yes

Can you pass the certocm.log file. Its present at: c:\windows\certocm.log This file will give you the details on what went wrong.

Also check if the "Public Key Services" containers is present in the Services Container in the Configuration Partition. http://support.microsoft.com//kb/938613

the c:\windows\certocm.log is not there and the adsi edit is empty

So are you saying that Public Key Container is not there? If so then please try the steps mentioned in the above article to create those containers and after that install CA

I cant do the steps because nothing is there

Hi, I understand that the ADSI edit is empty. I suggest we check the article below and confirm that the ADSI edit is properly installed and connected. ADSI Edit (adsiedit.msc) http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx In the meantime, I hope the article below can be useful to you: Active Directory Certificate Services Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx Regards KevinTechNet Community Support

Hi SeeJay87, Yes ADSIEdit.msc remains empty. Please follow the below steps to check it: - Goto Action->Connect To. -On the Connection settings window, select the radio-button "Select Well Known Naming Context" , from the drop down select Configuration. -Then expand Configuration, and then expand CN=Configuration,dc= <var>Domain Component</var>,dc= <var>Domain Component.</var> Check if "Public Key Services" is there under "CN=Services". Check under "Public Key Services" if the above containers(mentioned in the link) are there. Also in your snapshot(2nd), I see some network connectivity issue. Can you check if the network connectivity is fine? Remember, if the machine is not able to contact the DC then Enterprise CA option will be disabled. Few points you should check for this: 1) The server machine is joined to the domain. 2) You have to log on to the enterprise root domain with your enterprise admin rights. 3) The server machine is able to contact the Domain controller, there are no network issues, no firewall rules blocking it, etc. 4)Also just check that you can do nslookup for the domain you have choosen...nslookup <domainname>. This should return the DC IP you have set up

The ADSI edit is installed correctly on my test DC. I checked the network issue. The DNS was set to the loop back address and it was not allowing internet access. I also started pining from the other servers on the host to the DC and it worked but when i pinged from the DC to other servers on the host it failed. I turned off the fire wall and thin the pings worked. I tryed to install the enterprise issue servers, and the same issue is present. All servers are part of the domain but the enterprise option is grayed out.

Is there any more advice i could get for this issue