How to register a custom policy module for AD CS

Hi
I migrated an enterprise CA from Windows Server 2003 to Windows Server 2008 R2 and also migrated from CLM 2007 to FIM 2010 CM.
We had a custom policy module running on the old server and I want to run it on the new server too. Unfortunately, I could not find any documentation about how to register a policy module for AD CS on Windows Server 2008 R2.
The policy module was a .NET 2.0 DLL and my predecessor documented that he used RegAsm.exe to register the DLL on the server. Copying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CAName]\PolicyModules\CLM.Policy
(just the key name is different from the original key) was also necessary. After restarting the certificate service, the policy module used to show up in the list of available policy modules.
I compiled the policy module with .NET 4.0, because it uses FIM DLLs that are compiled with .NET 4.0. I could register the DLL with RegAsm.exe, and I also modified the registry according to our documentation. The policy module, however, still doesn't show up.
Is there any documentation available about how to correctly register a DLL as a policy module, or what compile options need to be set in Visual Studio?
I've already looked on MSDN for policy modules, but it's not much more than how policy modules work in general and a brief documentation of the interfaces that need to be implemented.
These are the main sources where I found info about policy modules:

http://msdn.microsoft.com/en-us/library/aa376540.aspx


http://msdn.microsoft.com/en-us/library/aa387348.aspx


http://msdn.microsoft.com/en-us/library/aa388216%28v=vs.85%29

Thanks and Regards,
Gabriel

May 31st, 2012 3:15am
Hi,

Please refer to the following articles:

FIM CM and Custom Subject Policy Module

http://blogs.technet.com/b/dmitrii/archive/2010/10/03/fim-cm-and-custom-subject-policy-module.aspx


Configuring the Policy and Exit Modules

http://technet.microsoft.com/en-us/library/cc754528.aspx


Managing Policy and Exit Modules

http://technet.microsoft.com/en-us/library/cc754553.aspx


Hope this helps!

Best regards
Elytis Cheng
TechNet Community Support

May 31st, 2012 7:16pm
Hi,
Unfortunately, none of these links states how to register/install a policy module.
I'll get back here when I've got it working.
Regards,
Gabriel

June 1st, 2012 7:57am
Hi,
Some updates about the case:
The Windows Event Viewer showed an error when I tried to start certsvc. The specific error message in the system log was (Event ID 10016, DistributedCOM):
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user MYDOMAIN\MYPERSONALUSERID SID
(S-1-5-21-1111111111-2222222222-3333333333-44444) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
I proceeded to treat the error as described in an MS troubleshooting article and found that the specified CLSID belonged to both the "CertSrv Request" and "CertSrv Admin" applications.
I wanted to set the permissions for these applications through the Component Services management console, but could only find "CertSrv Request". I set the permissions for "CertSrv Request" according to the troubleshooting guide and the error disappeared.
New errors appear, however, and Certificate Services is still unable to start.
Event 44, CertificationAuthority (Application Log): The "" Policy Module "" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164).

Event 9, CertificationAuthority (Application Log): The Active Directory Certificate Services did not start: Unable to load an external policy module.
Event 10010, DistributedCOM (System Log): The server {D99E6E74-FC88-11D0-B498-00A0C90312F3} did not register with DCOM within the required timeout.
I did some digging on the last error (which at least has some more information than the other two) and it seems that some COM libraries are not properly registered. I don't know, however, what to do now.
Does anybody have an idea what my next steps should be?

June 4th, 2012 7:05am
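A diagnostic script, added here and not part of the thread or of any Microsoft tool, that walks the CA's PolicyModules key described in the first post and checks how each module's ProgID resolves through COM, which is where a 0x80040154 (Class not registered) error like the one in the last post originates. The CA name in `$CaName` is an assumption; the key path and the `CLM.Policy` subkey name are the ones quoted in the thread. Run it elevated on the CA host.

```powershell
# Added diagnostic (not from the thread): list the policy modules registered for a CA
# and verify that each one's ProgID and CLSID resolve to a loadable COM server.
# Assumption: $CaName is the CA's configuration name (placeholder below).
param([string]$CaName = 'MyEnterpriseCA')

$policyKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules"
if (-not (Test-Path $policyKey)) { throw "Policy module key not found: $policyKey" }

# The 'Active' value names the ProgID certsrv instantiates at service start.
$active = (Get-ItemProperty -Path $policyKey -Name Active -ErrorAction SilentlyContinue).Active
"Active policy module ProgID: $active"

foreach ($module in Get-ChildItem -Path $policyKey) {
    # Each subkey name (e.g. CLM.Policy) doubles as the module's COM ProgID.
    $progId = $module.PSChildName
    $clsidPath = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
    if (-not (Test-Path $clsidPath)) {
        "[$progId] no ProgID under HKCR: CoCreateInstance would fail with 0x80040154"
        continue
    }
    $clsid = (Get-ItemProperty -Path $clsidPath).'(default)'

    # certsrv.exe is a 64-bit process on x64, so it reads the native CLSID view.
    # A DLL registered with the 32-bit RegAsm.exe lands under WOW6432Node instead
    # and is invisible to the service even though RegAsm reported success.
    $views = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32",
        "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid\InprocServer32"
    )
    foreach ($view in $views) {
        if (-not (Test-Path $view)) { "[$progId] $clsid has no InprocServer32 at $view"; continue }
        $p = Get-ItemProperty -Path $view
        # RegAsm writes RuntimeVersion/Assembly (and CodeBase with /codebase) for managed servers;
        # RuntimeVersion shows which CLR (v2.0 vs v4.0) the service will try to load.
        "[$progId] $clsid at $view"
        "    server:   $($p.'(default)')"
        "    runtime:  $($p.RuntimeVersion)"
        "    assembly: $($p.Assembly)"
        if ($p.Assembly -and -not $p.CodeBase) {
            "    no CodeBase value: the assembly must be resolvable from the GAC"
        }
    }
}
```

Compare the runtime and view reported for the module with the CLR version the DLL was compiled against and with the bitness of the RegAsm.exe that was used.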
