Issuing PKI cert from CA to ADDC
We are having difficulties issuing our Domain Controller a PKI certificate from our Certificate Authority. Both systems are running Windows Server 2008 x64 Standard edition, and are part of the same domain. The CA is running Active Directory Certificate Services (ADCS). We have set the permissions of the certificate templates on the CA to allow any user and domain controller to read, enroll, and auto-enroll. When we use the MMC certificates snap-in on the DC to request the certificate there are no certificate templates available for selection. All of the templates are grayed out and marked unavailable. We can read new templates that were created, so we believe there is an underlying permissions issue stopping us from making the request. Is there a way to put the template on the certsrv website on the CA so that the DC can access the site and request the cert that way? Permissions seem to be the issue when using the MMC route.
May 15th, 2009 10:37pm

Check over the CA's configuration. The defaults should work for Domain Controller certificates, but just take a glance to make sure it is configured to issue the certificate. Make sure that the CA is configured to issue the Domain Controller certificate. Within the Certificate Authority MMC, open the Certificate Templates folder and verify that the "Domain Controller" certificate is in the list. If it is not, right-click Certificate Templates and select New Certificate Template To Issue. From the list, select the Domain Controller template and click OK. Verify that the security of the CA is configured to allow the "Domain Controllers" global group the "Request Certificates" permission. Right-click on the CA in the Certificate Authority MMC and select Properties. Click on the Security tab and check that DOMAIN\Domain Controllers is listed with the allow "Request Certificates" permission.
May 16th, 2009 8:03pm

Thanks for the suggestion. The Domain Controller cert template was in the list, so that was ok. The Domain Controllers global group did not have any permissions at all (however we were able to see all the certs so I assume somewhere the DC had read permission); after giving the DC permission nothing changed. When we attempt to request a cert the initial box is blank; however, after clicking the "see all" box at the bottom, we can view all the certs, but they are greyed out and unavailable.
May 18th, 2009 6:04pm

When you open the Certificates MMC, are you specifying the "My user account" or "Computer account" certificate store? A Domain Controller certificate can only be issued to a computer, thus you must open the "Computer account" certificate store when performing the request. The template will be unavailable when requesting under the "My user account" store. If you are using the correct store for the request, check the reason why the Domain Controller certificate template is unavailable. The certificate request wizard provides a reason just below the certificate template name and the status (Available or Unavailable). For example, you might see something like: "The specified role was not configured for the application. This type of certificate can be issued only to a computer." The permissions for viewing the certificate types are stored on the templates in Active Directory. In addition to those permissions, the requesting account must have permissions on the CA to request certificates. If you do not have permissions, you will see something like this in the reason for why the certificate is unavailable: "A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA is not trusted." Since you granted "DOMAIN\Domain Controllers" the "Request Certificates" permission on the CA, you should be good on that side. If everything checks out OK, you may be running into some other problem that may be a little more difficult to troubleshoot. The reason I say this is that typically when you bring an Enterprise CA online in the domain, the domain controller(s) automatically enroll a Domain Controller certificate without user interaction. If this is the case, I imagine you should see something in either the Application or System Event Viewer logs.
May 18th, 2009 6:41pm

I was using the computer account. I will double check the error I am given and get back to you.
May 19th, 2009 1:16am

The error is permissions based. All templates are unavailable with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to view this type of certificate". On the ADDC I am logged on as the administrator user, and have given full permissions to the specific template I would like to enroll with for that user, and even the computer.
May 19th, 2009 4:53pm

You can verify that the permissions are in fact being set by running:

dsacls "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"

You should get back a list that includes:

Allow DOMAIN\Domain Controllers          Enroll
Allow NT AUTHORITY\Authenticated Users   SPECIAL ACCESS
                                         READ PERMISSONS
                                         LIST CONTENTS
                                         READ PROPERTY
                                         LIST OBJECT

Dsacls.exe can reset permissions on an object back to the default for that object class. For example, to reset the Domain Controller template back to the defaults you would run:

dsacls "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" /resetDefaultDACL

Hope this helps some, for I may be running out of ideas.
May 19th, 2009 6:37pm
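The checks suggested across the replies above (template issued by the CA, Enroll/AutoEnroll ACEs on the template object in AD, requesting from the computer store) can be scripted instead of clicked through. The following is an added example written for this page, not something any poster ran, and it makes a few assumptions: the template's common name is the default "DomainController", the Enroll and AutoEnroll extended-right GUIDs are the well-known schema values hard-coded below, and certreq's -enroll -machine switches are available on the DC (they are on Server 2008 R2 and later; treat their presence on 2008 as an assumption). It uses plain ADSI rather than the ActiveDirectory module so it runs on a 2008 box.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt on a domain member (the DC or the CA).
# Assumptions: default template CN "DomainController"; well-known extended-right
# GUIDs for Enroll and AutoEnroll from the AD schema.

$TemplateCN     = 'DomainController'
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# 1. Locate the template object in the Configuration partition (same DN the
#    dsacls command above targets, with the forest's real naming context).
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"
try   { $null = $template.Get('cn') }
catch { throw "Template '$TemplateCN' not found at $dn" }

# 2. Dump the Allow ACEs on the template, translating the two object-type GUIDs
#    the MMC consults when it decides whether a template is Available.
$allowAces = @($template.ObjectSecurity.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
foreach ($ace in $allowAces) {
    $right = if     ($ace.ObjectType -eq $EnrollGuid)     { 'Enroll' }
             elseif ($ace.ObjectType -eq $AutoEnrollGuid) { 'AutoEnroll' }
             else   { $ace.ActiveDirectoryRights.ToString() }
    '{0,-45} {1}' -f $ace.IdentityReference.Value, $right
}

# 3. A DC enrolls as its computer account, so the ACE that matters is Enroll for
#    DOMAIN\Domain Controllers (part of the template's default DACL).
$dcEnroll = $allowAces | Where-Object {
    $_.ObjectType -eq $EnrollGuid -and $_.IdentityReference.Value -like '*\Domain Controllers'
}
if (-not $dcEnroll) {
    Write-Warning "No Enroll ACE for Domain Controllers on '$TemplateCN'; dsacls <dn> /resetDefaultDACL restores the default."
}

# 4. A template the requester can read is still Unavailable if no Enterprise CA
#    issues it. certutil -CATemplates lists what the CA publishes.
$issued = certutil -CATemplates 2>&1
if (-not ($issued -match "^$TemplateCN\b")) {
    Write-Warning "'$TemplateCN' is not issued by the CA; add it via Certificate Templates > New > Certificate Template to Issue."
}

# 5. Request for the computer account, the store the MMC calls "Computer account".
#    On a denied request certreq prints the same reason text the MMC wizard shows.
certreq -enroll -machine -q $TemplateCN
```

Step 2 prints the template DACL in the same shape as the dsacls output quoted above, but with the Enroll and AutoEnroll rights named rather than shown as opaque extended-right GUIDs. If step 3 passes and step 4 passes but step 5 is still refused, the remaining place to look is the CA's own Security tab (Request Certificates for Domain Controllers), which is the CA-side permission described earlier in the thread rather than a template permission.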

I went ahead and rebuilt the CA. Luckily we were early in our build so data loss was not an issue. For some reason this worked. I am now able to set permissions for the templates, and more importantly am able to request the certs from the other machines. Thanks for your help though, Brandon. Quick question though: how come on the CA machine we do not have access to all the templates? We are running all Server 2008 and the AD forest is set at the 2008 functional level. It is not a big deal (at least not yet anyway) because we were able to get by with what we do have access to.
May 19th, 2009 9:58pm

Are you running Standard or Enterprise Edition? I cannot say for certain about 2008, but in Windows 2003, you only get access to all templates with Enterprise Edition. I issue "RAS and IAS Server" certificates within my organization, and I know for sure that template is only available with an Enterprise Edition CA.
May 19th, 2009 10:15pm

That could be the issue. We are running Server 2008 Standard ed. Thanks again for your assistance.
May 20th, 2009 1:05am
