Server 2008 R2 Enterprise: "Enterprise root CA" option is not available when you try to install the Certificate Services component
Hi, running Server 2008 R2 Enterprise. My (CA) computer is a part of my domain and we are trying to install the AD CS role on this server. When we get to the step "Specify Setup Type", the option to choose Enterprise Root CA is greyed out. This is a freshly installed server. We are using the Installation Guide from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=44315bff-b744-4637-a66b-e69b4955ee45. Is there another step-by-step guide for AD CS setup in 2008 R2 Enterprise, or is there a step that was missed that needs to be implemented in order for the "Enterprise" option to be selectable?
May 5th, 2011 6:23pm

This is a common issue when you log on with a local (not domain) administrator. You MUST log on by specifying the logon name as DomainName\UserName or username@domainname.com. Also make sure that your server is a member of an AD domain (not a workgroup member).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 6th, 2011 1:50am

OK. I tried both of the above combinations and rechecked my accounts and permissions, and the "Enterprise" option still was not made available, and my server is a member of the AD domain. My version of Server 2008 R2 Enterprise is a volume license. Being that the volume licenses are sometimes modified, could this be an issue with the installation? Thanks
May 6th, 2011 8:19am

Do you have Enterprise Admins permissions?
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 6th, 2011 11:23am

Yes, I do have Enterprise Admin permissions. We have verified all permissions, double-checked the domain settings, and still no change in installation options. ...... Instead we have installed AD CS on DC1 and the service is up and running with a few minor errors. The first being the error from the certificate stating that "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." My CA root certificate is issued from my CA. When I get this message and view the certificate, it shows the following:
General
Issued to: PC1-win.domain.com
Issued by: PC1-win.domain.com
Valid from 5/5/2011 to 11/4/2011
States "You have a private key that corresponds to this certificate"
Details is good
Certificate Path
PC1-WIN.domain.com
Certificate Status: This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities Store.
I have read the threads pertaining to this and it is still not working. I have exported and imported the file to the trusted root certification authority. Does this trust need to be established within the domain trust under GPO so that it covers the complete domain, or is this an individual trust that must take place? Or do I need to obtain an outside CA root certificate? Thank you
May 6th, 2011 3:38pm

It looks like your server has some connectivity issues and cannot connect to any writable domain controller.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
May 12th, 2011 8:14am

For the present I have AD CS running on another server that is a part of the domain and it is up and running. I am going to do another fresh install and see if I cannot get this server to connect to the domain properly and configure it for a second CA. Thank you for your help.
May 12th, 2011 8:48am

My server connection was fine and it was connected to a writable domain controller. The issue was that when installing CS for Enterprise Root or Subordinate, the server has to be a member of the domain and a DC. My server was a member of the domain but not a DC. Once I made it a DC, I was then able to complete the CS installation on this server as an enterprise subordinate. So back to my original question earlier: "Does a server have to be a DC before Enterprise services can be installed?" The answer to that would be yes, a server does have to be a member of the domain and a DC before installing AD CS Enterprise. Thank you
May 20th, 2011 8:55am

On Fri, 20 May 2011 12:55:08 +0000, Lester Daniels Jr wrote:
> So back to my original question earlier: "Does a server have to be a DC before Enterprise services can be installed?"
No, and from a security best practices perspective an enterprise CA should only be a member server and not also a DC. Whatever problem you were having, I can assure you that it wasn't because the computer was not a DC.
> The answer to that would be yes, a server does have to be a member of the domain and a DC before installing AD CS Enterprise.
No. It does need to be a member of the domain but it most definitely does not need to be a DC.
Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
The world will end in 5 minutes. Please log out.
May 20th, 2011 8:58am

On Thu, 5 May 2011 22:23:10 +0000, Lester Daniels Jr wrote:
> Is there another step-by-step guide for AD CS setup in 2008 R2 Enterprise, or is there a step that was missed that needs to be implemented in order for the "Enterprise" option to be selectable?
Here's my guess as to what your problem was. You were either using the account named Administrator to log on to the member server or you were using a domain account that had a corresponding local account with the same name. If you log on with what you think is a domain account, and there's a corresponding local account with the same name, like Administrator, the domain name is dropped and the local account is used for logon unless you enter the account name as domain\accountname or accountname@domain.com. Since you were logged in with a local account, the Enterprise option for the CA would never be available. After promoting the member server to a DC, there really is no more local account database, so it appeared that promoting the box to a DC solved your problem. I can 100% assure you that an Enterprise CA does not need to be a DC, and as I've said before, from a security perspective it should not be a DC.
Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
The determined programmer can write a FORTRAN program in any language.
May 20th, 2011 11:18am
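
The replies above name four conditions behind a greyed-out Enterprise option: workgroup membership, a local-account logon, missing Enterprise Admins rights and no reachable writable domain controller. The following is an added example, not part of any post in this thread, that checks them and the member-server recommendation in one pass; the function names are hypothetical, and it assumes an elevated PowerShell prompt on the intended CA server.

```powershell
# Added example (not from the thread): read-only pre-flight checks to run on the
# intended CA server, from an elevated prompt, before starting the AD CS wizard.
function New-Check($Name, $Pass, $Detail) {
    New-Object psobject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function Test-EnterpriseCaPrereq {   # hypothetical helper name
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Domain member rather than workgroup member.
    New-Check 'Computer is joined to a domain' $cs.PartOfDomain $cs.Domain

    # A local account shows up as COMPUTERNAME\user; a domain account as DOMAIN\user.
    # DomainRole 4 and 5 are domain controllers, which have no local accounts.
    $authority = $id.Name.Split('\')[0]
    $isLocal = ($cs.DomainRole -lt 4) -and ($authority -eq $env:COMPUTERNAME)
    New-Check 'Logged on with a domain account' (-not $isLocal) ($id.Name)

    # Enterprise Admins is the forest root domain SID with RID 519.
    $ea = @($id.Groups | Where-Object { $_.Value -match '^S-1-5-21-(\d+-){3}519$' })
    New-Check 'Token contains Enterprise Admins' ($ea.Count -gt 0) ($ea -join ', ')

    # The server must be able to locate a writable domain controller.
    try {
        $flag = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::WriteableRequired
        $dom  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        New-Check 'Writable domain controller located' $true ($dom.FindDomainController($flag).Name)
    } catch {
        New-Check 'Writable domain controller located' $false ($_.Exception.Message)
    }

    # DomainRole 3 is a member server.
    New-Check 'Server is a member server, not a DC' ($cs.DomainRole -eq 3) "DomainRole=$($cs.DomainRole)"
}

Test-EnterpriseCaPrereq | Format-Table Check, Pass, Detail -AutoSize -Wrap
```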

Paul, I log on with the account name as domain\accountname and the Enterprise option for the CA would never be available. I could select standalone CA without any problems. My server was a member of the domain and connected to a writable DC. I am using AD DS to issue and manage my certificates and by that means alone the server had to be a DC in order for that Enterprise option to be made available. I could see if I was installing it as a standalone CA for it. So on a new server that is a member of the domain and all account credentials are as they need to be, why would the Enterprise option not be selectable on the server when the server is not a DC, and available when it is promoted to a DC? I understand that you say that it should not and does not need to be a DC, but that is what was required for the Enterprise option to be made available.
Lester Daniels Jr
May 20th, 2011 11:41am

Paul, if there is a way and a procedure to successfully install and set up an Enterprise CA, with all the proper login credentials and a member of a domain as part of the requirements, without it being a DC, we would love for you to provide us with that how-to. My boss is even willing to set up an account for you to VPN or remote desktop to our system in order for you to show us how it could be done. He is willing to send this info to your email if needed in order for you to show us how this can be done. All of the documentation that has been posted and the threads that have been read state that Enterprise works with AD DS, and with standalone CAs you must use Group Policy to add the CA's self-signed certificate to the Trusted Root CAs store on each computer in the domain. Any insight that you can provide as to how this process can be successfully accomplished without the CA being a DC, we would greatly appreciate.
Thank you, Lester
Information Technology | Network Technician lester.daniels@scsi-ga.com
Lester Daniels Jr
May 20th, 2011 12:10pm

Hi Lester, I was having the same issue, and I disjoined the server from the domain and joined it again. I logged on with a user different from administrator, but one that has the same privileges. Now the Enterprise CA option is available and I have installed without issues. I hope I have helped you.... Mauricio
July 21st, 2011 3:41pm

Hi Mauricio, I thank you for your post and help. The issue has been resolved and I apologize for such a delayed reply to your post. Thank you again, Lester
Lester Daniels Jr
August 18th, 2011 11:36am

Hi all, I encountered this problem too and could resolve it. The reason is indeed that the logged-in user doesn't have enough privileges. Create a new Administrator account or change your user to an Administrator. If you are already an Administrator, try this: make your account a general user account, restart, and then make your account an Administrator again and restart again. Now you would see that the problem is resolved. Thanks, Suresh
June 12th, 2012 10:27am

This topic is archived. No further replies will be accepted.
