Setup LDAPS
I am trying to set up LDAPS in a 2008 domain following KB321051. I take the cert to my production domain with a Root CA and try to submit a request; it tells me:

"The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template."

If we add

[RequestAttributes]
CertificateTemplate = DomainControllerAuthentication

we get:

"The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-214875377) Denied by Policy Module."

If we add

SAN="dns=[servername].edu"

we get the same error again. I tried

CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

and restarting the service, still no go. I am very new to certs, could someone help me out please :(

blankmonkey
February 12th, 2010 11:40pm

I've been doing the same thing in a lab very recently, as I wanted to issue a Domain Controller Authentication certificate to a domain controller in an untrusted forest. I came across the same article and struggled with the same error messages!

After a bit of searching, I came across a blog post that pointed to this Microsoft article: http://technet.microsoft.com/en-us/library/cc782583%28WS.10%29.aspx

After using the script and following the notes, I managed to create and install a DC cert and successfully test the connection with LDP.

You don't mention what OS your (Enterprise?) Root CA is running under. I have another lab with a 2K8 domain and 2K8 R2 CAs. To install a DC cert on the domain controllers, I just used the Certificates MMC snap-in focused on the Local Computer, right-clicked the Personal container and selected All Tasks / Request new certificate. The wizard takes you through selecting an Enterprise CA and a template that is published by the chosen CA.

Steve G
February 13th, 2010 11:00am

Can you be a bit more specific? This document is huge. I will start reading, but my eyes are starting to glaze over. I am a bit new to certs :(

blankmonkey
February 16th, 2010 3:00am

OK, I found the script you were referencing, and I ran it. Also read the whole bunch. I get the inf and bat files, but I am still getting the same errors. I suspect I have to add the DNS entry manually into the inf, but can't find the syntax.

blankmonkey
February 16th, 2010 3:54am

OK, I have run through about every iteration of the inf file that I can think of and this is still failing. On more research, I think this may be an issue with setting up the Enterprise CA on the old domain; I do not think it wants to issue a certificate it doesn't know about. I found this article, but can't seem to run the dsacls commands, I am getting errors:

dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:WP;userCertificate"

No GUID Found for userCertificate
The parameter is incorrect.
The command failed to complete successfully.

blankmonkey
February 19th, 2010 11:31pm

I recently ran into a similar issue while trying to fulfill a certificate request from a non-trusted domain and ran into the same error you mentioned earlier: "The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-214875377) Denied by Policy Module."

To resolve that error, follow these steps:

1. On your CA, add the Certificate Templates snap-in to the MMC.
2. Open Properties on the Domain Controller Authentication certificate template.
3. Select the Subject Name tab.
4. Change the radio button to "Supply in the request".
5. Click OK to close the template.
6. Restart Certificate Services on your CA.

Also, while you're in the template properties, ensure the Minimum Key Size matches the "KeyLength" parameter in your inf file. Finally, I would suggest putting the template back to its defaults after you successfully generate your cert.

Hope that helps.

Paul
February 20th, 2010 10:33am
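For the SAN syntax blankmonkey was looking for, here is an added example (it is not from any poster in this thread) of a certreq request file that carries the DNS name in the request's own Subject Alternative Name extension, paired with the template change Paul describes. The DC name, the CA "host\name" config string and the scratch directory are assumptions; replace them with your own values.

```powershell
# Added example, not from the thread. Assumed values: the DC's FQDN, the CA's
# "host\name" config string and a scratch directory; replace them with your own.
$Fqdn     = 'dc1.corp.example.edu'
$CaConfig = 'ca01.corp.example.edu\Corp-Root-CA'
$WorkDir  = 'C:\Temp\ldaps'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The SAN goes into the PKCS#10 request as a real extension (OID 2.5.29.17).
# The CA honours it when the template's Subject Name is set to "Supply in the
# request", which is what Paul's steps configure; no EditFlags change is needed.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = DomainControllerAuthentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
Set-Content -Path "$WorkDir\dc.inf" -Value $inf -Encoding Ascii

# Generate the request on the DC (the key lands in the machine store), submit
# it to the CA, then bind the issued certificate to the waiting private key.
certreq.exe -new    "$WorkDir\dc.inf" "$WorkDir\dc.req"
certreq.exe -submit -config $CaConfig "$WorkDir\dc.req" "$WorkDir\dc.cer"
certreq.exe -accept "$WorkDir\dc.cer"

# Confirm the issued certificate carries the expected SAN before testing LDAPS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san.Format($true)

# If EDITF_ATTRIBUTESUBJECTALTNAME2 was switched on while experimenting (as in
# the first post), turn it back off on the CA: with it set, the CA accepts a SAN
# typed into the request attributes by any requester, for any template. Once
# the SAN travels in the request extension as above, the flag is not needed.
# certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
# net stop certsvc; net start certsvc
```

Run it in an elevated prompt on the domain controller that will serve LDAPS, so that the private key is created in the Local Computer store that Schannel reads from. The `[Extensions]` form with `{text}` and `_continue_` lines is certreq's documented way of adding a SAN to the request; the `SAN="dns=..."` line under `[RequestAttributes]` that the first post tried is only honoured by the CA when the EditFlags bit is on, which is why clearing that bit afterwards is the tidier end state. As Paul notes, the template's Subject Name setting should be returned to its default once the certificate has been issued.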

YES!!!! THANK YOU so much :) I have this posted in several places, and no one knew what to do. This got me the cert, and I will continue the process.

Side question: I tried to do this with the DomainController template, but all the options were greyed out :(

blankmonkey
February 22nd, 2010 9:28pm

WOOT, I got it all working. One final note: after I got the cert, I imported it from the wizard into the personal certs on the local machine. In addition, I also had to add the CA to the trusted CA listing. After that, I was able to use LDP to confirm it is up and working. Thank you to all :)

blankmonkey
February 22nd, 2010 11:20pm
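The LDP check blankmonkey describes can be scripted so it is repeatable and so the two things this thread had to fix (a SAN that matches the server name, and an issuing CA the client trusts) are verified explicitly. The following is an added example, not code from any poster here; the server name is an assumption.

```powershell
# Added example, not from the thread. Checks an LDAPS listener the way a client
# would: a TLS handshake with full chain validation, then an LDAP bind on 636.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsHandshake {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Default validation: the chain must build to a CA this client trusts
        # and the name must match the certificate's SAN/CN. Either failure
        # surfaces as an AuthenticationException with the reason in its message.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    }
    finally { $tcp.Close() }
}

function Test-LdapsBind {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()            # throws LdapException on TLS or bind failure
        return $true
    }
    finally { $conn.Dispose() }
}

$dc = 'dc1.corp.example.edu'   # assumption: the DC just issued a certificate
Test-LdapsHandshake -Server $dc | Format-List
if (Test-LdapsBind -Server $dc) { "LDAPS bind to $dc succeeded" }
```

Run it from a member machine rather than from the DC itself, because the point is to see the certificate through the trust store of a real client: if the issuing CA is not in that machine's Trusted Root Certification Authorities (the step blankmonkey had to add), the handshake function reports an untrusted chain even though LDP on the DC may already work. The `Issuer` and `NotAfter` fields in the output are also what to watch once the certificate approaches expiry, since Schannel silently falls back to no LDAPS listener when no valid certificate is present.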

Yeah, good question. The DomainController certificate template (used for Windows 2000 DC backward compatibility) is a V1 template, and V1 templates were not configurable other than modifying permissions.
February 23rd, 2010 12:14am
