Are Windows 7 client systems able to enroll for version 1 templates?
On my customer's network there is a DC and Certificate Services, and the OS version is Standalone. All the clients can autoenroll and enroll for certificates except Windows 7 clients. I already did everything and I'm guessing that the reason it's not working is that the OS version is Windows Standalone. Is that really the problem? What is the relation between templates and the clients that can enroll? Thanks... Yuri Poloni.
February 2nd, 2011 1:01pm

Can you verify a few things:
- Are the DC and the CA separate machines or the same machine?
- If the CA is separate, is it a member of the domain?
- Is the CA an enterprise CA or a standalone CA?
- Are the Windows 7 machines members of the domain/forest, or are they workgroup computers?
- How are you attempting the enrollment process? Web enrollment or the Certificates MMC?
Brian
February 2nd, 2011 1:10pm

Brian,
1 - The DC and the Enterprise CA are the same machine, and the OS version is Windows 2003 Standard.
2 - The Windows 7 machines are domain joined and I'm using auto-enrollment via GPO.
Yuri Poloni.
February 2nd, 2011 1:35pm

OK, then this is easy:
1) Windows Server 2003 Standard only supports V1 certificate templates.
2) Autoenrollment is only supported by V2 (and V3) certificate templates.
3) Configuring autoenrollment via GPO will not work, since the CA cannot issue certificates based on V2 certificate templates.
4) Your CA can only issue certificates based on V1 certificate templates. It is possible to automatically deploy *computer* certificates by using Automatic Certificate Request Settings.
It is not possible to automatically deploy certificates with your current configuration. You must either upgrade the DC to Windows Server 2003, Enterprise Edition, or deploy a separate CA running Windows Server 2003, Enterprise Edition, Windows Server 2003 R2, Enterprise Edition, Windows Server 2008 Enterprise, Windows Server 2008 R2 Standard, or Windows Server 2008 R2 Enterprise. It will not work with your current infrastructure.
Brian
February 2nd, 2011 1:45pm
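
The V1-versus-V2 distinction Brian describes is recorded on each template object in Active Directory, so it can be checked directly rather than inferred from the CA's OS edition. The script below is an added example, not code from the thread or from Microsoft; it reads the Certificate Templates container in the Configuration naming context, reports each template's schema version, whether its msPKI-Enrollment-Flag carries the CT_FLAG_AUTO_ENROLLMENT bit (0x20), and which templates each enterprise CA in the forest actually publishes. It assumes it is run as a domain user on a domain-joined machine (PowerShell 2.0 or later, so it also works on Windows 7); a V1 template will show schema version 1 and can never autoenroll, whatever the GPO says.

```powershell
# Added example (not part of the original thread). Enumerates certificate templates
# and enterprise CAs from the Configuration NC to show why a V1-only CA cannot
# satisfy an autoenrollment GPO.

# CT_FLAG_AUTO_ENROLLMENT bit of msPKI-Enrollment-Flag; only V2+ templates honor it.
$CT_FLAG_AUTO_ENROLLMENT = 0x20

# Find the forest's Configuration NC from RootDSE (replicated to every DC in the forest).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNc"

# 1. Every template defined in the forest, with its schema version and autoenroll bit.
$templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pks"
$templates = foreach ($t in $templateContainer.Children) {
    $schema = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    $flags  = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    New-Object PSObject -Property @{
        Template      = [string]$t.Properties['cn'].Value
        SchemaVersion = $schema
        # Autoenrollment needs both a V2+ template and the flag set on it.
        AutoEnroll    = ($schema -ge 2) -and (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
    }
}
"Templates defined in $configNc"
$templates | Select-Object Template, SchemaVersion, AutoEnroll |
    Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# 2. Which of those templates each enterprise CA is configured to issue.
#    A V2 template that is not in a CA's certificateTemplates list is never offered,
#    and a 2003 Standard CA will only ever list V1 templates here.
$enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,$pks"
foreach ($ca in $enrollSvc.Children) {
    $caName    = [string]$ca.Properties['cn'].Value
    $caHost    = [string]$ca.Properties['dNSHostName'].Value
    $published = @($ca.Properties['certificateTemplates'] | ForEach-Object { [string]$_ })
    $v2Plus    = @($templates | Where-Object { $published -contains $_.Template -and $_.SchemaVersion -ge 2 })
    ""
    "CA '$caName' on $caHost publishes $($published.Count) template(s): $($published -join ', ')"
    if ($v2Plus.Count -eq 0) {
        "  -> no V2+ templates published; GPO autoenrollment cannot succeed against this CA"
    }
}
```

Only the second section changes after the migration Brian recommends: once the CA runs on an edition that supports V2 templates and those templates are added to its certificateTemplates attribute, they appear in the published list and the AutoEnroll column shows which of them clients will pick up. Computer certificates from V1 templates (such as the built-in Computer template) can still be pushed with Automatic Certificate Request Settings, as the reply above notes, but that is a separate mechanism from the V2 autoenrollment flag this script reports.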

Ok... Thanks Brian...
February 2nd, 2011 1:59pm

Well... as I'm not an expert on PKI, I would like more considerations from you if possible.
Scenario:
1 - The DC and the Enterprise CA are the same machine and the OS version is Windows 2003 Standard. There is only this Subordinate CA to issue certificates to my domain. There are many domains in my forest.
Planning:
1 - I'm planning to move a CA on a domain controller to a CA on a different computer (migrating a CA) and keep the domain controller component in place on the original host.
2 - The target machine is Windows 2008 R2 Enterprise.
Is this migration supported? My concerns are about the hardware change, role separation, OS version change (Standard to Enterprise R2) and the CA host name change.
Thanks, Yuri Poloni.
February 3rd, 2011 8:07am

Well... I just did the migration, but it's not issuing certificates to Windows 7 clients yet. When manually requesting the user certificate, the error appears: "The domain specified does not exist or could not be contacted." I need help... =\ Regards, Yuri Poloni.
February 3rd, 2011 2:58pm

I think your network has some basic problems not related to PKI. Run nltest /sc_verify:domain.com at the CA and see whether the computer is even connecting to the domain. Until you can connect to the domain, you are not going to be issuing certs.
Brian
February 3rd, 2011 3:36pm

The problem is that Windows 7 and Windows Server 2008 R2 clients are unable to receive auto-enrolled certificates when joined to our domain. Our setup is a little convoluted, but we are a subdomain in a forest, and only the DCs of our subdomain have access to the parent domain. We have a subordinate CA located in our domain that works fine for all other clients (Vista, XP, 2003 servers and 2008 servers) but is unable to enroll the new OSs. We have the settings set up via group policy: Computer > Windows Settings > Security > Public Key Policies.
When I try to manually request a certificate, on the "Before You Begin" window I click "Next"; the next window is "Select Certificate Enrollment Policy", and what's strange is that the enrollment policy just isn't shown. When I ran the command "gpresult /r" I saw that the auto-enrollment policy is applied. However, the clients get the following error when trying to get a certificate from our subordinate CA:
Event ID: 6 Automatic certificate enrollment for local system failed (0x8007054b) The specified domain either does not exist or could not be contacted.
February 4th, 2011 6:28am

Can you provide more information on "only the DCs of our subdomain have access to the parent domain"? Certificate Template information is stored in the Configuration naming context, which is part of the "parent domain". I think that this is still an infrastructure issue. It looks like the clients have been blocked from seeing the "parent domain". If they cannot read objects from the domain, they cannot see what certificate templates are available for enrollment. This would cause your issue.
Brian
February 4th, 2011 7:40am
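
Brian's two suggestions (the nltest secure-channel check, and confirming that clients can read the certificate template objects in the Configuration naming context) can be run from an affected client in one pass, together with a reachability test for the CA itself, which autoenrollment contacts over DCOM/RPC. The script below is an added example, not code from the thread; it assumes a domain-joined Windows 7 or 2008 R2 client logging Event ID 6 with 0x8007054b, PowerShell 2.0 or later, and that the client's own DC answers LDAP://RootDSE. The Test-TcpPort helper and the port list are the author's assumptions, not part of the thread.

```powershell
# Added example (not part of the original thread). Reproduces, from a failing client,
# the checks the thread converges on: domain secure channel, readable template objects
# in the Configuration NC, and RPC reachability of every enterprise CA advertised in AD.

function Test-TcpPort {
    # Hypothetical helper: TCP connect with a timeout, usable on Windows 7
    # (Test-NetConnection is not available there).
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Secure channel to the client's own domain (the nltest check Brian gave for the CA host).
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
nltest /sc_verify:$domain | Out-Null
"Secure channel to ${domain}: " + $(if ($LASTEXITCODE -eq 0) { 'OK' } else { 'FAILED' })

# 2. Read the template and enrollment-services containers from the Configuration NC.
#    If this throws or returns nothing, the client cannot see what templates exist,
#    which is the failure Brian describes.
$cfg = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pks = "CN=Public Key Services,CN=Services,$cfg"
try {
    $templates = @(([ADSI]"LDAP://CN=Certificate Templates,$pks").Children)
    "Readable certificate templates in ${cfg}: $($templates.Count)"
} catch {
    "Cannot read Certificate Templates container: $($_.Exception.Message)"
}

# 3. Every enterprise CA advertised in AD must be reachable on the RPC endpoint mapper
#    (TCP 135); DCOM enrollment then continues on a dynamic high port.
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
    $caName = [string]$ca.Properties['cn'].Value
    $caHost = [string]$ca.Properties['dNSHostName'].Value
    $rpcOpen = Test-TcpPort -HostName $caHost -Port 135
    '{0,-30} {1,-40} RPC/135: {2}' -f $caName, $caHost, $(if ($rpcOpen) { 'open' } else { 'BLOCKED' })
}
```

A "BLOCKED" result in step 3 points at a firewall between the client and the CA, which is what the thread eventually found. Port 135 being open is necessary but not sufficient: the ICertRequest DCOM call moves to a dynamic port after the endpoint-mapper exchange, so a firewall that allows 135 alone still breaks enrollment; a packet capture on the client, as done later in the thread, shows which connection is dropped.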

Thanks again Komar... After running Wireshark I noticed that the communication to the ROOT CA was being blocked by a firewall. Regards, Yuri Poloni.
March 10th, 2011 6:12am
