I've been battling an issue with our domain for a couple days now. A little background:
We're attempting to migrate a standalone CA from our Windows 2008R2 system. We stood up two Windows 2019 servers (Root is off domain and IssuingCA is in Azure). Everything was going well by following this guide (https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-3/) and I was able to get the Issuing CA working and functional and issuing certificates just fine. Around that point, we installed the Web Enrollment feature on the Issuing CA and I was trying to figure out why no templates would show up in the IIS portal. At some point I revoked a certificate and that's when things seemed to stop working; we could no longer request certificates via IIS or by using certlm.msc > Request new Certificate -- it just hangs indefinitely and never displays the domain templates.
I removed the Web Enrollment feature and then tried to reinstall the Issuing CA role, but now that won't complete either. None of our clients can request certificates via normal processes -- when selecting Next in the Certificate Enrollment process, it just sits there and hangs indefinitely. This happens on any system, server, workstation, even the standalone CA itself.
The only good thing at this point is that I can still see that the standalone CA is issuing Workstation Authentication certificates via an AutoEnroll GPO, so I know it's still functional, but for whatever reason something we've done in the configuration and a hiccup experienced while standing up the Enterprise CA has caused this global issue on the domain.
I've removed what traces I could from ADSIEdit of the published Enterprise CA.
Any advice? I haven't been able to find any logs or indications in Event Viewer that seem related to this or hint at what the issue is.
Michael B Courville