Hi all,
I have set up a PKI in my multi-domain environment. I did a two-tier setup with an offline root and two issuing CAs.
The issuing CAs were set up by accident in the root with a non-Enterprise Admin account; they were set up with a root Domain Admin account instead.
I need to understand the implications of this.
What I have seen so far:
1. The Cert Publishers groups in the child domains are empty.
2. Some 2008 DCs are getting the root CA and an issued cert from the issuing CA, but also generate the following event in Event Viewer:
Event ID 80; Source: Microsoft-Windows-CertificationAuthority on a Windows 2008 certificate server
Active Directory Certificate Services could not publish a Certificate for request ##### to the following location on server DC.DOMAIN.COM: CN=user,OU=OU, DC=domain,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150E8A, problem 4003
I know this relates back to the Cert Publishers group.
My question is: what settings would have been missed out by not using an Enterprise Admin account? Is this something I can add in myself, or do I need to decommission the new environment and start again?
Other useful bits:
All servers are 2012 STD.
The root CA was published to my AD using the -f -dspublish command with a root Domain Admin account.
Some certs are being issued in the child domain, but there are numerous warnings logged (as above).
Thanks for your help in advance!
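The two symptoms described in the post (empty Cert Publishers groups in the child domains, and event ID 80 from Microsoft-Windows-CertificationAuthority) can be checked from one script before deciding anything. The following is an added diagnostic example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed, that it is run from an issuing CA by an account that can read every domain in the forest, and that the forest and group names are whatever the environment actually uses (nothing is hard-coded beyond the well-known group name).

```powershell
# Added example (not from the original post): enumerate the Cert Publishers
# membership of every domain in the forest and pull recent event 80 entries
# from the local CA's Application log. Read-only; it changes nothing.
# Assumes the ActiveDirectory RSAT module and that it runs on the issuing CA.
Import-Module ActiveDirectory

$forest = Get-ADForest
foreach ($domain in $forest.Domains) {
    # Cert Publishers is a per-domain group; an issuing CA's computer account
    # must be a member in each domain whose objects it publishes to.
    $members = Get-ADGroupMember -Identity 'Cert Publishers' -Server $domain -ErrorAction SilentlyContinue
    if (-not $members) {
        Write-Output "$domain : Cert Publishers is EMPTY (no CA computer accounts)"
    } else {
        Write-Output "$domain : Cert Publishers = $($members.Name -join ', ')"
    }
}

# Event 80 is logged when the CA cannot publish an issued certificate to the
# requester's AD object (the 0x80072098 / insufficient rights case in the post).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 80
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it once per issuing CA and compare: a child domain whose Cert Publishers group does not list that CA's computer account is exactly the domain where the event 80 entries will name user objects under DC=child,DC=... in their publish path.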