Channel: Security forum

Installed Enterprise CA into root domain now getting errors on child domain DCs when autoenrolling the DC template


Hi all,

I've hit a potential problem while deploying a two-tier CA PKI. All servers are running Server 2012 Standard. The Offline Root was installed as local admin and the Enterprise Issuing CAs were installed using a Domain Admin account rather than an Enterprise Admin... I read (afterwards) that the account requirement is Enterprise Admin to install the CA role, NDES etc.

The strange thing is all seems to be OK for most certificate requests but I have experienced a few 'funny' events and the CertOCM.log file has LOTS of access denied errors. The main problem seems to be DCs in child domains requesting a cert and, other than the fact some get them and some don't, the event ID 80 is being logged with the following warning:

Active Directory Certificate Services could not publish a certificate for request %1 to the following location on server %4: %2.  %3.%5%6

I've been looking at the following articles (http://support.microsoft.com/kb/281271 and http://support.microsoft.com/kb/219059) - adding the Cert Publishers group into the child domain Cert Publishers group - but the customer is loath to try this as a) this is a new clean install and I've just decommissioned their old environment! and b) what else is affected by not installing using the EA account...

Understandable to be honest and annoyed with myself for missing this! (All my other deployments must have been completed using a member of the EA group!!!)

Can anyone please confirm EXACTLY what is modified during the Enterprise CA install (obviously correctly using EA permissions!) and also are there any other implications to following the above articles to get around the problem?

If I can't get an official answer I suspect I will be decommissioning the 2 new Issuing CAs and re-installing. With Enterprise Admin rights this time!!

Thanks in advance,

James.

PS - This is an excerpt from the CertOCM.log file:

114.5354.949: <2013/8/14, 14:06:12>: End: CCertSrvSetup::SetCADistinguishedName
114.2577.948: <2013/8/14, 14:06:12>: Begin: CCertSrvSetup::SetDatabaseInformation
114.2620.949: <2013/8/14, 14:06:12>: End: CCertSrvSetup::SetDatabaseInformation
114.684.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::InitializeDefaults
109.7915.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
109.7934.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
109.7915.0:<2013/8/14, 14:06:37>: 0x80070002 (WIN32: 2)
401.1317.946: <2013/8/14, 14:06:37>: Opened Policy inf: C:\Windows\CAPolicy.inf
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
109.1077.0:<2013/8/14, 14:06:37>: 0xe0000102 (INF: -536870654)
114.737.0:<2013/8/14, 14:06:37>: 0xe0000102 (INF: -536870654)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.346.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259)
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
452.627.0:<2013/8/14, 14:06:37>: 0x80090030 (-2146893776): Microsoft Platform Crypto Provider
454.678.0:<2013/8/14, 14:06:37>: 0x80090030 (-2146893776)
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-GMAC
454.249.0:<2013/8/14, 14:06:37>: 0x80004005 (-2147467259): AES-CMAC
452.722.0:<2013/8/14, 14:06:37>: 0x80090016 (-2146893802): XXXXXXXXXXXXXXXX (replaced as contains NetBIOS name)
112.339.0:<2013/8/14, 14:06:37>: 0x80090016 (-2146893802): Exception at ds\security\services\ca\fs\crypto\cngcryptofactory.cpp(441): NCryptOpenKey(hProv, &hKey, pwszKeyName, nLegacyKeySpec, acquireToOpenKeyFlags(fAcquire))
HRESULT = 0x80090016
114.883.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::InitializeDefaults
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2013/8/14, 14:06:37>: End: CCertSrvSetup::SetCASetupProperty
114.4910.948: <2013/8/14, 14:06:37>: Begin: CCertSrvSetup::SetCADistinguishedName
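One check a practitioner would want before deciding whether to reinstall, as an added example that is not part of the original post and not Microsoft tooling: the script below assumes the RSAT ActiveDirectory module is installed, that the account running it can read group membership in every domain and the Application log on the CA, and that the placeholder hostname ISSUINGCA01 is replaced with the real Issuing CA name. It enumerates every domain in the forest, reports whether the CA computer account is a direct or nested member of that domain's Cert Publishers group (the membership the two KB articles in the post rely on for cross-domain publishing), and then pulls the latest event ID 80 entries from the CA so the failing publish target can be matched against any domain flagged as missing.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: RSAT ActiveDirectory module present; the caller can read group
# membership in every forest domain and the CA's Application log;
# $CaComputerName is a placeholder for the Enterprise Issuing CA hostname.
Import-Module ActiveDirectory

$CaComputerName = 'ISSUINGCA01'          # placeholder hostname of the Issuing CA
$CaSamAccount   = "${CaComputerName}$"   # computer accounts are stored as NAME$

function Test-CertPublishersMembership {
    param([string]$DomainName, [string]$CaSam)

    # Cert Publishers is a per-domain group, so query a DC of the domain being checked.
    $dc    = (Get-ADDomainController -DomainName $DomainName -Discover).HostName[0]
    $group = Get-ADGroup -Identity 'Cert Publishers' -Server $dc

    $direct = $false
    $nested = $false

    # Direct membership: the CA computer object is listed in the group's member attribute.
    $directMembers = Get-ADGroupMember -Identity $group -Server $dc
    if ($directMembers | Where-Object { $_.objectClass -eq 'computer' -and $_.SamAccountName -eq $CaSam }) {
        $direct = $true
    }

    # Nested membership, e.g. another domain's Cert Publishers group added as a member.
    try {
        $allMembers = Get-ADGroupMember -Identity $group -Server $dc -Recursive
        if ($allMembers | Where-Object { $_.objectClass -eq 'computer' -and $_.SamAccountName -eq $CaSam }) {
            $nested = -not $direct
        }
    } catch {
        # Recursive expansion can fail on foreign security principals across trusts;
        # surface that instead of silently reporting the CA as not a member.
        Write-Warning "Could not expand nested members of Cert Publishers in $DomainName : $_"
    }

    [pscustomobject]@{
        Domain         = $DomainName
        GroupDN        = $group.DistinguishedName
        CaDirectMember = $direct
        CaNestedMember = $nested
        CaCanPublish   = ($direct -or $nested)
    }
}

# 1. Membership check in every domain of the forest (root and all child domains).
$forest  = Get-ADForest
$results = foreach ($d in $forest.Domains) {
    Test-CertPublishersMembership -DomainName $d -CaSam $CaSamAccount
}
$results | Format-Table -AutoSize

# Domains where the CA is not a Cert Publisher are the likely source of the
# event ID 80 publish failures seen when child-domain DCs autoenroll.
$results | Where-Object { -not $_.CaCanPublish } |
    ForEach-Object { Write-Warning "CA $CaComputerName is not in Cert Publishers of $($_.Domain)" }

# 2. Most recent event ID 80 entries from the CA's Application log, so the
#    server (%4) and location (%2) in each message can be matched against
#    the domains flagged above.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'   # AD CS event source
    Id           = 80
}
Get-WinEvent -ComputerName $CaComputerName -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The membership function is deliberately split into direct and nested results: adding the CA's computer account straight into each child domain's Cert Publishers group and adding the root domain's group as a nested member both satisfy the publish requirement, but they are different changes to audit, and the second is the one the customer in the post is hesitant to make.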