Greetings, community!
We have a clustered CA configuration on Windows Server 2012 R2. It was configured by this instruction: http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx
It works perfectly without any trouble, until I'd like to add a new Certificate Template.
When I try to add/remove any Template to Issue, I get an error:
The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (Win32: 5 ERROR_ACCESS_DENIED )
The changes can be saved to Active Directory and retrieved by the CA next time it is started. Do you want to save the changes to Active Directory?
YES/NO
If I press Yes, the changes will be applied.
The same strange situation occurs with adding/removing rights to manage the CA:
When I try to add any user, or change the current rights of existing users, I get an error:
The permissions could not be updated on the CA and have been saved to the registry. You must restart Active Directory Certificate Services for the changes to take effect.
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
When I apply the changes, they are applied correctly, but in the Application Log I get Event ID 92 with the text:
Active Directory Certificate Services could not update security permissions. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED).
I discovered that the instructions on configuring the CA cluster have some special steps:
Configuring_the_CA_in_Active_Directory
We should give all CA Cluster nodes Full Access permissions on the CA Cluster Name in the Enrollment Services container.
So, when we change the Manage CA permissions, our nodes disappear from the Enrollment Services container, and the Cluster CA name appears there with Full Access rights. Then we get the errors I wrote about above.
Strangely, we have the same situation after restarting the CA nodes. We don't add new Templates or change Manage CA rights very often, so I can't imagine when it happened for the first time.
Well, I have some questions:
1. Why does it happen? Why have the CA nodes been deleted, and why has the CA Cluster Name been created in the rights pane of the CA Cluster Name in the Enrollment Services container?
2. Why are the CA nodes denied when they try to do something? If they are trying to do something as the node name, why are they rewriting the permissions as the CA Cluster Name?
3. What can I do to fix it? How can I allow any connections to AD from the CA nodes as the CA Cluster Name?
Same error, but no fixes:
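One way to check the condition the post describes, given here as an added example and not as code from the post or from the TechNet clustering guide: a PowerShell script that reads the DACL on the clustered CA's object in the Enrollment Services container and reports whether each cluster node's computer account still holds the Full Control ACE the guide calls for, optionally re-adding any that are missing. The CA common name, the node computer names, and the assumption that the account running it is allowed to edit that object's DACL are placeholders/assumptions; the DN layout under CN=Public Key Services,CN=Services in the Configuration partition is the standard AD CS location.

```powershell
# Added example (not from the original post or the TechNet guide): audit, and
# optionally restore, the Full Control ACEs that each CA cluster node's computer
# account needs on the clustered CA's object in the Enrollment Services container.
# Placeholders: the CA common name and the node computer names below.
param(
    [string]   $CaName = 'CONTOSO-ISSUING-CA',        # placeholder: clustered CA common name
    [string[]] $Nodes  = @('CANODE01', 'CANODE02'),   # placeholder: cluster node computer names
    [switch]   $Fix                                   # add missing ACEs instead of only reporting
)

Import-Module ActiveDirectory

# Translate an ACE identity (NTAccount or raw SID) to a SID; $null if it cannot be
# resolved (e.g. an orphaned SID left behind by a deleted account).
function Resolve-Sid {
    param([System.Security.Principal.IdentityReference] $Id)
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { return $null }
}

# The CA's enrollment object lives in the Configuration naming context:
# CN=<CA name>,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,...
$configNC = (Get-ADRootDSE).configurationNamingContext
$caDn     = "CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$adPath   = "AD:\$caDn"

if (-not (Test-Path $adPath)) {
    throw "CA object not found: $caDn"
}

$acl = Get-Acl -Path $adPath

# Show every explicit ACE first, so the state the post describes (the cluster
# name present, the node accounts gone) is visible before anything is changed.
Write-Host "Explicit ACEs on $caDn :"
$acl.Access | Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$missing     = @()

foreach ($node in $Nodes) {
    $sid = (Get-ADComputer -Identity $node).SID   # throws if the node account does not exist

    # A node counts as correctly configured only if an explicit Allow ACE for its
    # own SID grants GenericAll (Full Control). Matching on SID rather than on the
    # displayed name avoids false matches between "NODE" and "DOMAIN\NODE$".
    $hasFull = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (Resolve-Sid $_.IdentityReference) -eq $sid -and
        $_.ActiveDirectoryRights.HasFlag($fullControl)
    }

    if ($hasFull) {
        Write-Host "OK       $node has Full Control on the CA object"
    } else {
        Write-Warning "MISSING  $node has no Full Control ACE on the CA object"
        $missing += $sid
    }
}

if ($Fix -and $missing.Count -gt 0) {
    foreach ($sid in $missing) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            $fullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    # Writing the DACL requires rights on the CA object itself (typically Enterprise Admins).
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Added $($missing.Count) Full Control ACE(s); restart the CA service on the active node to pick them up."
}
```

Run it without -Fix first, from a domain-joined host with RSAT, to see the current explicit ACEs; the listing is the quickest way to confirm whether the node accounts have really been replaced by the cluster name, as the post reports. Rerun it with -Fix only after the listing has been reviewed, since it appends ACEs and never removes any.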