Hi,
the policy module is requesting the computer object from the wrong DCs if the requesting computer is a member of a domain whose DN contains the DN of the CA's domain.
Let's assume we have 3 domains, each in its own forest, with full trust between 1 and 2 and between 1 and 3:
1) dc=A1,dc=corp,dc=org
2) dc=A2,dc=corp,dc=org
3) dc=B1,dc=A1,dc=corp,dc=org
The CA is located on 1).
Requesting a certificate from a computer on 2) works as expected. No problems here.
Requesting a certificate from a computer on 3) fails with the following error:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 1/22/2013 10:08:25 PM
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: ca.A1.corp.org
Description:
Active Directory Certificate Services denied request 157 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for B1\B1DC1$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=B1DC1,OU=Domain Controllers,DC=B1,DC=A1,DC=corp,DC=org ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=A1,DC=corp,DC=org'
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="33370">53</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-01-22T21:08:25.000000000Z" />
<EventRecordID>2447</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>ca.A1.corp.org</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
<Data Name="RequestId">157</Data>
<Data Name="Reason">The specified account does not exist. 0x80070525 (WIN32: 1317)</Data>
<Data Name="SubjectName">B1\B1DC1$</Data>
<Data Name="AdditionalInformation">Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=B1DC1,OU=Domain Controllers,DC=B1,DC=A1,DC=corp,DC=org ldap: 0x20: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=A1,DC=corp,DC=org'</Data>
</EventData>
</Event>
Looking at the "best match of" information, it looks like the CA tried to look up the computer object on a DC of domain A1 instead of asking a DC in domain B1.
I was unable to find any information about how the CA finds the DCs to query. I expected the CA to do a DNS lookup with the client's domain name to find a DC, but this does not seem to be the case if the CA and the client share part of the DNS namespace.
I have found a similar thread but unfortunately without an answer: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/53d434d3-baad-4530-bd0a-443966948ce8
Is there some way to get this scenario working?
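An added diagnostic to reproduce the two lookups side by side (example code written for this page, not part of the original post and not how the AD CS policy module itself is implemented): it takes the requester DN from the event, derives the DNS domain name from its DC= components, locates a DC for that domain through the DC locator SRV record, and then checks whether the object exists on a DC of the CA's domain (A1) versus on the DC that is actually authoritative for B1. The DN, domain names and host names are the ones quoted in the post; the script assumes it runs on a domain-joined machine in A1 with LDAP and DNS reachability into the B1 forest.

```powershell
# Added diagnostic example, not from the original post. Assumes a domain-joined
# machine in the CA's domain (A1) with DNS and LDAP/389 access to both forests.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-DnsDomainName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Join the DC= components of a DN into a DNS name:
    # DC=B1,DC=A1,DC=corp,DC=org -> B1.A1.corp.org
    $parts = $DistinguishedName -split ',' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    return ($parts -join '.')
}

function Find-DomainControllerViaDns {
    param([Parameter(Mandatory)][string]$DnsDomainName)
    # DC locator SRV record for writable DCs of the given domain; pick the
    # best record by priority, then weight (Resolve-DnsName: Windows 8/2012+).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomainName" -Type SRV -ErrorAction Stop
    $best = $srv | Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object -First 1
    return $best.NameTarget
}

function Test-RequesterObject {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    # Base-scope existence check of the DN on the named DC. Exists() returns
    # $false for LDAP noSuchObject (0x20) and throws for bind/connectivity errors.
    $path = "LDAP://$Server/$DistinguishedName"
    try {
        $found = [System.DirectoryServices.DirectoryEntry]::Exists($path)
        [pscustomobject]@{ Server = $Server; Found = $found; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Found = $false; Error = $_.Exception.Message }
    }
}

# Requester DN exactly as shown in event 53 in the post.
$requesterDn = 'CN=B1DC1,OU=Domain Controllers,DC=B1,DC=A1,DC=corp,DC=org'

# A DC of the CA's own domain (A1): the DC the event's "best match of" points at.
$caDomainDc = ([System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()).FindDomainController().Name

# The DC the poster expected the CA to ask: located via DNS from the requester's domain name.
$requesterDomain = ConvertTo-DnsDomainName -DistinguishedName $requesterDn   # B1.A1.corp.org
$requesterDc     = Find-DomainControllerViaDns -DnsDomainName $requesterDomain

# Same DN against both DCs. In the post's scenario the first returns Found=False
# (A1 knows nothing about the separate B1 forest, despite the nested DN) and the
# second returns Found=True.
Test-RequesterObject -Server $caDomainDc  -DistinguishedName $requesterDn
Test-RequesterObject -Server $requesterDc -DistinguishedName $requesterDn
```

Run it from the CA host as an account that can read both directories. If the second check succeeds while the first fails, the object and the trust are fine and the problem is purely which DC is being asked, which is the behaviour described above; if both fail, look at the trust, DNS conditional forwarders or firewall rules between the forests before suspecting the policy module.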