
ADCS issued certificate displays [not available] in the Issued By field.


Hi guys

I'm having an issue with Active Directory Certificate Services, hopefully someone can give me a thread to work on as I'm on a tight deadline and initial searches aren't getting me anywhere.

I'll give you some quick background on the environment:

  • Windows 2008 R2 Root Enterprise CA 1 (member of root domain)
  • Windows 2008 R2 Subordinate Enterprise CA 1 (member of a child domain 1)
  • Windows 2012 R2 Member Server 1 (member of child domain 2)

Subordinate CA 1 is used for all certificate templates, requests and issuance.

The CA certificates for the PKI are present in Trusted Root CA's store on Member Server 1.

I have used this Certificate Template (Template 1) to issue certificates for 2 other Member Servers in 2 other Child Domains in this environment without a single problem. It's a simple Template used for SCCM 2012 R2 Distribution Points.

After having (predictable) RPC failures during the MMC request process I had firewall ports TCP 135 and TCP 49152-65535 opened between the requesting Member Server 1 and Subordinate Enterprise CA 1 only.

I am requesting the certificate from the MMC Local Computer Account using Template 1. The entire process is successful, I complete the additional information required by the template (leaving Subject Name blank and using 2 DNS entries for the Subject Alternative Name). This template requires approval so I hop over to Subordinate CA 1 and approve it. Back on Member Server 1 the issued certificate pops in to the Certificate Enrollment Requests store.

This is where the problem lies. Both the Issued By column and the properties of the certificate itself state [not available]. The certificate Certification Path displays only this certificate (no PKI CA hierarchy) so obviously it is not trusted.

So my question is, has anyone seen this before or does anyone have a place to start troubleshooting? I'd prefer to use the MMC console request method if possible as it simplifies administration for me going forward.

Thanks in advance!

James Martel

S3M Technologies

