  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8203
  • Last Modified:

How do I request a domain controller certificate for my domain controllers?

I have recently set up a Microsoft PKI using 2008.  I have an offline ROOTCA and an online issuing CA.  For whatever reason my 2003 AD servers are not automatically pulling domain controller certificates, and I was wondering what had to be done to have them either auto-enroll or to request them.
0
Asked by: urobins
2 Solutions
 
Paranormastic (Cryptographic Engineer) commented:
Are these Enterprise or StandAlone CA's?  They should be Enterprise for what you are trying to do.

You probably need to import the root certificate into the DC's cert store to establish the trust base.  You would want to do this for your users/workstations as well - GPO is usually the easiest way.
Computer Configuration
 - Windows Settings
  - Security Settings
   - Public Key Policies/Automatic Certificate Request Settings
     * Domain Controller

   - Public Key Policies/Trusted Root Certification Authorities
    - Certificates
     * Add your root cert here


Another thing you can try is from your CA: certutil -pulse

Lastly, I forget if this applies to 2008 but I think it does - it does to 2003 - see if there is a CERTSVC_DCOM_ACCESS security group.  If your CA's are not on a DC this would be a local security group on the subordinate CA.  If it is on a DC (hopefully it isn't!) then it would be a domain local group.  In this group you would want to include domain users, domain computers, and domain controllers - usually it's the DC group that is the stinker here.  If this group does not exist, you can probably ignore this.
0
 
urobins (Author) commented:
Yep it is an enterprise issuing CA.  

I don't have the certsvc_DCOM_ACCESS group in AD

A little background.  I have 7 2003 ad controllers and 1 offline root ca and 1 online enterprise issuing ca (these are 2008)  I can pull certs from the box but my AD servers did not auto-enroll.
0
 
urobins (Author) commented:
Sorry, I just re-read your comment for understanding and found the local security group on the CA; I put domain users/computers/controllers in there.  I am going to see what happens.
0
 
urobins (Author) commented:
Do I need to reboot the AD servers for them to get access?  I still can't request from the AD server and they didn't auto-enroll...

I will try rebooting tonight and repost tomorrow.
0
 
urobins (Author) commented:
I rebooted my AD servers and cert server this morning after adding computers/controllers and users to that local group on the cert server, and they are still not auto-enrolling and I still cannot enroll one locally on the server... any ideas?
0
 
Paranormastic (Cryptographic Engineer) commented:
Hmm.  Check certsrv.msc and make sure that the Domain Controller or Domain Controller Authentication template is listed in the Templates area.  If not, right click - publish template for that.  I forget if DCA template was a custom one of ours or not offhand, but I think it is standard - we have both published actually - the only difference I see is the template name / OID is different here, so either one should really be okay.

You can right-click templates there again and open Manage which will open up certtmpl.msc.  here you can check the permissions on the template itself - check to make sure everything is good for Read, Enroll and Autoenroll rights for DC's for each of your domains in the forest, and also add group Enterprise Domain Controllers.

After that, restart certificate services on the CA and then do certutil -pulse from the CA and it should push autoenrollment to start.  You can try pulsing from the DC, too, but it normally should not be needed.

Beyond that - make sure you can ping, that there aren't any software or hardware firewalls blocking anything, etc. between the DC and the issuing CA.  Since you can get other certs I don't think this will be the issue though - presuming a successful request came from one of the DC's.

Double check that you have the root CA cert installed into the trusted root store of the DC's.  You might even try importing the issuing CA cert into the Trusted Intermediates and/or Trusted Roots area as well - sometimes this helps.
0
 
Paranormastic (Cryptographic Engineer) commented:
If you happen to replicate AD over SMTP, you would also want the Directory E-mail Replication template...

Both the DCA template and the email replication template supersede the older DC template, and all are standard.

You can also try adding the SAN value - this is supposed to apply to offline DC's but might help here too.  I usually add this off the bat anyway because we like to have it enabled to include multiple names (FQDN and each hostname) in our web server certs.  It doesn't hurt to have it enabled; you will probably want it anyway if you don't already... on the CA box as admin:
CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
NET STOP certsvc
NET START certsvc

Also, check the CA MMC to see if there might be clues there.  For sanity, make sure there aren't any pending requests :0  Also check the failed request section and see if there are any clues given there.
You can filter issued certs by Certificate Template =

(NOTE: only search for one template at a time - results must meet all filter criteria as AND function, not OR...  also, you must search the OID of the template, not the friendly name- thanks again MS...)
For Domain Controller template:
1.3.6.1.4.1.311.21.8.16415017.12348357.3165076.9686054.11451735.183.2404911085.3277768367

For Domain Controller Authentication template:
1.3.6.1.4.1.311.21.8.16415017.12348357.3165076.9686054.11451735.183.1.28

For Directory Email Replication template:
1.3.6.1.4.1.311.21.8.16415017.12348357.3165076.9686054.11451735.183.1.29
0
 
urobins (Author) commented:
OK, here goes.
I checked and the templates are there, currently our only use for this is for user certs for wireless logon and smartcard logon.  Don't plan on doing secure email.  The CA is on the same subnet as the 2 primary ad servers and all can be pinged/rdc'd too etc from each other.

At this point I am really at a loss. The only failed requests I have are for auto-enrolled webservers which I am not supplying the template to right now.  I have no pending requests; the only issued certs are the CA cert for the CA itself, EFS, and the user and smartcard certs I have enrolled myself.   At this point I am completely stumped.  I know when my PKI was 2003 the AD servers all autoenrolled, but now that it was rebuilt (completely scrapped) with 2008 I don't get that auto-enroll...
0
 
Paranormastic (Cryptographic Engineer) commented:
Did you do the GPO settings from my first posting?  Sorry, I never saw a response on that.  Check through each of the Public Key Policy sections - maybe there is something more in 2008 than I have seen directly in GPO myself that might jump out at you.  Also add to that list the Autoenrollment Settings area and make sure that 'Enroll certs automatically' is enabled.  The two sub-options shouldn't really matter but it is normally advisable to select them.  Follow by bouncing certsvc again and pulsing.
0
 
urobins (Author) commented:
I will doublecheck the GPO now.  Thanks!
0
 
urobins (Author) commented:
I have that info in the GPO but still not taking.  I rebooted all of my AD servers over the weekend.  Any other ideas?
0
 
Paranormastic (Cryptographic Engineer) commented:
AD Sites and Services
Highlight the top entry
View - Show Services Node

Services - Public Key Services
Look under these nodes:

- Certification Authorities  // Make sure your root CA shows up

- Enrollment Services   //  Make sure your issuing CA shows up



Also double check that you raised your forest functional level to at least 2003 for your AD forest.

The issuing CA is in the same domain as the DC's in question, correct?
0
 
urobins (Author) commented:
Yes, the issuing CA is in the same domain and our domain has always been 2003 only.  I will check those locations.  Thanks again!!!

0
 
urobins (Author) commented:
Ok, sorry for the delay.  I checked this out and my issuing server shows up under Enrollment Services and my root shows up under Certification Authorities.  What is the best way to verify the forest functional level?  We have always been 2003 but I'm ready to check anything now... Thanks again for all of your help.
0
 
urobins (Author) commented:
I think I might have found something on this.  According to a few articles I found, 2008 uses a new GNC that is not compatible with 2003; have you heard this?  From what I read the only way around this is to rebuild and choose not to use the new GNC, or to just stick on 2003...  Any insight on this?
0
 
urobins (Author) commented:
That was the issue.  The CA I set up I set up using the new GNC, not knowing it was incompatible with previous versions of Windows.  I installed the 3 hotfixes I found that mentioned this problem

KB22706
KB938397
KB948963

on one of my AD servers and it pulled a cert after reboot.  I plan on doing the remainder of my CA's this week after some testing.   Thanks for all of your help I do appreciate it.
0
 
Paranormastic (Cryptographic Engineer) commented:
Ah - yes this does ring a bell from mid-summer...  just the first time I've actually seen it pop up as an issue.  It's not that it was set up with it, but if the root was generated with an unsupported cipher for XP then that would be it.  Vista would have been working fine.

I believe you meant NGC (Next Generation Cryptography) instead of GNC - this includes SHA-2 algorithms, elliptic curve, and a few others.  I believe this can also occur if the CA certs are created with too high of an XP-standard RSA key size like 8192 or something.
0
 
Paranormastic (Cryptographic Engineer) commented:
For posterity - KB22706 from author's post should be KB922706...
0
 
rkneeshaw commented:
Microsoft has since released yet another hotfix that may be required for those of us deploying a Windows 2008 Issuing CA to Windows 2003 R2 domain controllers:

http://support.microsoft.com/kb/968730
0
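The checks the thread walks through (Enrollment Services in AD, the trusted root and its signing algorithm, published templates, the GPO autoenrollment setting, `certutil -pulse` and the client's event log) gathered into one diagnostic script. This is an added example, not code from the thread or from Microsoft; it assumes PowerShell 2.0 on the DC, that the issuing CA is published in this forest's Configuration partition, and that the GPO autoenrollment setting lands in the AEPolicy registry value named below.

```powershell
# Added example, not from the thread: run elevated on a DC that is not autoenrolling.
# Assumptions: PowerShell 2.0 on the DC, issuing CA published in the Configuration
# partition, and the GPO autoenrollment setting stored in the AEPolicy value below.
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (V2 templates, e.g. DC Authentication)
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (V1 templates, e.g. DomainController)

# 1. Enrollment Services: the CAs AD advertises, and the templates each one publishes.
$cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es  = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
foreach ($ca in $es.Children) {
    "Issuing CA '{0}' on {1}" -f $ca.cn, $ca.dNSHostName
    foreach ($t in $ca.certificateTemplates) { "    publishes template: $t" }
}

# 2. Trusted roots in the machine store, with the signing algorithm: a 2003 DC without
#    the SHA-2 hotfixes cannot chain to a root signed with sha256RSA or similar.
foreach ($root in Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $_.Issuer }) {
    $alg  = $root.SignatureAlgorithm.FriendlyName
    $flag = if ($alg -match 'sha(256|384|512)|ECDSA') { '  <-- needs SHA-2 support on 2003' } else { '' }
    "Trusted root: {0}  [{1}]{2}" -f $root.Subject, $alg, $flag
}

# 3. Template-based certificates already in the machine store.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    foreach ($ext in $cert.Extensions) {
        if (@($v2TemplateOid, $v1TemplateOid) -contains $ext.Oid.Value) {
            # Format($false) renders e.g. "Template=Domain Controller Authentication(1.3.6.1.4.1.311.21.8...)"
            "Machine cert {0} (expires {1}): {2}" -f $cert.Thumbprint, $cert.NotAfter, $ext.Format($false)
        }
    }
}

# 4. Autoenrollment policy as delivered by GPO; bit 0x8000 in AEPolicy means 'disabled'.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if ($ae -and $ae.AEPolicy -ne $null -and (($ae.AEPolicy -band 0x8000) -eq 0)) {
    "Autoenrollment policy: enabled (AEPolicy=$($ae.AEPolicy))"
} else {
    "Autoenrollment policy: not applied or disabled - check Computer Configuration > Public Key Policies"
}

# 5. Refresh policy, trigger an enrollment pass, then read what the autoenrollment client logged.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Get-EventLog -LogName Application -Source '*AutoEnrollment*' -Newest 10 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap
```

The step 2 flag is only a heuristic for the SHA-2/CNG incompatibility the thread ended on; the autoenrollment events in step 5 give the actual error code when a request is refused.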
