CA Issue after AD 2008 move - Template info could not be loaded - Element Not Found

I've been searching forums everywhere for an answer!

I'll start from the top.

We recently migrated from 2003 32bit to 2008 64bit on our domain controllers. We backed up and restored the CA when we did this. Now we are having issues with Certificate Templates and AutoEnrollment. The server that we're trying to get a Cert renewal for is our Office Communication Server running on Windows Server 2003 32bit.

I also have 3 events pertaining to the issue.


- System


    - Provider

      [ Name] Microsoft-Windows-CertificationAuthority
      [ Guid] {6A71D062-9AFE-4F35-AD08-52134F85DFB9}
      [ EventSourceName] CertSvc
 
    - EventID 44

      [ Qualifiers] 49754
 
      Version 0
 
      Level 2
 
      Task 0
 
      Opcode 0
 
      Keywords 0x80000000000000
 
    - TimeCreated

      [ SystemTime] 2010-04-15T18:14:55.000000000Z
 
      EventRecordID 1461
 
      Correlation
 
    - Execution

      [ ProcessID] 0
      [ ThreadID] 0
 
      Channel Application
 
      Computer DC1.Domain.com
 
    - Security

      [ UserID] S-1-5-18
 


- EventData


    PolicyModuleDescription Windows default
    MethodName Initialize
    ErrorCode 0x80070490 (1168)
    param4 Active Directory Certificate Services could not find required Active Directory information.
    ErrorString Element not found.

 

THEN


- System


    - Provider

      [ Name] Microsoft-Windows-CertificationAuthority
      [ Guid] {6A71D062-9AFE-4F35-AD08-52134F85DFB9}
      [ EventSourceName] CertSvc
 
    - EventID 53

      [ Qualifiers] 33370
 
      Version 0
 
      Level 3
 
      Task 0
 
      Opcode 0
 
      Keywords 0x80000000000000
 
    - TimeCreated

      [ SystemTime] 2010-04-15T16:12:23.000000000Z
 
      EventRecordID 1442
 
      Correlation
 
    - Execution

      [ ProcessID] 0
      [ ThreadID] 0
 
      Channel Application
 
      Computer DC1.Domain.com
 
    - Security

      [ UserID] S-1-5-18
 


- EventData


    RequestId 19
    Reason Element not found. 0x80070490 (WIN32: 1168)
    SubjectName CN=ocs01.Domain.com, OU=Domain, O=County, L=City, S=State, C=US
    AdditionalInformation Denied by Policy Module 0x80070490, Active Directory Certificate Services could not find required Active Directory information. Resubmitted by Domain\Administrator

And Then

 


- System


    - Provider

      [ Name] Microsoft-Windows-CertificationAuthority
      [ Guid] {6A71D062-9AFE-4F35-AD08-52134F85DFB9}
      [ EventSourceName] CertSvc
 
    - EventID 77

      [ Qualifiers] 33370
 
      Version 0
 
      Level 3
 
      Task 0
 
      Opcode 0
 
      Keywords 0x80000000000000
 
    - TimeCreated

      [ SystemTime] 2010-04-15T16:12:23.000000000Z
 
      EventRecordID 1441
 
      Correlation
 
    - Execution

      [ ProcessID] 0
      [ ThreadID] 0
 
      Channel Application
 
      Computer DC1.Domain.com
 
    - Security

      [ UserID] S-1-5-18
 


- EventData


    PolicyModuleDescription Windows default
    WarningMessage The Active Directory connection to DC1.Domain.com has been reestablished to DC1.Domain.com .
netlv Asked:

Paranormastic (Cryptographic Engineer) Commented:
During the migration you created a new CA, correct? Or are you still using the original cert? If the CA was migrated instead of a new one put up, do the old CA and new CA both have the same CAName and installed on a box with the same machine name as the old?

On the CA, run this & post back what it returns:
certutil -getreg ca\CAType

From any domain connected box, open AD Sites & Services - View - Show Services Node
Expand Services - Public Key Services
Check the following:
Certificate Templates - make sure they are all listed.
Certification Authorities - make sure your root cert is listed
Enrollment Services - make sure your issuing CA that is issuing Autoenrollment certs is listed

If you just need to re-create the templates, try opening CertTmpl.msc - if there are no templates in AD then that should detect that and populate AD upon opening by an Enterprise Admin.
0
netlv (Author) Commented:
I created the new CA and restored the old CA info from Backup.
The machine name is different but the CA name is the same.

The Results are:

CATYpe REG_DWORD = 0
ENUM_ENTERPRISE_ROOTCA -- 0

The templates are there
The CA is listed
BUT there is nothing in Enrollment Services
0
Paranormastic (Cryptographic Engineer) Commented:
You need to alias the box to the old machine name if you restored the old one from backup.

This article is written for a DC, but the general idea is the same:
http://support.microsoft.com/kb/555012

Note that this requires that the old machine name not be in use anymore by another system on the network.
0
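
The checks from the exchange above (the three Public Key Services containers and the CAType registry value), as an added read-only PowerShell example that is not part of the thread. It assumes it is run on the CA server by a domain user; the function name Get-PkiContainerEntries and the host-name comparison are illustrative choices.

```powershell
# Added example, not from the thread. Read-only: nothing in AD or the registry is changed.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.Properties['configurationNamingContext'].Value
$pkiBase   = "CN=Public Key Services,CN=Services,$configNC"
# Assumption: the script runs on the CA itself, so this is the name clients must reach.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Hypothetical helper: list the direct children of one Public Key Services container.
function Get-PkiContainerEntries {
    param([Parameter(Mandatory=$true)][string]$ContainerName)
    $root     = [ADSI]"LDAP://CN=$ContainerName,$pkiBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PropertiesToLoad.AddRange([string[]]('cn', 'dnshostname'))
    foreach ($hit in $searcher.FindAll()) {
        # dNSHostName is only set on enrollment service objects; empty elsewhere.
        New-Object PSObject -Property @{
            Container   = $ContainerName
            Name        = [string]($hit.Properties['cn'] | Select-Object -First 1)
            DnsHostName = [string]($hit.Properties['dnshostname'] | Select-Object -First 1)
        }
    }
}

$containers = 'Certificate Templates', 'Certification Authorities', 'Enrollment Services'
$entries    = foreach ($c in $containers) { Get-PkiContainerEntries -ContainerName $c }

# Same view as AD Sites & Services > Services > Public Key Services.
foreach ($c in $containers) {
    $count = @($entries | Where-Object { $_.Container -eq $c }).Count
    '{0,-28} {1} object(s)' -f $c, $count
}

# The symptom reported in the thread: templates and CA present, Enrollment Services empty.
$enroll = @($entries | Where-Object { $_.Container -eq 'Enrollment Services' })
if ($enroll.Count -eq 0) {
    Write-Warning 'Enrollment Services is empty: no CA is published for enrollment.'
} elseif (-not ($enroll | Where-Object { $_.DnsHostName -eq $localFqdn })) {
    Write-Warning "No Enrollment Services object has dNSHostName $localFqdn."
    $enroll | Format-Table Name, DnsHostName -AutoSize
}

# Registry check quoted in the thread (0 = ENUM_ENTERPRISE_ROOTCA in the poster's output).
certutil -getreg ca\CAType
```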

netlv (Author) Commented:
Thanks. I'll try this tonight and I'll post back with the results.
0
netlv (Author) Commented:
What I did was back up the CA on DC01 and moved ADCS over to the DC02. The original ADCS was on DC02. We moved it to DC01 to take out and replace DC02 with Server 2008R2. After moving it back, everything is working correctly.

It never occurred to me that the server name was part of the CA. Nor were there any signs that it was the problem. Thanks for the help!
0
TursaAdmin Commented:
I had this exact same error on Server 2008 on the root CA. Element not found on the template folder. Don't know what caused it, it was working some time ago and only found it not working by chance. The subCAs don't have the problem on their template folders.
The effect is that the root CA will not renew any certs for the Subordinate CAs and subCAs will not issue a cert with a life time beyond their own. With only a week of life left on the subCA cert this was quickly becoming a serious issue.
Even though the root cert had plenty of life left I found that renewing the root CA fixed the problem. Don't understand why, but the root CA template folder shows the list of templates and now renews the subCA certs as expected.
0
Question has a verified solution.