Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

The DNS name is unavailable and cannot be added to the Subject Alternate name

Posted on 2011-02-11
3
Medium Priority
?
12,357 Views
Last Modified: 2012-06-27
We have a new Windows 2008 R2 domain controller in a remote site connected by VPN tunnel. All ports open between site and CA.
CA is Windows 2003 SP2 Enterprise CA.

The new DC is in DNS with all server records.

When trying to submit request to CA I get the error
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module

I've followed this:
by Richard Hyland

I've tried this:
by minfei

commands run on DC:
cscript reqdccert.vbs (script by MS - see first link)
certreq -new NEWDC.inf NEWDC.req

Open in new window


command run on CA (produces the error):
certreq -attrib "CertificateTemplate:DomainController" NEWDC.req

Open in new window




NEWDC.inf:
[Version]
Signature= "$Windows NT$"

[NewRequest]
Subject = "CN=NEWDC.DOMAIN.COM"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
;
; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
;
[Extensions]
2.5.29.17=MDSCEURDLVRSSC0wMS5CRUtLLm5voB8GCSsGAQQBgjcZAaASBBDXwNLlTQHnQrYC
_continue_=GMg5dXe9
Critical=2.5.29.17
;
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.
;
;[RequestAttributes]
;CertificateTemplate=DomainController

Open in new window



Any help appreciated

-Eivind Brenningen
0
Comment
Question by:EivindB
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 34869921
could you try to add the subject alternate name attribute on your CA before requesting your certificate?
Follow this link: http://support.microsoft.com/kb/931351/en-us
0
 
LVL 11

Accepted Solution

by:
Old User earned 2000 total points
ID: 34870021
0
 
LVL 1

Author Closing Comment

by:EivindB
ID: 34870184
Running the "cscript fixdctemplate.vbs domaincontroller" command (script provided by MS in link) solved the problem.

Thank you!

-Eivind
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question