EivindB
asked on
The DNS name is unavailable and cannot be added to the Subject Alternate name
We have a new Windows 2008 R2 domain controller in a remote site connected by VPN tunnel. All ports open between site and CA.
CA is Windows 2003 SP2 Enterprise CA.
The new DC is in DNS with all server records.
When trying to submit request to CA I get the error
Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
Denied by Policy Module
I've followed this:
by Richard Hyland
I've tried this:
by minfei
commands run on DC:
cscript reqdccert.vbs (script by MS - see first link)
certreq -new NEWDC.inf NEWDC.req
command run on CA (produces the error):
certreq -attrib "CertificateTemplate:DomainController" NEWDC.req
NEWDC.inf:
[Version]
Signature= "$Windows NT$"
[NewRequest]
Subject = "CN=NEWDC.DOMAIN.COM"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
;
; The subject alternative name (SAN) can be included in the INF-file
; for a Windows 2003 CA.
; You don't have to specify the SAN when submitting the request.
;
[Extensions]
2.5.29.17=MDSCEURDLVRSSC0wMS5CRUtLLm5voB8GCSsGAQQBgjcZAaASBBDXwNLlTQHnQrYC
_continue_=GMg5dXe9
Critical=2.5.29.17
;
; The template name can be included in the INF-file for any CA.
; You don't have to specify the template when submitting the request.
;
;[RequestAttributes]
;CertificateTemplate=DomainController
Any help appreciated
-Eivind Brenningen
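As an added example (not part of the original post and not Microsoft's reqdccert.vbs), the Python below shows how to see what a base64 2.5.29.17 value such as the one in NEWDC.inf carries, so the names in a request can be checked before it is submitted. It assumes the value is a DER GeneralNames SEQUENCE holding a dNSName and the domain controller GUID otherName (OID 1.3.6.1.4.1.311.25.1); the function names and the sample INF are constructed for illustration.

```python
import base64
import uuid

NTDS_OID = bytes.fromhex("2b0601040182371901")  # 1.3.6.1.4.1.311.25.1
# Constructed sample (dNSName newdc.domain.com, made-up GUID), not the poster's value.
SAMPLE_INF = """[Extensions]
2.5.29.17=MDOCEG5ld2RjLmRvbWFpbi5jb22gHwYJKwYBBAGCNxkBoBIEEAARIjNEVWZ3iJmq
_continue_=u8zd7v8=
Critical=2.5.29.17
"""

def san_blob(inf_text):
    """Join the 2.5.29.17 value with its _continue_ lines and return the DER bytes."""
    parts = []
    for line in inf_text.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "2.5.29.17" or (key == "_continue_" and parts):
            parts.append(value.strip('"'))
        elif parts and key and not key.startswith(";"):
            break  # any other key ends the value
    return base64.b64decode("".join(parts))

def tlvs(data):
    """Yield (tag, value) for each DER element in data; raise on truncated input."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length

def decode_san(der):
    """Return dNSName entries and DC GUID; assumes GUID bytes are in AD objectGUID order."""
    [(tag, names)] = tlvs(der)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    result = {"dns": [], "dc_guid": None}
    for tag, value in tlvs(names):
        if tag == 0x82:  # [2] dNSName
            result["dns"].append(value.decode("ascii"))
        elif tag == 0xA0:  # [0] otherName: OID, then [0] EXPLICIT value
            (_, oid), (_, wrapped) = tlvs(value)
            if oid == NTDS_OID:
                [(_, octets)] = tlvs(wrapped)
                result["dc_guid"] = str(uuid.UUID(bytes_le=octets))
    return result
```

To inspect a real request file, pass its text: `decode_san(san_blob(open("NEWDC.inf").read()))`.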
ASKER CERTIFIED SOLUTION
ASKER
Running the "cscript fixdctemplate.vbs domaincontroller" command (script provided by MS in link) solved the problem.
Thank you!
-Eivind
Follow this link: http://support.microsoft.com/kb/931351/en-us