Solved

Windows Certificate Authority migration from Windows 2003 to Windows 2008 fails

Posted on 2014-12-12
1
96 Views
Last Modified: 2015-04-22
Source server was Windows 2003 DC configured as an Enterprise CA.  Customer needed to move it off of the DC to Windows 2008 R2 to dcpromo the old server.

I followed all of the steps in the Technet articles and all appeared to go well, however when I tested post restore I received the following error from a client when I attempted to request a cert from a template.  The error was as follows:

Status:Unavailable
The permissions on the certificate do not allow the current user to enroll for this type of certificate.  You do not have permission to view this type of certificate.  

Found no errors in the event log.

When prepping for the migration the Technet doc stated it was sufficient to simply document with a screenshot all of the Templates which is what I did.  I found in another document that stated to use certutil to export a list of templates however it was too late.

Obviously I have missed something but what and how to I fix it without rolling back.  The customer does not want to roll back except as a very last resort.  I did notice the AD has a number of replication errors along with other problems.  Any help would be greatly appreciated.  Thanks.
0
Comment
Question by:ENTPF
1 Comment
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 40497797
You can set the auto-enroll or plain enroll permissions for users or computers with in Certificate Authority/Certificate Templates to allow users to enroll for new certificates:

http://technet.microsoft.com/en-us/library/cc753452.aspx
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question