AD Certificate Services: Can't publish Certificate to AD: Insufficient access

Background: DC1: 2008 R2, DC2: 2012 R2, Forest/Domain Level: 2008 R2.  Existing 2008 Two Tier CA installed.  New Install in parallel of 2012 R2 Two Tier CA.  So I currently have two different CAs installed (Old 2008 CA, New 2012 R2 CA).   I can issue certificates from the new 2012 R2 Sub-CA however they are not being published in AD.

Looking at the Event log on the 2012 R2 Sub-CA, I have the following:  Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 11 to the following location on server CN=Craig,OU=Employee,DC=domain,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).
ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Looking at PKIView > Manage AD Containers > Certification Authorities Container:  I see the 2008 Root CA and an expired 2008 Sub CA certificate however I do not see the new 2012 R2 CAs listed.  In the other tabs the 2012 R2 Sub-CA is listed where appropriate.
NOTE:  When I first checked PKIView I found an error associated with the DeltaCRL Location #2 which has been resolved.  I had a typo in the http url.

I checked some basic permissions which appear to be correct and ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, however I seem to be stuck with this error.

Raymond Peng (Systems Engineer) Commented:
Are you an enterprise administrator or domain admin only? I believe you need to be an enterprise admin for new CA / cert publishing.
DigitalInfuzion (Author) Commented:
Thanks for the suggestion. I have verified that the account I used to set up the CA is in the Domain Admins, Enterprise Admins and Schema Admins groups.
I wonder if the old CA is taking precedence over the new CA, can I only have 1 CA used within AD at a time?  Eventually I will be removing the old 2008 CA however I need the new 2012 R2 one to work completely before I can do that.
DigitalInfuzion (Author) Commented:
I fixed the  PKIView > Manage AD Containers > Certification Authorities Container issue by adding the root certificate via the CMD (As Admin): certutil -f -dspublish Root-CA.cer RootCA

Though the CA still is not publishing user certificates to AD DS.
DigitalInfuzion (Author) Commented:
After having someone review the configuration/permissions/etc (which were correct), we rebooted the Sub-CA which fixed the problem. Now when I issue a certificate it gets published into AD.
DigitalInfuzion (Author) Commented:
Found fix.
Ricky Chand Commented:
I had spent so much time trying to figure out what to do with these errors and it was just a matter of a reboot. Thanks guys :)
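
The Event ID 80 text quoted in the question reports one failure at three layers (HRESULT, Win32 error, LDAP result code). The following is an added example, not part of the original thread, that parses that message and checks the three codes agree, which confirms the directory itself refused the write to the target user object. The function names are hypothetical; the event text is copied from the question.

```python
import re

# Event ID 80 message text as quoted in the question on this page.
EVENT_80 = (
    "Active Directory Certificate Services could not publish a Certificate for "
    "request 11 to the following location on server CN=Craig,OU=Employee,"
    "DC=domain,DC=com.  Insufficient access rights to perform the operation. "
    "0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).\n"
    "ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 "
    "(INSUFF_ACCESS_RIGHTS), data 0"
)

FACILITY_WIN32 = 7                     # HRESULT facility for wrapped Win32 errors
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50   # RFC 4511 resultCode insufficientAccessRights

PATTERN = re.compile(
    r"for request (?P<req>\d+) to the following location on server (?P<dn>.+?)\.\s+"
    r".*?(?P<hr>0x[0-9A-Fa-f]{8}) \(WIN32: (?P<win32>\d+) (?P<name>\w+)\)\.\s*"
    r"ldap: (?P<ldap>0x[0-9A-Fa-f]+): (?P<ext>[0-9A-Fa-f]{8}):",
    re.S,
)

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    return (value >> 31) & 1, (value >> 16) & 0x7FF, value & 0xFFFF

def triage_event_80(text):
    """Extract request id, target DN and error codes from an Event 80 message."""
    m = PATTERN.search(text)
    if m is None:
        raise ValueError("not an Event ID 80 publish-failure message")
    failed, facility, code = decode_hresult(int(m["hr"], 16))
    win32, ldap, ext = int(m["win32"]), int(m["ldap"], 16), int(m["ext"], 16)
    return {
        "request_id": int(m["req"]),
        "target_dn": m["dn"],
        "win32_name": m["name"],
        "win32_code": win32,
        "ldap_result": ldap,
        # HRESULT low word, WIN32 number and LDAP extended error must all match.
        "consistent": bool(failed) and facility == FACILITY_WIN32
                      and code == win32 == ext,
        # True when the directory server, not the CA, rejected the write.
        "directory_denied_write": ldap == LDAP_INSUFFICIENT_ACCESS_RIGHTS,
    }

if __name__ == "__main__":
    for key, value in triage_event_80(EVENT_80).items():
        print(f"{key}: {value}")
```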