Active Directory Certificate Services 2012 R2 post installation help

Ryan Mignosa
I have a new Enterprise Root certificate server and need assistance configuring it. Other than installing the certificate authority and CA web enrollment roles, not much else has been done. All installation guides and videos end at the completion of the role installations. I know there's got to be more to do from application security, AD changes, and IIS security.

Currently I'm unable to browse to the website outside the server to request certificates. Also, if I run through the certificate enrollment wizard on a server I can't see the new server by default, and when I check the box to show all enrollment servers it says "you do not have permission to request certificates from this certification authority (CA). The permissions on this certification authority do not allow the current user to enroll for certificates."

I'm a member of the domain admins and enterprise admins groups.

Lastly, this server stands side by side with another Root CA. The current production CA is Windows Server 2003 and needs to be retired.
Once I get the new CA working and tested, the old one will be decommissioned.
Ganesh Anand, Lead Technical Consultant
Please go through the following article for configuring a root enterprise CA for an AD forest on Windows Server 2012. The link below provides step-by-step instructions to configure a Root CA, a Standalone CA, and a few other roles.

This guide provides a step-by-step stand-alone two-tier root CA:

If you need step-by-step instructions with screenshots for configuring a root CA:

A YouTube video
Ryan Mignosa, Systems Engineer

Thank you for the links provided, Ganesh.

What really helped was the portion that spoke about how long it takes for new templates to be available for use.
This is what happened in my case. After configuring the new root CA I immediately started testing. Unfortunately I couldn't see the new root CA from the client enrollment wizard, or it was greyed out. I tried this for 2-3 hours and finally went home.
When I got into the office the next morning I found that all my domain controllers had auto-enrolled and I was able to create a cert using the wizard.

Thanks again
Ganesh Anand, Lead Technical Consultant

Yes, you are right, it takes time to auto-enroll. Also, if you want to speed up, you need to restart the root CA. I am glad your problem is resolved. Good luck to you.
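The two things the thread turns on, whether the new CA and its templates are visible to clients and whether the current user holds the Enroll right on the template, can be checked directly instead of waiting overnight. The following PowerShell is an added example, not code posted by either participant; it assumes a domain-joined machine with the RSAT ActiveDirectory module, a domain-admin session, and a template name (`User` here) that you substitute with the one you are testing.

```powershell
# Added example (not from the thread): post-install checks for a new enterprise
# CA. Assumes RSAT (ActiveDirectory module) and a domain admin session; the
# template name below is an assumption to be replaced.
Import-Module ActiveDirectory

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Which enterprise CAs are published in AD? A CA that is missing here cannot
#    be listed by the enrollment wizard or used by autoenrollment at all.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                    -Filter { objectClass -eq 'pKIEnrollmentService' } `
                    -Properties dNSHostName, certificateTemplates
foreach ($ca in $cas) {
    "CA {0} on {1} publishes templates: {2}" -f $ca.Name, $ca.dNSHostName,
        ($ca.certificateTemplates -join ', ')
}

# 2. Does each CA answer over DCOM, and which templates does it actually issue?
foreach ($ca in $cas) {
    $config = "$($ca.dNSHostName)\$($ca.Name)"
    certutil -config $config -ping
    certutil -config $config -CATemplates
}

# 3. Who holds Enroll / AutoEnroll on the template? The wizard's "you do not
#    have permission to request certificates" text reflects this ACL on the
#    template object (together with the CA's own Request Certificates right).
$enrollGuid     = '0e10c968-78fb-11d1-a4d0-00c04fb6e80a'  # Certificate-Enrollment right
$autoEnrollGuid = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment right
$templateName   = 'User'   # assumption: replace with the template under test
$acl = Get-Acl -Path "AD:\CN=$templateName,CN=Certificate Templates,$pkiBase"
$acl.Access |
    Where-Object { $_.ObjectType.ToString() -in $enrollGuid, $autoEnrollGuid -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType.ToString() -eq $enrollGuid) { 'Enroll' } else { 'AutoEnroll' } } }

# 4. Clients pick up new CAs and templates only when Group Policy and the
#    autoenrollment task next run; trigger both now instead of waiting.
gpupdate /target:computer /force
certutil -pulse          # run the machine autoenrollment task
certutil -user -pulse    # and the one for the current user

# Ganesh's suggestion of restarting the CA service, if you want to force the
# CA side to reload its template list, is:
# Restart-Service CertSvc
```

Step 3 is the one to read when the wizard reports a permissions error: if neither the user's groups nor Authenticated Users appear with Enroll on the chosen template, the template ACL (or the CA's own security tab) is the cause rather than replication delay. Step 4 reproduces what happened overnight in the thread, where the domain controllers auto-enrolled on their next scheduled pass.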

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial