This is a Windows 2003 SP1/Windows XP SP2 native Active Directory domain
with two sites.
I have a two tier PKI infrastructure, a standalone root CA servicing an
enterprise subordinate CA. I recently had to renew my sub CA certificate.
This occurred without incident, as did the autoenrollment feature on the
other computers in my LAN. However, autoenrollment is failing on the
computers in the other site. The other site has a single domain controller
and XP machines connected via VPN tunnel (Netscreen devices).
I looked at the packet dumps and it is failing on port 135 connections.
The standard SYN, SYN/ACK, ACK works fine and a connection is established on
port 135 between the computer in the other site (for this case the domain
controller) and the enterprise subCA. Then a BIND request is initiated,
followed by a bunch of TCP retransmissions. The request eventually times
out with a "Certificate Request Failed, you do not have permissions to
request certificates from the available CAs".
I would like to solve the above problem, but I have a more immediate need of
manual certificate renewal, since these certificates expire on July 7th.
What would be the command to request certificates manually on the subCA
itself? I need the "IPSec", "Domain Controller" and "Domain Controller
Authentication" certificates for computer "xxx.domainname.local".
Thanks in advance!
Edward Ray
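An added example, not part of Edward's post or any reply: a cmd.exe batch walkthrough of one manual machine-certificate enrollment with the certreq/certutil tools that ship with Windows 2003/XP. The CA config string `subca.domainname.local\Domain-Sub-CA`, the file names, and the template internal name `DomainController` are assumptions to be substituted (the internal names of the three templates named in the post can be listed on the CA with `certutil -template`). The request is generated on the domain controller so the private key never leaves it, and only the submission runs on the subordinate CA, which keeps the DCOM/RPC exchange that is failing across the VPN off the tunnel entirely.

```batch
@echo off
REM Added example, not from the original post. Manual enrollment of a
REM machine certificate when autoenrollment across the VPN fails.
REM Placeholders to replace: CA config string, host FQDN, template name.
setlocal
set CACONFIG=subca.domainname.local\Domain-Sub-CA
set HOSTFQDN=xxx.domainname.local
set TEMPLATE=DomainController

REM ---- Step 0 (from the remote site): does the CA answer at all?
REM certutil -ping walks the same path autoenrollment does (endpoint
REM mapper on TCP 135, then a dynamic RPC port), so a hang here
REM reproduces the problem without waiting for the enrollment timeout.
certutil -ping -config "%CACONFIG%"

REM ---- Step 1 (run ON the domain controller): build the CSR.
REM MachineKeySet puts the key in the local machine store; the request
REM must therefore be generated on the host that will use the cert.
REM For AD-built templates the CA overrides Subject/SAN from AD anyway.
> %TEMPLATE%.inf (
  echo [NewRequest]
  echo Subject = "CN=%HOSTFQDN%"
  echo MachineKeySet = TRUE
  echo Exportable = FALSE
  echo KeyLength = 2048
  echo [RequestAttributes]
  echo CertificateTemplate = %TEMPLATE%
)
certreq -new %TEMPLATE%.inf %TEMPLATE%.req

REM ---- Step 2 (copy %TEMPLATE%.req to the sub CA and run THERE):
REM submitting on the CA itself means the RPC traffic stays local.
certreq -submit -config "%CACONFIG%" %TEMPLATE%.req %TEMPLATE%.cer

REM ---- Step 3 (copy %TEMPLATE%.cer back to the DC and run THERE):
REM binds the issued certificate to the private key from step 1.
certreq -accept %TEMPLATE%.cer

REM Verify: the new cert should appear in the machine store with the
REM expected template name and a NotAfter date past July 7th.
certutil -store My
endlocal
```

Run the same three steps once per template. One check worth doing before step 2: the enterprise CA evaluates the template's Enroll permission against the account that submits the request, not the computer named in it, and the default "Domain Controller" templates grant Enroll only to the domain controller groups, so an administrator submitting from the CA console will get the same "you do not have permissions" error unless that account (or a group it belongs to) has Enroll on the template.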