"=?Utf-8?B?SGFycnk=?=" <(E-Mail Removed)> wrote in
news:3DFCBDA4-1160-47C3-93D9-(E-Mail Removed):
> I had a redundant server pair and added Wireless WPA-TKIP using
> IAS-EAP with Certificate.
>
> Following the Word document "Step-by-Step guide for Setting Up Secure
> Wireless Access in a TestLab" the PDC went like a charm and my
> wireless laptops get secure Internet out of thin air (auto enroll)!
>
> Wanting redundancy, I tried to enable my secondary domain
> controller as RADIUS server and just can not get a certificate from
> the enterprise root CA on the PDC. Second DC can successfully obtain
> user certificates. The PDC can see stored certificates on the
> Secondary DC.
>
> Symptoms:
> Auto-enrolling Domain Controllers give Event Source: AutoEnrollment,
> Event ID: 13 "Automatic certificate enrollment for local system failed
> to enroll for one Domain Controller certificate (0x80070005). Access
> is denied."
>
> Starting Certificates for the local computer, Request certificate, Domain
> Controller etc. gives: The certificate request failed because of the
> following conditions:
> - The certificate request was submitted to a Certification
> Authority (CA) that is not started
> - You do not have the permissions to request certificates from the
> available CAs.
>
> The CA knows nothing of the requests.
>
> How do I troubleshoot? Do I need separate certificates?
>
> Grateful for any wisdom!
> -Harry
>
Hi Harry --
After installing IAS on the second DC, did you add the IAS server to the AD
group "RAS and IAS servers"? Once you do that and you refresh group policy,
I believe that the server certificate should be installed. Once it is
installed, you can go into the IAS console, add RADIUS clients and create a
remote access policy that uses the cert for PEAP authentication.
If the cert is not visible in the IAS console, then either the cert was not
originally configured properly or it did not autoenroll. If you have that
problem, let me know and I will work through it with you next week.
But the main thing is making sure the IAS server is registered in AD by
adding it to the group.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.