Certificate publishing to AD question

ala...@news.postalias

Dec 6, 2006, 5:50:00 AM
Hi,

I tried to publish my standalone root CA's certificate to AD. I issued
the following command:

certutil -dspublish -f msft-ca-01.cer RootCA

Output:

ldap:///CN=LB MSFT ROOT CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=lbank,DC=msft?cACertificate

Certificate added to DS store.

ldap:///CN=LB MSFT ROOT CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=lbank,DC=msft?cACertificate

Certificate added to DS store.

CertUtil: -dsPublish command completed successfully.


But when I try to issue the following command:

certutil -dcinfo

output is:

----------------------
0: MSFT-DC-01
1: MSFT-DC-02

*** Testing DC[0]: MSFT-DC-01
** Enterprise Root Certificates for DC MSFT-DC-01
No certs in Ent Root store!
** KDC Certificates for DC MSFT-DC-01
0 KDC certs for MSFT-DC-01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

*** Testing DC[1]: MSFT-DC-02
** Enterprise Root Certificates for DC MSFT-DC-02
Certificate 0:
Serial Number: 0936df9376cc44904c99e5e489fc0398
Issuer: CN=LB MSFT ROOT CA, O=Lietuvos Bankas, S=Lietuva, C=LT, DC=lbank, DC=msft
Subject: CN=LB MSFT ROOT CA, O=Lietuvos Bankas, S=Lietuva, C=LT, DC=lbank, DC=msft
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 3b 5c 84 34 48 84 93 d5 bc 9e c4 14 d2 ad a3 7e 79 11 61 d7

** KDC Certificates for DC MSFT-DC-02
0 KDC certs for MSFT-DC-02
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
-------------

My question is: why does my first DC not have the imported certificate in
its store? The second DC has this certificate in its store :/

** Enterprise Root Certificates for DC MSFT-DC-01
No certs in Ent Root store!

I did replication.

Thanks.

Carsten Kinder [MSFT]

Dec 8, 2006, 2:51:44 AM
>
> My question is: why does my first DC not have the imported certificate in
> its store? The second DC has this certificate in its store :/
>
It might be a problem with applying group policies on the first DC.
Have you performed "certutil -enterprise -viewstore Root" to see if the root
certificate is really not there?
There are also some good troubleshooting steps documented in the following
whitepaper:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no rights.
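
An added example, not part of either post above and not Microsoft tooling: with more than a couple of DCs, the certutil -dcinfo output shown in the question can be parsed to list which DCs lack a given root in their enterprise root store. The sample text is abridged from the question's output, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the certutil -dcinfo output in the question.
SAMPLE = """\
*** Testing DC[0]: MSFT-DC-01
** Enterprise Root Certificates for DC MSFT-DC-01
No certs in Ent Root store!
** KDC Certificates for DC MSFT-DC-01
0 KDC certs for MSFT-DC-01

*** Testing DC[1]: MSFT-DC-02
** Enterprise Root Certificates for DC MSFT-DC-02
Certificate 0:
Cert Hash(sha1): 3b 5c 84 34 48 84 93 d5 bc 9e c4 14 d2 ad a3 7e 79 11 61 d7

** KDC Certificates for DC MSFT-DC-02
0 KDC certs for MSFT-DC-02
"""

DC_RE = re.compile(r"^\*\*\* Testing DC\[\d+\]: (\S+)")
HASH_RE = re.compile(r"^Cert Hash\(sha1\): ([0-9a-f ]+)", re.I)

def normalize(thumbprint):
    """Strip spaces and lowercase so '3B 5C ..' and '3b5c..' compare equal."""
    return thumbprint.replace(" ", "").lower()

def enterprise_roots_by_dc(text):
    """Map each DC to the SHA-1 hashes listed in its Enterprise Root section."""
    roots, dc, in_root = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DC_RE.match(line):
            dc, in_root = m.group(1), False
            roots[dc] = set()
        elif line.startswith("** "):
            # Only hashes under this heading count; KDC sections are skipped.
            in_root = line.startswith("** Enterprise Root Certificates")
        elif dc and in_root and (m := HASH_RE.match(line)):
            roots[dc].add(normalize(m.group(1)))
    return roots

def dcs_missing_root(text, thumbprint):
    """Return the DCs whose enterprise root store lacks the given thumbprint."""
    want = normalize(thumbprint)
    found = enterprise_roots_by_dc(text)
    return sorted(dc for dc, hashes in found.items() if want not in hashes)

if __name__ == "__main__":
    root = "3b 5c 84 34 48 84 93 d5 bc 9e c4 14 d2 ad a3 7e 79 11 61 d7"
    print("Root missing on:", dcs_missing_root(SAMPLE, root))
```

A DC reported as missing here is the one to check with the command suggested in the reply, certutil -enterprise -viewstore Root.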