Certificate Services cannot add a CA certificate to Active Directory
Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.
Enable AD CS to add a CA certificate to Active Directory Domain Services
To enable Active Directory Certificate Services (AD CS) to add the certification authority (CA) certificate identified in the event log message to Active Directory Domain Services (AD DS):
Confirm that the CA has permissions to essential AD DS containers and objects.
Determine if the CA certificate exists in the AIA container.
If it does not exist, publish the CA certificate to the AIA container manually.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Confirm permissions on essential AD DS containers and objects
To confirm that the CA has needed permissions on AD DS containers and objects within these containers:
On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
On the View menu, click Show Services Node.
Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties.
On the Security tab, confirm the required permissions.
The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.
Enrollment Services container. The CA computer has Read and Write access to its own object.
AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.
CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
KRA container. The CA computer has Full Control access on its own object.
OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.
Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Determine if the CA certificate exists in the AIA container
To view the contents of the AIA container in AD DS:
On a domain controller, click Start, type cmd and press ENTER.
Type certutil -cainfo and press ENTER.
In the output of the command, note the property listed after Sanitized Short Name.
Then, type the following command and press ENTER:
certutil -viewstore ldap:/// CN=<MyCA>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com>?cACertificate?base?objectclass=certificationAuthority
Replace MyCA with the Sanitized Short Name property from the earlier command and replace contoso and com with the Lightweight Directory Access Protocol (LDAP) distinguished name of your Active Directory root domain.
If the CA certificate does not appear in the AIA container and you have the required permissions, use the following procedure to publish the CA certificate.
Publish a CA certificate manually
To publish the CA certificate manually to AD DS:
On a CA, click Start, type cmd and press ENTER.
For a root CA certificate, type the following command and press ENTER: certutil [-f] -dspublish <CAcert.cer> RootCA
For a subordinate CA certificate, type the following command and press ENTER: certutil [-f] -dspublish <CAcert.cer> SubCA
Replace <CAcert.cer> with the name of a certificate file. The "-f" flag re-creates the object even if it has been deleted.
To check the connection between a CA and Active Directory Domain Services (AD DS):
Open a command prompt window on the computer hosting the CA.
Type nltest /sc_verify: [domainname] and press ENTER.
Use the following procedure to confirm permissions on essential AD DS containers and objects.
Replace [domainname] with the name of the namespace in which the CA is installed.
Confirm permissions on essential AD DS containers and objects
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To confirm that the CA has necessary permissions on AD DS containers and objects within these containers:
On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
On the View menu, click Show Services Node.
Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties.
On the Security tab, confirm the required permissions.
The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.
Enrollment Services container. The CA computer has Read and Write access to its own object.
AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.
CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
KRA container. The CA computer has Full Control access on its own object.
OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.
Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.
| Target | Microsoft.Windows.CertificateServices.CARole.2008 | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event_ID | 106 | ||
| Event Source | Microsoft-Windows-CertificationAuthority | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | High | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
| WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
| WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
Home<Rule ID="Microsoft.Windows.CertificateServices.CARole.2008.CertSvcEvents.106" Enabled="true" Target="CS!Microsoft.Windows.CertificateServices.CARole.2008" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">106</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageID4f12f8d124ed4ece99544c9a9730fa37"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>