PKI and Child Domain Issues

    Question

  • I have a root CA in my parent domain.

    I have a child domain that has some crazy routing issues that I cannot change.

    I have a sub CA in the child domain.

    Autoenrollment or manual enrollment via MMC works fine in the parent domain.

    Autoenrollment or manual enrollment via MMC will not work in the child domain. (Note: servers are in one VLAN, clients in another, firewall fully open between the 2.)

    When I use the default LDAP policy for the child domain clients, I am curious as to what domain it is looking for. The child client fails when trying to request a cert in the MMC with the default LDAP policy.

    The child clients cannot talk to the root domain but can talk to the child servers without issues. 


    It's not the load that breaks you down it's the way you carry it. ~Lou Holtz~

    Friday, March 30, 2012 12:41 PM

Answers

  • I would go back to doing a network trace. Try it first from a client connected to the root domain subnet and see what communication takes place to obtain the certificate template list. Then repeat the process from a client in the child domain and see where the differences are. The list of templates should be available from any DC as they exist in the configuration NC. It shouldn't be necessary to contact a DC in the root domain, which given the message you are receiving, may be the case.

    Steve G

    • Marked as answer by Bruce-Liu Friday, April 06, 2012 5:48 AM
    Friday, March 30, 2012 7:57 PM

All replies

  • First, have you looked in the firewall log if any packets to or from CA in child domain are blocked?
    You write that the firewall is fully open, still verify the firewall log. Please explain "crazy routing issues"

    Is it a Windows 2008 R2 Enterprise issuing CA in the child domain?



    www.twitter.com/danielullmark

    Friday, March 30, 2012 1:06 PM
  • I have the firewall on the servers and the clients turned off. 

    The clients sit on a 172 subnet (I cannot change); child servers sit on a 10.23.0.0 network.

    root is on another 10.2 network. 172 can talk to 10.32 but not 10.2. 10.2 can talk to 10.32 with no issues. 

    The root ca is on 10.2 and sub is on 10.32. 

    I am curious if the client is looking for the subordinate ca or the root ca.  When I try to enroll it says the domain cannot be found or contacted.


    It's not the load that breaks you down it's the way you carry it. ~Lou Holtz~


    Friday, March 30, 2012 3:08 PM
  • Hi, Robert,

    The enrolment process happens in two stages: initially a client will need to talk LDAP to any domain controller in the forest to obtain a list of certificate templates, then once the template is chosen, the enrolment is done via RPC/DCOM.

    Is your client successfully retrieving a list of certificate templates, or does it fail when the template is selected?

    Steve G

    Friday, March 30, 2012 5:33 PM
  • It shows me the Enrollment Policy with Active Directory Enrollment Policy then click next and it fails with enrollment error. The specified domain either does not exist or could not be contacted.  

    I know the client can see the domain controller in the 10.32 subnet, as I have done a network mon and it shows it sending and receiving packets from the DC (one of which is the CA).


    It's not the load that breaks you down it's the way you carry it. ~Lou Holtz~

    Friday, March 30, 2012 5:45 PM
  • Hi, Robert,

    A few quick questions:

    1. Are the certificate templates published at both the root CA and the child CA (I'm assuming the root CA is online)?

    2. What is the Active Directory site and subnet configuration of the affected clients and servers?

    3. Open Active Directory Sites and Services, select View / Show Services Node from the menu, expand Services, expand Public Key Services, then click on Enrollment Services. Right-click the child CA in the right-hand pane, select Properties and click the Attribute Editor tab [1]. Can you see the certificate templates you are expecting in the certificateTemplates attribute?

    [1] I'm assuming you are using Windows Server 2008 R2. If not, you may have to do step 3 using ADSIEdit or LDP.

    Steve G

    Friday, March 30, 2012 7:10 PM
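An added diagnostic script (not from the thread or from Microsoft) that exercises both halves of the enrollment flow Steve G describes: it reads the child CA's Enrollment Services object from the configuration NC through a domain controller you name explicitly, lists its certificateTemplates attribute (step 3 above, without the GUI), and then checks whether the RPC endpoint mapper on the CA host is reachable from the client. The DC name and CA common name are placeholders for your environment.

```powershell
# Added example, not from the thread. Run on an affected client as a domain user.
# Assumptions: $ChildDc is a DC in the child domain the client CAN reach;
# $CaCommonName is the CN of the issuing CA's pKIEnrollmentService object.
function Test-ChildCaEnrollmentPath {
    param(
        [string]$ChildDc      = 'dc1.child.example.com',   # placeholder
        [string]$CaCommonName = 'Child-Sub-CA'             # placeholder
    )

    # Bind to the named DC directly, bypassing the DC locator, so the test
    # proves what THIS DC can answer rather than whatever DC Windows picked.
    $rootDse  = [ADSI]"LDAP://$ChildDc/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext

    # Enrollment Services objects live in the configuration NC, which every DC
    # in the forest replicates, so a child-domain DC must hold this on its own.
    $caDn   = "CN=$CaCommonName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $caObj  = [ADSI]"LDAP://$ChildDc/$caDn"
    if (-not $caObj.distinguishedName) {
        throw "No Enrollment Services object '$CaCommonName' found via $ChildDc"
    }

    $caHost    = [string]$caObj.dNSHostName
    $templates = @($caObj.certificateTemplates)

    # Stage 2 of enrollment is RPC/DCOM to the CA host: TCP 135 (endpoint
    # mapper) must be reachable from the client subnet; dynamic ports follow.
    $rpcOpen = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($caHost, 135)
        $rpcOpen = $tcp.Connected
        $tcp.Close()
    } catch { $rpcOpen = $false }

    [pscustomobject]@{
        ConfigNC      = $configNc
        CaHost        = $caHost
        TemplateCount = $templates.Count
        Templates     = ($templates -join ', ')
        Rpc135Open    = $rpcOpen
    }
}

Test-ChildCaEnrollmentPath | Format-List
```

If the LDAP bind to the child DC returns the templates but Rpc135Open is false, the failure is in the RPC/DCOM stage rather than template discovery; if the bind itself fails, the child DC is not serving the configuration NC to that client.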
  • Yes, all of the templates are there.

    Yes, it is R2.

    The clients and child servers are in the same site. The root server is in another site. It is online.


    It's not the load that breaks you down it's the way you carry it. ~Lou Holtz~
    Friday, March 30, 2012 7:32 PM
  • I will be testing again on Monday. I will let you know if I see anything. I did a trace before and it did query all of the domain controllers in the root domain. They did not reply (they have no connectivity). I have changed some settings, but the clients will not be back online till Monday. I will update this when I have more information.

    It's not the load that breaks you down it's the way you carry it. ~Lou Holtz~

    Friday, April 06, 2012 1:56 PM