Fixing up a broken Microsoft CA (missing CA templates) after migrating to Server 2008

Had to do this one today; here's my entry so maybe I can remember it.

Firstly, the bulk of this information came from this post

http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/1...

Suggestion 1 in that post comes from an 'MS MVP' and says 'Don't migrate this way, it is not supported by MS', which is useless for those of us who don't want to rebuild the CA from scratch. Then, one 'Miles Li' follows up with some useful information for those of us who had to do it this way even though it 'is not officially supported.' So, thank you SO much to Miles Li here; I can't imagine how he managed to fix up these nasty details in AD DS himself, but THANK YOU!

Here is the useful section, according to him:

Please make sure that migration is supported according to the Microsoft Knowledge Base article 298138:

How to move a certification authority to another server
http://support.microsoft.com/kb/298138

For the particular Event 44 Certsrv "Element not found" error, please check the following:

1. Verify the "Authenticated Users" have Read Permissions to the following location:

"cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=,dc="

283218 A Certification Authority Cannot Use a Certificate Template
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283218

2. Check whether there is a pKIEnrollmentService Object at the following location:

"cn=,cn=Enrollment Services,cn=Public Key Services,cn=Services,cn=Configuration,dc=,dc="

If you are missing this AD Object then follow the below steps:

a) Right-clicked on "CN=Enrollment Services", then selected "New", then "Object".
b) We selected the object class "pKIEnrollmentService".
c) For the attribute "cn" we gave it the name of the Certification Authority, then clicked "Next".
d) Then clicked "Finish".
e) We then right-clicked on the new "pKIEnrollmentService" object and selected "Properties":
i. cACertificateDN = This comes from the "Subject" field of the CA's certificate.
ii. cACertificate = We got the information for this attribute by looking at another object that had the field defined within Active Directory.

You can look at the following location for the CA Certificate object:

"cn=,cn=Certification Authorities,cn=Public Key Services,cn=Services,cn=Configuration,dc=,dc="

iii. displayName = "" - We named this the same as the CA's name.
iv. dNSHostName = The server's DNS name.
v. flags = See NOTE below.

NOTE: The flags attribute needs to be configured for the type and OS version of the CA. Here are basically the different valid flags settings:

Enterprise CA running on Standard Edition of the Operating System: "2"
Enterprise CA running on Enterprise Edition of the Operating System: "10"
Standalone CA running on Standard Edition of the Operating System: "5"
Standalone CA running on Enterprise Edition of the Operating System: "9"

f) Make sure that the CA's computer object has Full Control to this object via the Security Tab.
g) We then clicked OK.
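A read-only PowerShell check of the same objects, added here as an example (it is not code from the original post or from Miles Li's reply); it assumes the ActiveDirectory module is installed and that the placeholder $CaName is replaced with the CA's common name:

```powershell
# Added example, not part of the post: read-only checks for the AD objects the steps
# above cover. Assumes the ActiveDirectory module; $CaName is a placeholder for the CA's CN.
param([string]$CaName = 'YOUR-CA-NAME')   # placeholder: replace with the CA's common name
Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiBase     = "CN=Public Key Services,CN=Services,$configNC"
$templatesDn = "CN=Certificate Templates,$pkiBase"                # step 1 location
$enrollDn    = "CN=$CaName,CN=Enrollment Services,$pkiBase"       # step 2 location
$caCertDn    = "CN=$CaName,CN=Certification Authorities,$pkiBase" # source for cACertificate

# Step 1: Authenticated Users need Read on the Certificate Templates container.
$authRead = (Get-Acl -Path "AD:\$templatesDn").Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty'
}
if (-not $authRead) { Write-Warning "Authenticated Users lack Read on $templatesDn" }

# Step 2: the pKIEnrollmentService object and the attributes set in step e).
$attrs = 'cACertificateDN', 'cACertificate', 'displayName', 'dNSHostName', 'flags'
try   { $enroll = Get-ADObject -Identity $enrollDn -Properties $attrs -ErrorAction Stop }
catch { Write-Warning "Missing pKIEnrollmentService object: $enrollDn"; return }
foreach ($a in $attrs) { if ($null -eq $enroll.$a) { Write-Warning "$a is not set on $enrollDn" } }

# flags values from the NOTE above; anything else deserves a second look.
$flagNames = @{ 2 = 'Enterprise CA, Standard Edition'; 10 = 'Enterprise CA, Enterprise Edition';
                5 = 'Standalone CA, Standard Edition'; 9 = 'Standalone CA, Enterprise Edition' }
$f = [int]$enroll.flags
if ($flagNames.ContainsKey($f)) { "flags = $f ($($flagNames[$f]))" }
else { Write-Warning "flags = $f is not one of the values listed above" }

# Step e.ii: cACertificate should match the CA certificate object's cACertificate.
function Get-Thumbprints($blobs) {
    if ($blobs -is [byte[]]) { $blobs = , $blobs }   # guard: a bare byte[] must not be unrolled
    @($blobs) | ForEach-Object {
        [Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_).Thumbprint
    }
}
try {
    $caCert = Get-ADObject -Identity $caCertDn -Properties cACertificate -ErrorAction Stop
    $a = (Get-Thumbprints $enroll.cACertificate | Sort-Object) -join ','
    $b = (Get-Thumbprints $caCert.cACertificate | Sort-Object) -join ','
    if ($a -ne $b) { Write-Warning "cACertificate on $enrollDn differs from $caCertDn" }
} catch { Write-Warning "CA certificate object not found: $caCertDn" }

# Step f: list who holds Full Control (GenericAll) on the enrollment object; the CA's computer account should be here.
$full = (Get-Acl -Path "AD:\$enrollDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'GenericAll'
}
"Full Control on ${enrollDn}: $(($full.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
```

Run it on a domain-joined machine as an account that can read the Configuration partition; each warning maps back to the numbered step it checks.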

My additional notes are that:
* After completing the steps and restarting the CA such that it no longer complains about an error with a big red 'X', the template list is still empty. So, right-click and add the templates into the list such that it is no longer empty.
* Still, after doing this it did not work immediately, but eventually it started working (the error was still showing 'no certificate templates available' when going to advanced certificate request in web certsrv interface)
** AD DS replication lag (should be short, <5 mins between the DCs where I was testing?)
** The reboot(s) did help to some degree (after 2 reboots the error was the same both times.... but maybe it helped?)
** I deleted the 'Certificate Templates' list I mentioned populating just above, and repopulated, maybe after a reboot or some restarting of services the population of the list helped?
** Perhaps it was web browser-caching issues, but that shouldn't be right and I was using 2 computers to test... so unlikely
** Finally, I did some of the troubleshooting found here, but I SWEAR I did only the diagnostic stuff to get output to text files for inspection, I changed NOTHING that is mentioned in this document, just verified stuff
http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-...

So, I'm not sure. The initial problems came when I tried to submit a specific request to facilitate fixing of another error I am going to blog about if I fix it up. It involved submission to the local domain CA via the 'advanced request' interface of the web '/certsrv' extensions that are available as part of the CA service. This is what got me into 'missing template' messages and how I ended up following this info to fix it. I am not claiming to know the exact details of how this went wrong or how what I fixed helped the systems across the board.