clarification added to my Yes and No answers...
 
 
----- Original Message -----
Sent: Friday, November 11, 2005 3:29 PM
Subject: Re: [ActiveDir] CertSvc Error **RESOLVED**

Depends -
 
If the backup was made on a DC which was the CA - and it is a System State backup (recommended method for CAs) then Yes (you will have a problem)
If the backup was made on a DC which was the CA - and it is the CA database and key(s) then no. (you will not have a problem)
If the backup was made on a member server CA - no. (you will not have a problem)
 
BTW here was the problem......
 
 
Via the certutil -ds output we see:
 
  DomainController
    Domain Controller
as opposed to what it should look like with the OID specified like:
 
  DomainControllerAuthentication
    1.3.6.1.4.1.311.21.8.13579500.10062976.11224470.12361654.16117480.7.1.28
    Domain Controller Authentication
 
 
The DomainController template should have an attribute for msPKI-Cert-Template-OID - which it does not have.
 
I was curious - you can end up like this if you upgraded the CA to 2003 before you upgraded the schema to include the 2003 schema.. was this the case?
 
steve
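
Added example, not part of the original thread: a read-only PowerShell check for the condition described above, listing each certificate template object in Active Directory and flagging any that lack msPKI-Cert-Template-OID. The container path and the pKICertificateTemplate object class are the standard AD CS locations; the helper name Get-FirstValue and the report column names are made up for this example.

```powershell
# Added example (not from the thread). Read-only LDAP query against the
# Configuration partition; run from a domain-joined machine.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKICertificateTemplate)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.PageSize    = 500
foreach ($attr in 'cn','displayName','msPKI-Cert-Template-OID','msPKI-Template-Schema-Version') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# ResultPropertyCollection stores attribute names in lower case.
# Get-FirstValue is a hypothetical helper defined only for this example.
function Get-FirstValue($props, [string]$name) {
    $key = $name.ToLowerInvariant()
    if ($props.Contains($key)) { return [string]$props[$key][0] }
    return $null
}

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $oid = Get-FirstValue $r.Properties 'msPKI-Cert-Template-OID'
        [pscustomobject]@{
            Template      = Get-FirstValue $r.Properties 'cn'
            DisplayName   = Get-FirstValue $r.Properties 'displayName'
            SchemaVersion = Get-FirstValue $r.Properties 'msPKI-Template-Schema-Version'
            OID           = $oid
            MissingOid    = [string]::IsNullOrEmpty($oid)
        }
    }
} finally {
    $results.Dispose()   # release the unmanaged search handle
}

$report | Sort-Object Template | Format-Table -AutoSize
$missing = @($report | Where-Object MissingOid)
if ($missing.Count) {
    Write-Warning ("{0} template(s) have no msPKI-Cert-Template-OID: {1}" -f $missing.Count, ($missing.Template -join ', '))
} else {
    Write-Output 'All certificate templates carry msPKI-Cert-Template-OID.'
}
```
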
 
----- Original Message -----
Sent: Friday, November 11, 2005 12:19 PM
Subject: RE: [ActiveDir] CertSvc Error **RESOLVED**

When I logged on to the CertServ as a Domain Admin in my child domain and ran certtmpl.msc, it said I needed to be a Domain Admin and Enterprise Admin to publish new templates. I was an Enterprise Admin, but not a part of the Domain Admins group in the root domain. I then logged on as a Domain Admin/Enterprise Admin in the root domain and ran the command, which then prompted me to Upgrade the templates. No more errors.

 

Now the question is this, can I now restore my CA backup or will this cause a problem?

 

Thanks all!!!

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, November 11, 2005 2:41 PM
To: [email protected]
Subject: RE: [ActiveDir] CertSvc Error

 

Besides uninstalling the CA and going through all the issues around that, why don't you blow away the templates? If you run certtmpl.msc afterwards it will ask "This is the first time you have opened Certificate Templates, would you like to publish them in Active Directory?" Say yes and then you get fresh templates. Then just pick your template and republish it. This doesn't have a horrible effect unless everything is re-autoenrolling at the time you do this.

 

btw what kind of templates do you have published?

 

-brandon

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, November 11, 2005 2:17 PM
To: [email protected]
Subject: RE: [ActiveDir] CertSvc Error

Well, all the CAs were backed up before the uninstall. And no, this did not resolve the issue. When the service is restarted, it states that none of the policies could be loaded; one Event ID 77 warning for each template, like so:

 

Event Type:       Warning
Event Source:    CertSvc
Event Category: None
Event ID:           77
Date:                11/11/2005
Time:                10:46:04 AM
User:                N/A
Computer:         SWSAD1
Description:
The "Windows default" Policy Module logged the following warning: The EFSRecovery(v2.0): V1 Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, November 11, 2005 11:49 AM
To: [email protected]
Subject: RE: [ActiveDir] CertSvc Error

 

Was this an upgrade from W2K?

 

What error messages are you receiving on the DC?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 11, 2005 8:43 AM
To: [email protected]
Subject: Re: [ActiveDir] CertSvc Error

 

True if running in production -- thanks on the feedback of not needing to do a reinstall ...

 

Chuck

 

