Enterprise CA option is greyed out / unavailable

Quite often, when installing Active Directory Certificate Services, people find that they cannot choose to install an Enterprise Certification Authority because the option is greyed out (unavailable), as in the screenshot that originally accompanied this post:

Well, first you need to fulfil the basic requirements:
  • The server has to be a member server (domain joined). A standalone (workgroup) machine can only host a Standalone CA.
  • An Enterprise CA can run on the Standard, Enterprise or Datacenter edition of Windows Server. On Windows Server 2008 the edition decides how many AD CS features and components can be enabled (for example, custom version 2 and 3 certificate templates need Enterprise or Datacenter); from Windows Server 2008 R2 and 2012/2012 R2 onwards the editions no longer differ for AD CS.
  • To install an Enterprise CA, the installing account must be a member of either Enterprise Admins or Domain Admins in the forest root domain (directly or through group nesting). Domain Admins of a child domain is not enough.

If the issue still persists, the server is most likely unable to determine (or to use) the correct credentials and group membership of your account. Many things can cause that (network blockage, domain settings, server configuration and other issues). In every case I have seen, the following troubleshooting helped:
  • First of all, carefully re-check all of the requirements above.
  • Secondly, install all available patches and Service Packs through Windows Update before trying to install the Enterprise CA again.
  • Check the network settings on the CA server. If no DNS server (or a DNS server that does not host the AD zones) is configured, the CA server cannot locate a Domain Controller and therefore cannot find the domain.
  • Sufficient privileges to write the Enterprise CA configuration into the AD Configuration partition are required, so determine whether you are a member of Enterprise Admins or of Domain Admins in the forest root domain. Think about the account you are currently using to install AD CS: you may be sure that your account is in the Enterprise Admins group, but check how the CA server "sees" your membership, because the wizard looks at the groups in your logon token, not at AD. Type
    whoami /groups
    and look for Enterprise Admins (SID ending in -519) or the forest root's Domain Admins (SID ending in -512). If the membership was added after you logged on, it is not in your token yet: log off and on again.
  • You also need to be a member of the local Administrators group. Without it you could not add roles in Server Manager at all, but it still needs to be checked; in a non-elevated session whoami /groups shows BUILTIN\Administrators as "Group used for deny only", so run the check from an elevated prompt.
  • View the %windir%\certocm.log file. There you can find helpful details on problems with group membership. For example, a status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the required memberships are not in effect.
  • Don't forget to check the Event Viewer (System and Application logs) on the CA server and look for errors around the time of the installation attempt.
  • Verify that network devices or software/hardware firewalls are not blocking traffic between the server and the Domain Controllers (LDAP, Kerberos, RPC and SMB are needed). If they are, the CA server cannot communicate correctly with the domain. To check the secure channel, simply run
    nltest /sc_verify:DomainName
  • Check also whether the CA server is talking to a writable Domain Controller. A read-only DC is not sufficient, because the installation writes to the Configuration partition; nltest /dsgetdc:DomainName /writable shows whether one can be found.
  • Enterprise Admins is the most powerful group and has the full-control permissions AD CS requires by default, but who knows, maybe someone changed the default permissions? Run adsiedit.msc on a Domain Controller, connect to the Configuration naming context and first of all check that the container CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com exists. If it does, check the permissions on all sub-containers under Public Key Services and make sure the Enterprise Admins group has Full Control. The main sub-containers to verify are Certificate Templates, OID and KRA (the others are AIA, CDP, Certification Authorities, Enrollment Services and NTAuthCertificates).
If none of the above tips help, remove the server from the domain and join it again. As a last resort, reinstall the operating system on the CA server.
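The manual checks above can be run in one go before opening the Add Roles wizard. The script below is an added example, not part of the original post: it runs on the prospective CA server in an elevated PowerShell session (PowerShell 3.0 / Windows Server 2012 or later for Resolve-DnsName and Test-ComputerSecureChannel), reports the same facts the steps above ask you to look at, and checks group membership by well-known SID rather than by name, exactly as the server's token sees it. The list of sub-containers it inspects and the choice of GenericAll as "Full Control" are assumptions taken from the defaults; adjust them if your forest differs.

```powershell
# Added example (not from the original post): pre-flight checks for the Enterprise CA option.
# Run elevated on the server that will become the CA.
$results = [ordered]@{}

# 1. The server must be domain joined (otherwise only a Standalone CA is possible).
$cs = Get-CimInstance Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain
if (-not $cs.PartOfDomain) { [pscustomobject]$results; return }
$domainName = $cs.Domain

# 2. DNS must resolve the DC locator SRV record, or the domain cannot be found at all.
$dcSrv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domainName" -ErrorAction SilentlyContinue
$results['DnsFindsDC'] = [bool]$dcSrv

# 3. Secure channel to a DC (same thing nltest /sc_verify checks).
$results['SecureChannelOK'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 4. A *writable* DC must be reachable; an RODC alone is not enough for the installation.
$null = & nltest.exe "/dsgetdc:$domainName" /writable 2>&1
$results['WritableDCFound'] = ($LASTEXITCODE -eq 0)

# 5. Membership as the logon token sees it. Enterprise Admins is <forest root SID>-519 and
#    Domain Admins of the forest root is <forest root SID>-512; local Administrators is S-1-5-32-544.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDE  = $forest.RootDomain.GetDirectoryEntry()
$rootSid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$rootDE.Properties['objectSid'].Value), 0)
$required  = @("$rootSid-519", "$rootSid-512")
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
$results['ForestAdminInToken'] = [bool]($required | Where-Object { $tokenSids -contains $_ })
$results['LocalAdminInToken']  = ($tokenSids -contains 'S-1-5-32-544')   # filtered out of the token unless elevated

# 6. Public Key Services container and Enterprise Admins' Full Control on its main sub-containers.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = "$($rootDse.configurationNamingContext)"
$pksPath  = "LDAP://CN=Public Key Services,CN=Services,$configNC"
$results['PKSExists'] = [System.DirectoryServices.DirectoryEntry]::Exists($pksPath)
if ($results['PKSExists']) {
    # Translate the SID so the comparison works regardless of the NetBIOS domain name.
    $eaAccount = (New-Object System.Security.Principal.SecurityIdentifier("$rootSid-519")).Translate([System.Security.Principal.NTAccount]).Value
    $genericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($child in 'Certificate Templates', 'OID', 'KRA') {   # assumption: default sub-container names
        $childPath = "LDAP://CN=$child,CN=Public Key Services,CN=Services,$configNC"
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($childPath)) {
            $results["EA_FullControl_$child"] = 'container missing'
            continue
        }
        $entry = [ADSI]$childPath
        $full = $entry.ObjectSecurity.Access | Where-Object {
            $_.IdentityReference.Value -eq $eaAccount -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
        }
        $results["EA_FullControl_$child"] = [bool]$full
    }
}

# 7. Last "unavailable reason" the wizard logged, if the log exists.
$log = Join-Path $env:windir 'certocm.log'
if (Test-Path $log) {
    $hit = Select-String -Path $log -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON' | Select-Object -Last 1
    $results['CertocmUnavailReason'] = if ($hit) { $hit.Line.Trim() } else { 'none logged' }
}

[pscustomobject]$results
```

Every row should come back True (and CertocmUnavailReason should show no NO_INSTALL_RIGHTS entry) before the Enterprise CA option will be selectable. A False on ForestAdminInToken while you are sure of the AD membership usually means the membership was granted after logon, so log off and on again and re-run.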
