lubinski - Posted July 2, 2008

Does IIS need to be installed on the CA? Can I run them as separate servers?

CoffeeFiend - Posted July 2, 2008

You can have IIS running on any server you please.

lubinski Posted July 2, 2008 Author Share Posted July 2, 2008 Thats what I thought. Wasnt sure with the way the web enrollment works. Link to comment Share on other sites More sharing options...
fizban2 - Posted July 3, 2008

IIS will need to be installed on the CA if you want to use web enrollment; you cannot host the web enrollment webpage on another IIS box.

CoffeeFiend - Posted July 3, 2008

> IIS will need to be installed on the CA if you want to web enrollment, you cannot host the web enrollment webpage on another IIS box

You can, but "the computer account must be trusted for delegation in Active Directory" as TechNet says.

We use 3rd party certificate stuff though, never really played much with Windows' own...

lubinski (Author) - Posted July 3, 2008 (edited July 3, 2008 by lubinski)

When I try to request a certificate through web enrollment it says the same: "An unexpected error has occurred: The Certification Authority Service has not been started."

It seems to have broken itself??

Anyway, I got the SSL website to work with user authenticated session certificates. Just the web enrollment broke for some reason.

My CA, IIS, and DC servers all have delegation for all services enabled.

I need the web enrollment as a way to get the root CA distributed down. This is a lab environment so I am trying to do it the "right way".

lubinski (Author) - Posted July 3, 2008

The CA server: here are some recent log entries for the certsvc:

- Could not connect to the Active Directory. Certificate Services will retry when processing requires Active Directory access.
- The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355). The Active Directory containing the Certification Authority could not be contacted.

userenv service errors:

- Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. x2

lubinski (Author) - Posted July 3, 2008

I did some research and it may be that it can't contact the domain DNS. So I checked the DC event log and here's what I found:

The DNS server was unable to complete directory service enumeration of zone contoso.local. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

?

lubinski (Author) - Posted July 3, 2008

At a dead end. Help needed & appreciated.

lubinski (Author) - Posted July 9, 2008

I have begun to think web enrollment is a POS, either that or IIS, take your pick....

CoffeeFiend - Posted July 9, 2008

> I have begun to think web enrollment is POS either that or IIS take your pick....

I've had exactly 0 issues with IIS as an app & web server. So I think I know which one I'd blame. We don't use certificate services in the first place, so I can't really say if it sucks.

cluberti - Posted July 9, 2008

It sounds more like DNS and/or AD is busted on that certsrv box, not IIS...
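
A triage sequence for the diagnosis in the last reply, as an added example that is not part of the original thread: it checks DNS, DC location and the secure channel from the CA server before looking at the CA service itself. It assumes Windows Server 2012 or later with PowerShell 3+ (newer than the systems in the thread) and uses `contoso.local`, the zone named in the DC's DNS event.

```powershell
# Added example, not from the thread. Run on the CA server in an elevated session.
# Assumption: Windows Server 2012+ / PowerShell 3+. $Domain is the zone from the DC's DNS event.
$Domain = 'contoso.local'
$checks = [ordered]@{}

# 1. DNS servers this box queries (informational). A domain member must use the
#    domain's DNS, normally the DC, not an ISP or router resolver.
$checks['DnsServers'] = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique) -join ', '

# 2. DC locator SRV record. If it cannot be resolved, AD lookups from this box fail,
#    which is consistent with status 0x8007054b (1355) in the certsvc log.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$checks['DcSrvRecord'] = [bool]$srv

# 3. DC locator itself (DNS lookup plus contact with the DC it finds).
& nltest.exe "/dsgetdc:$Domain" | Out-Null
$checks['DcLocator'] = ($LASTEXITCODE -eq 0)

# 4. Machine account secure channel to the domain.
try   { $checks['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
catch { $checks['SecureChannel'] = $false }

# 5. Only now look at the CA: is the service running, and does the CA answer?
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
$checks['CertSvcRunning'] = ($svc -and ($svc.Status -eq 'Running'))
& certutil.exe -ping | Out-Null
$checks['CaPing'] = ($LASTEXITCODE -eq 0)

$checks.GetEnumerator() | Format-Table Name, Value -AutoSize

# The checks are ordered by dependency, so the first failure is the one to fix first.
$firstFail = $checks.GetEnumerator() |
    Where-Object { ($_.Value -is [bool]) -and (-not $_.Value) } |
    Select-Object -First 1
if ($firstFail) { "First failing check: $($firstFail.Name). Fix it before restarting CertSvc." }
else            { 'All checks passed.' }
```

On older servers without these cmdlets, `ipconfig /all` and `nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.local` cover steps 1 and 2.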