Child Domain Account unable to enroll certificate from Enterprise CA in Root domain

Danish Batliwala 0 Reputation points
2024-07-20T11:57:36.88+00:00

I have a child domain account which is unable to enroll a certificate from the CA server in the root domain. The enrollment error is as follows:

[User's image: enrollment error]

I followed all the Microsoft documents, and all permissions and firewall-related settings are in place, so no issues with that. However, when I checked the event log on the CA server, I found a logon failure log right at the time of enrollment for that user account.

[User's image: logon failure event on the CA server]

The error code means STATUS_DOMAIN_TRUST_INCONSISTENT. This account is able to log on to other domain member servers which are in the same domain as the CA server.

Please help


Yanhong Liu 12,420 Reputation points Microsoft Vendor
2024-07-22T08:46:42.4966667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Based on the information you've provided, it seems like the issue might be related to a trust relationship between the child domain and the root domain. The error code STATUS_DOMAIN_TRUST_INCONSISTENT usually indicates that there's a problem with the trust relationship between the two domains. Here are a few suggestions:

    1. Check the Trust Relationship: Verify the trust relationship between the child domain and the root domain. You can do this by using the Active Directory Domains and Trusts snap-in. If the trust relationship is broken, you might need to re-establish it.
    2. Check the User Account: Make sure that the user account in the child domain has the necessary permissions to request a certificate from the CA server in the root domain.
    3. Check the CA Server: Ensure that the CA server is configured to issue certificates to user accounts in the child domain. You might need to modify the certificate templates or the CA server's policy settings.
    4. Check the Network Connectivity: Verify that there's no network connectivity issue between the child domain and the root domain. You can do this by using the ping command or the tracert command.
    5. Check the Event Logs: Look for any related error messages or warnings in the Event Viewer on the CA server and on the domain controller in the child domain. This might give you more information about the problem.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

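As an added example (not part of the question or of the answer above), the following PowerShell script automates checks 1 and 5 from the answer on the CA host: it lists the trusts seen from the root domain, verifies the trust to the child domain with netdom, and decodes recent 4625 logon failures for the affected account so that the STATUS_DOMAIN_TRUST_INCONSISTENT status (NTSTATUS 0xC000019B) stands out. The domain and user names are placeholders; it assumes the ActiveDirectory RSAT module and an elevated session on the CA server.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, an elevated session on the CA server in the root domain, and that
# the three placeholder values below are replaced with real names.
param(
    [string]$ChildDomain = 'child.example.com',   # placeholder
    [string]$RootDomain  = 'example.com',         # placeholder
    [string]$UserName    = 'enrollee'             # placeholder: failing account
)
Import-Module ActiveDirectory

# Check 1: trust relationship. List the trusts as seen from the root domain,
# then verify the secure channel of the parent/child trust (netdom ships
# with Windows Server).
Get-ADTrust -Filter * -Server $RootDomain |
    Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive |
    Format-Table -AutoSize
netdom trust $RootDomain /domain:$ChildDomain /verify

# Check 5: event logs. Pull the last day of logon failures (event 4625) on
# this host, keep those for the affected user, and decode the NTSTATUS
# fields. 0xC000019B is STATUS_DOMAIN_TRUST_INCONSISTENT, the status the
# question names; a match confirms the trust path, not the CA, is failing.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ieq $UserName) {
            [pscustomobject]@{
                Time              = $_.TimeCreated
                User              = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType         = $d.LogonType
                Status            = $d.Status
                SubStatus         = $d.SubStatus
                TrustInconsistent = ($d.Status -ieq '0xC000019B' -or $d.SubStatus -ieq '0xC000019B')
                Source            = $d.IpAddress
            }
        }
    } | Format-Table -AutoSize
```

If netdom reports the trust as verified but the 4625 events still carry 0xC000019B, compare the trust password/secure channel on the child domain's DCs next, since a stale trust secret on one side produces exactly this inconsistency.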
