Share via


Event ID 93 — AD CS Active Directory Domain Services Connection

Applies To: Windows Server 2008 R2

Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.

Event Details

Product: Windows Operating System
ID: 93
Source: Microsoft-Windows-CertificationAuthority
Version: 6.1
Symbolic Name: MSG_CA_CERT_NO_IN_AUTH
Message: The certificate (#%1) of certification authority %2 does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. The directory replication may not be completed.

Resolve

Ensure that AD CS can publish the CA certificate to the NTAuth store

To resolve this problem:

  • Confirm permissions on the NTAuth store.
  • Check the NTAuth store and, if necessary, publish the certification authority (CA) certificate manually.

If you have trouble locating the CA certificate in order to publish it to the NTAuth store, use the procedure in the "Locate the CA certificate file on a computer" section before publishing it to the NTAuth store.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm NTAuth store permissions

To check the permissions of the CA on the NTAuth container:

  1. On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. Click Active Directory Sites and Services [domainname]  where [domainname] is the name of your domain.
  3. On the View menu, click Show Services Node.
  4. Double-click Services, double-click Public Key Services, right-click NTAuthCertificates, and click Properties.
  5. Click the Security tab, and then confirm that the computer hosting the CA has Read permissions.

Confirm contents of the NTAuth store

To check the contents of the NTAuth store in Active Directory Domain Services (AD DS):

  1. At a command prompt, type certutil -viewstore ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com> and press ENTER.

    Replace <contoso> and <com> with the namespace of your Active Directory root domain.

  2. If the CA certificate is not listed in the output, add it manually by typing the following command: certutil -dspublish  <cert.cer> ntauthca and pressing ENTER.

    Replace <cert.cer> with the CA certificate file.

Locate the CA certificate file on a computer

To locate the CA certificate file on the local file system:

  1. Open a command prompt window.
  2. Type certutil -getreg CA\CACertPublicationURLs and press ENTER.

By default, this file is stored in %systemroot%\system32\certsrv\certenroll.

Verify

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To check the connection between a CA and Active Directory Domain Services (AD DS):

  1. Open a command prompt window on the computer hosting the CA.
  2. Type nltest /sc_verify: [domainname] and press ENTER.
  3. Use the following procedure to confirm permisssions on essential AD DS containers and objects.

Replace [domainname] with the name of the namespace in which the CA is installed.

Confirm permissions on essential AD DS containers and objects

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To confirm that the CA has necessary permissions on AD DS containers and objects within these containers:

  1. On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
  3. On the View menu, click Show Services Node.
  4. Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties.
  5. On the Security tab, confirm the required permissions.

The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.

  • Enrollment Services container. The CA computer has Read and Write access to its own object.
  • AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.
  • CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
  • Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
  • Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
  • KRA container. The CA computer has Full Control access on its own object.
  • OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
  • NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.
  • Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.

AD CS Active Directory Domain Services Connection

Active Directory Certificate Services