In short, a Certificate Template I want to use is not available for enrollment.
The template in question is a copy of the "RAS and IAS Server" template. What's frustrating is that I've gotten this to work during testing, but on production the cert is not available. The only difference between the two is that the production environment was upgraded from a 2003 to 2008r2 forest functional level. No CA before the upgrade.
Here are the general steps I used on both setups (done with the Administrator account):
- Install the AD CS role (on a DC)
- Copy the RAS and IAS Server template.
- Rename to "Wireless Template" Assign RAS and IAS Servers permission to Enroll / Autoenroll.
- Enable "Wireless Template" on the CA Using mmc, enroll the Certificate to Local Certificates
Here's where it's inconsistent, on the lab server, the "Wireless Template" was available for enrollment. The production server gives me a permission denied message. I will admit that I may have missed some steps while trying to reproduce this on the production server. Both servers are 2008r2 enterprise, with the DC and NPS roles installed.
Best Answer
You cannot request a computer certificate on a domain controller, you can only request the domain controller certificate and a couple others fyi