I've built PKIs many times, yet this organization's results have me puzzled.

- Offline Root: 2008 R2 Standard
- 2x Enterprise Subordinate CAs: 2008 R2 Enterprise
Installed services, all is good. When I go to add v2, v3 templates they aren't available, so I Google and discover that in AD Sites & Services, under PKI Enrollment Services, if I open the properties for either of the enterprise CAs and go to attributes, the flags is set to 2. 2 represents an enterprise CA running on Std ed Windows (http://sccmguy.com/2011/01/05/after-migrating-your-ca-from-2008-standard-to-enterprise-you-still-can-not-publish-the-sccm-custom-certificates/).
If I change the value to 10 and restart, I can add templates, but autoenrollment is not working and I'm getting errors on the CAs to this effect: "The "Windows default" Policy Module logged the following warning: The CAExchange Certificate Template could not be loaded. This function is not supported on this system. 0x80070078"
Same for Computer-2008 and other templates I've created. Autoenrollment is set up correctly in GPO and permissions are good on the templates. Again - done this before, so I know those items are OK.
I've backed up one of the Enterprise CAs, uninstalled the role, then reinstalled and restored, only to come up with the same.
Figured this out myself. Turns out the Enterprise servers that were handed to me to configure PKI were actually built as 2008 R2 Standard servers that were upgraded to Enterprise. I never expected that.
We backed up the CA, wiped the server and reloaded Enterprise fresh, restored the CA and everything is working perfectly!
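
A read-only check for the symptom described in this thread, added here as an example and not part of the original posts: it lists each enrollment service object's `flags` value next to the OS edition the CA host reports, and marks hosts that report Enterprise while `flags` is 2. It assumes the ActiveDirectory PowerShell module is available and that WMI is reachable on the CA hosts; the meaning of the value 2 is taken from the question above.

```powershell
# Added example (not from the original thread). Read-only: nothing is modified.
# Assumptions: ActiveDirectory module installed, WMI reachable on each CA host.
Import-Module ActiveDirectory

# Enrollment service objects live in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

Get-ADObject -SearchBase $base `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties flags, dNSHostName |
ForEach-Object {
    $caHost = $_.dNSHostName

    # Ask the CA host which edition it is running right now.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $caHost `
                        -ErrorAction SilentlyContinue
    $edition = if ($os) { $os.Caption.Trim() } else { 'unreachable' }

    # Per the thread: flags = 2 is what an enterprise CA on Standard edition
    # shows. Seeing it on a host that reports Enterprise is the symptom.
    $mismatch = ($_.flags -eq 2) -and ($edition -match 'Enterprise')

    New-Object PSObject -Property @{
        CA       = $_.Name
        Host     = $caHost
        Flags    = $_.flags
        Edition  = $edition
        Mismatch = $mismatch
    }
} | Select-Object CA, Host, Flags, Edition, Mismatch | Format-Table -AutoSize
```

The script cannot tell whether a host was upgraded in place from Standard; it only surfaces the `flags` value and reported edition so the mismatch is visible before templates are published.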