Domain Controllers group not reflected in domain controllers credentials

Posted by Molotch on Server Fault See other posts from Server Fault or by Molotch
Published on 2011-01-11T15:16:40Z Indexed on 2011/01/11 15:55 UTC
Read the original article Hit count: 819

Filed under:

active-directory

|

domain-controller

|

kerberos

I set up a small testlab in vbox consisting of four servers. Two domain controllers dc01, dc02, one offline root ca and one online enterprise sub ca, ca01.

All servers are based on Windows Server 2008 R2 Standard.

Everything works as excpected except one thing. If I issue a certificate template with read, enroll and autoenroll rights to the security group "domain controllers" it does not let dc01 or dc02 to enumerate or enroll for the certificate.

I've restarted both domain controllers several times to update their credential tokens with the correct group memberhips.

So I added dc01 to the "domain computers" group and gave that group read, enroll and autoenroll rights in the template, bam, the certificate was issued.

So my question is, why isn't the domain controllers group memberhips reflected in the domain controllers (dc01 and dc02) credentials?

Can I view the computers credentials somehow and how should I go about trying to resolve the issue?

© Server Fault or respective owner

Related posts about active-directory

Can't join OS X Mavericks to AD Domain

as seen on Server Fault - Search for 'Server Fault'
I'm attempting to join an OS X Mavericks (10.9) client to a Windows Server 2008 Active Directory domain, however the bind fails with this error in the OS X client's system.log: Oct 24 15:03:15 host.domain.com com.apple.preferences.users.remoteservice[5547]: -[ODCAddServerSheetController handleOtherActionError:… >>> More
Retrieve user details from Active Directory using SID

as seen on Server Fault - Search for 'Server Fault'
Hi, How can I find a user in my AD when I have his/her SID. I don't want to rely on other attributes, since I am trying to detect changes to these. Example: I get a message about a change to user record containing: Message: User Account Changed: Target Account Name: test12 Target… >>> More
Retrieve user details from Active Directory using GUID

as seen on Server Fault - Search for 'Server Fault'
Hi, How can I find a user in my AD when I have his/her GUID. I don't want to rely on other attributes, since I am trying to detect changes to these. >>> More
Retrieve user details from Active Directory using GUID [closed]

as seen on Super User - Search for 'Super User'
Hi, How can I find a user in my AD when I have his/her GUID. I don't want to rely on other attributes, since I am trying to detect changes to these. >>> More
Office365 DirSync Active Directory Integration

as seen on Server Fault - Search for 'Server Fault'
I am preparing to deploy Office365 for my organization. We have an on premise Active Directory Domain Controller (Windows Server 2012 R2). We would like to leverage our Active Directory for: automatic user provisioning in Office365, and password synchronization, using the DirSync tool. Our Active… >>> More

Related posts about domain-controller

Windows Clients: Windows or Linux Domain Controller?

as seen on Server Fault - Search for 'Server Fault'
I'm planning to set up a domain controller for our small computer laboratory. I'm a little confused as to what operating system to use for our domain controller. What's in the lab: The lab has 25 units running a mix of Windows 7 and Windows XP. The domain controller will only have 2GB of RAM running… >>> More
Why does a Domain Controller have a public IP

as seen on Server Fault - Search for 'Server Fault'
Just wondering why a Domain Controller has a public IP address? >>> More
Multi-Role Domain Controllers for Small Offices (< 50 clients)

as seen on Server Fault - Search for 'Server Fault'
Warning: I'm a Linux/*NIX admin so this is all new to me. I understand that it's not considered a good idea to have only a single domain controller, and that it is also probably a good idea for a domain controller to only do AD/DHCP/DNS (Here). We have two offices, location A with 30 users and location… >>> More
Can't add client machine to windows server 2008 domain controller

as seen on Server Fault - Search for 'Server Fault'
A bit of background before I dive into the gritty details: I have a single server running Windows 2003 Server where I host my ASP.net website and SQL Server + Reports. I've been creating ordinary windows user accounts to authenticate my users, and I enabled integrated windows authentication with… >>> More
Windows 2003 Domain Controller Very Upset about NIC Teaming

as seen on Server Fault - Search for 'Server Fault'
I set up BACS (Broadcom Teaming) to team two NIC on a Windows 2003 Active Directory Domain Controller. Networking still works okay, I can ping the gateway etc, but both DNS and Active Directory fail to start with various 40xx errors. The team that I created is Smart load Balancing with Failover… >>> More