Event Id | 11 |
Source | Cert Server Enterprise Policy |
Description | Warning CA was unable to publish the certificate for the Domain\server. Server is not part of the Cert Publishers group. Privilege violation. |
Event Information | According to Microsoft: Cause: When you install a child domain in an existing domain tree with an enterprise CA already configured, the default permissions on the child domain do not allow the enterprise CA to publish certificates from the child domain. Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. If you have updated from a Windows 2000 domain, you may have to change the group type into a domain local group. They are allowed to do this because they are in the Cert Publishers group, which has write access to the userCertificate attribute on the user object. The problem occurs when a certificate server in one domain tries to issue a certificate to a user in another domain. Resolution: To work around this issue, use one of the following methods: • Manually add the CA computer to the Cert Publishers group on the child domain. This process cannot be performed during Setup because the child domain may not yet exist when the CA is configured. NOTE: This only works in a Windows Server 2003-based environment, not a Windows 2000 environment. • Use the Delegation Wizard to manually add the root domain's Cert Publishers group to every user object in the child domain. |
Reference Links | Event ID 11 and Source: Cert Server Enterprise Policy |
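
The first workaround above can be checked per child domain before anything is changed. The script below is an added example, not Microsoft's or this page's own code; it assumes the ActiveDirectory PowerShell module, and the domain and computer names are placeholders. It reports the Cert Publishers group scope and whether the CA computer account is a member, and only adds the account when -Fix is given.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audits the first workaround (CA computer account in the child
# domain's Cert Publishers group). All default values below are placeholders.
param(
    [string]   $CaDomain     = 'corp.example',           # domain hosting the enterprise CA
    [string]   $CaComputer   = 'CA01',                   # CA computer account name
    [string[]] $ChildDomains = @('child.corp.example'),  # child domains to check
    [switch]   $Fix                                      # add the CA where it is missing
)

# Resolve the CA computer account in its own domain.
$ca = Get-ADComputer -Identity $CaComputer -Server $CaDomain

foreach ($domain in $ChildDomains) {
    # Read the child domain's own Cert Publishers group and its member list.
    $group    = Get-ADGroup -Identity 'Cert Publishers' -Server $domain -Properties member
    $isMember = $group.member -contains $ca.DistinguishedName

    # One result row per child domain.
    [pscustomobject]@{
        Domain     = $domain
        GroupScope = $group.GroupScope
        CaIsMember = $isMember
    }

    if ($isMember) { continue }

    # A global group cannot hold accounts from another domain, which is the
    # case the page describes for domains upgraded from Windows 2000.
    if ($group.GroupScope -eq 'Global') {
        Write-Warning "${domain}: Cert Publishers is a global group; change it to a domain local group before adding the CA."
        continue
    }

    if ($Fix) {
        # Cross-domain add: the group is resolved in the child domain, the
        # member object comes from the CA's domain.
        Add-ADGroupMember -Identity $group -Members $ca -Server $domain
        Write-Host "${domain}: added $($ca.Name) to Cert Publishers."
    }
}
```

Run it without -Fix first to see which child domains are affected; the account running it needs rights to modify group membership in each child domain only when -Fix is used.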