MSExchangeGuru.com


Root CA Migration: Unable to find Root CA Computer Object

Today, while migrating a root CA from Windows 2008 to Windows 2012 R2, we ran into this issue. This is the first blog on the internet covering this error, so let me share more about it.

We backed up the root CA and decommissioned it.


Issue:

We then ran the following command on the new server:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile "C:\temp\CAname.p12" -CertFilePassword (Read-Host "Set user password" -AsSecureString)

The command returned the warnings below. While migrating the root CA we decided to understand the issue and fix every warning rather than ignore it.

Warning: Setup could not add the certification authority’s computer account to the cert Publishers Security Group. This Certification Authority will not be able to publish certificates in Active Directory. To fix this, an administrator must manually add the Certification Authority’s computer account to the Cert Publishers security group in Active Directory.  The specified account does not exist. 0x80070525 (WIN32: 1317 ERROR_NO_SUCH_USER)

Setup could not add the certification authority’s computer account to the Pre-windows 2000 Compatible Access Security Group. Certificate Managers Restrictions feature will not work correctly on this Certification Authority. To fix this, an administrator must manually add the Certification Authority’s computer account to the Pre-windows 2000 Compatible Access Security Group on Active Directory. The specified account does not exist. 0x80070525 (WIN32: 1317)

ErrorId  ErrorString
1834     Setup could not add the certification Authority's computer…..


Resolution:

This infrastructure has two AD sites with a 180-minute inter-site replication interval. So you either wait 3 hours for the changes to replicate to the other AD site, or you force AD replication.

We had not replicated the removal of the old Root CA to the second AD site, which is what caused this issue.

To fix this issue we forced replication of the deletion of the old Root CA server, then rebuilt the new server's domain membership in this order:

1. Uninstall AD CS from the new Root CA.

2. Disjoin the server from the domain.

3. Restart the server.

4. Replicate AD.

5. Join the new server to the domain.

6. Replicate AD.

7. Install AD CS.

8. Rerun the command:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile "C:\temp\CAname.p12" -CertFilePassword (Read-Host "Set user password" -AsSecureString)

This time it succeeded.
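The root cause above is that a domain controller in the second site still had a stale view of the CA's computer object, so AD CS setup could not find the account it needed to add to Cert Publishers and Pre-Windows 2000 Compatible Access. The script below is an added example, not code from the original post, that checks this before rerunning the install: it asks every DC in the domain whether it can see the CA computer object, forces inter-site replication with repadmin instead of waiting for the 180-minute schedule, and then confirms (or manually creates, as the warning text tells you to) the two group memberships. It assumes the ActiveDirectory RSAT module is available and uses the placeholder server name NEWROOTCA.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT) is installed and that you run it as a domain admin on a domain member.
Import-Module ActiveDirectory

$CaComputerName = 'NEWROOTCA'   # placeholder: hostname of the new Root CA server

# 1. Ask every DC in the domain whether it already knows the CA's computer object.
#    A DC in a site that has not yet replicated returns nothing; that is the
#    state in which setup fails with ERROR_NO_SUCH_USER (0x80070525).
$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName
foreach ($dc in $dcs) {
    $obj = Get-ADComputer -Filter "Name -eq '$CaComputerName'" -Server $dc.HostName -ErrorAction SilentlyContinue
    $state = if ($obj) { 'present' } else { 'MISSING' }
    Write-Host ("{0,-30} site={1,-15} computer object {2}" -f $dc.HostName, $dc.Site, $state)
}

# 2. Force replication of all partitions across every site rather than waiting
#    for the inter-site schedule. /A = all partitions, /d = print DNs, /e = span
#    sites (enterprise), /P = push changes out from this DC.
repadmin /syncall /AdeP

# 3. Confirm the memberships that Install-AdcsCertificationAuthority tried to create.
#    Read the group's "member" attribute directly instead of Get-ADGroupMember,
#    because Pre-Windows 2000 Compatible Access contains foreign security
#    principals (Authenticated Users) that Get-ADGroupMember cannot always resolve.
$caAccount = Get-ADComputer -Identity $CaComputerName
$groups = @('Cert Publishers', 'Pre-Windows 2000 Compatible Access')
foreach ($g in $groups) {
    $members = (Get-ADGroup -Identity $g -Properties member).member
    if ($members -contains $caAccount.DistinguishedName) {
        Write-Host "$CaComputerName is already a member of '$g'"
    } else {
        # This is the manual step the setup warning asks an administrator to perform.
        Write-Warning "$CaComputerName is NOT in '$g'; adding it now"
        Add-ADGroupMember -Identity $g -Members $caAccount
    }
}
```

If step 1 shows the object as MISSING on any DC, rerun the check after the repadmin call and only proceed to the AD CS install once every DC reports it as present; adding the group memberships on a DC that cannot see the account will fail with the same error.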


Conclusion:

Remember to add AD replication to your change plan, especially when you are dealing with multiple AD sites.


Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru
