Certificate Authority Role grayed out post deployment

joako537 11 Reputation points
2021-03-24T15:32:12.15+00:00

I pretty much have the same issue described in this post, but no clear view on how it was fixed. This is not a new role install; a former admin previously installed it. Happening on four servers, two on its own separate domain.

https://social.technet.microsoft.com/Forums/windows/en-US/ab602e23-f908-45d3-84f0-c066bc2d314b/cannot-reconfigure-certificate-authority-role-option-grayed-out?forum=winserver8gen

In Server Manager, I get a yellow flag to configure Active Directory Certificate Services on the destination server; I go through the credentials, hit Next, then the checkmarks are grayed out, and there is no way to click Next or configure. The only option is to go to Previous or Cancel.

Windows Server 2016
Windows Server 2012
Active Directory

5 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-03-25T01:55:40.203+00:00

    Hi,
    First of all, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain in order to install an Enterprise CA.

    Or you can check whether it is the same issue as the following one:
    https://social.technet.microsoft.com/Forums/Windows/en-US/fc51410d-46db-4df9-a9c8-b67af4eea888/active-directory-certificate-services-post-config-issue?forum=winserversecurity

    If you still can't find the reason, you can check the c:\windows\certocm.log file. It will give you details on what went wrong.

    Best Regards,


  2. joako537 11 Reputation points
    2021-03-26T12:43:23.463+00:00

    Also found that thread, and the servers aren't using Work Folders.

    This is the latest error in certocm.log:

    402.478.948: Begin: 3/24/2021 9:19 AM 03.214s
    402.483.0: wsmprovhost.exe
    402.491.0: GMT - 4.00
    104.138.0: certca.dll: 10.0.14393.3053 retail
    104.138.0: certocm.dll: 10.0.14393.3053 retail
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
    437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
    122.3064.0:<2021/3/24, 9:19:04>: 0x80041002 (-2147217406)
    122.2575.0:<2021/3/24, 9:19:04>: 0x80041002 (-2147217406): ApplicationPool.Name="WSEnrollmentServer"
    402.326.949: End: 3/24/2021 10:11 AM 00.798s


  3. joako537 11 Reputation points
    2021-03-26T13:32:04.19+00:00

    Also this error:

    122.3064.0:<2018/5/28, 13:14:5>: 0x80041002 (-2147217406)
    122.2663.0:<2018/5/28, 13:14:5>: 0x80041002 (-2147217406): Application.Path="/ADPolicyProvider_CEP_Kerberos",SiteName="Default Web Site"
    123.1203.0:<2018/5/28, 13:14:5>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
    121.749.0:<2018/5/28, 13:14:5>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): C:\Windows\SystemData\CEP\ADPolicyProvider_CEP_Kerberos
    122.3064.0:<2018/5/28, 13:14:5>: 0x80041002 (-2147217406)
    122.2575.0:<2018/5/28, 13:14:5>: 0x80041002 (-2147217406): ApplicationPool.Name="WSEnrollmentPolicyServer"
    122.3064.0:<2018/5/28, 13:14:5>: 0x80041002 (-2147217406)
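
Added example (not part of the thread and not Microsoft tooling): a small Python triage script for certocm.log entries like the ones posted above. It splits each HRESULT into facility and code and collapses repeated failures by context; the sample lines are copied from the excerpts in this thread, and the field names in the records are this example's own.

```python
import re
from collections import Counter

# Sample lines copied from the certocm.log excerpts posted in this thread.
SAMPLE = r"""
402.478.948: Begin: 3/24/2021 9:19 AM 03.214s
437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
437.633.0:<2021/3/24, 9:19:03>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
122.3064.0:<2021/3/24, 9:19:04>: 0x80041002 (-2147217406)
122.2575.0:<2021/3/24, 9:19:04>: 0x80041002 (-2147217406): ApplicationPool.Name="WSEnrollmentServer"
121.749.0:<2018/5/28, 13:14:5>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): C:\Windows\SystemData\CEP\ADPolicyProvider_CEP_Kerberos
"""

# Shape: tag:<timestamp>: 0xHRESULT (detail)[: context]. Begin/End lines do not match.
LINE_RE = re.compile(
    r"^\s*(?P<tag>\d+\.\d+\.\d+):\s*<(?P<ts>[^>]+)>:\s*"
    r"(?P<hr>0x[0-9A-Fa-f]{8})\s*\((?P<detail>[^)]*)\)(?::\s*(?P<ctx>.*))?$"
)
# Only the facilities and codes that appear in the thread are named.
FACILITIES = {4: "FACILITY_ITF", 7: "FACILITY_WIN32"}
NAMES = {0x80070002: "ERROR_FILE_NOT_FOUND", 0x80041002: "WBEM_E_NOT_FOUND"}

def decode_hresult(hr):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def parse(text):
    """Return one record per error line; any other line is skipped."""
    records = []
    for match in filter(None, map(LINE_RE.match, text.splitlines())):
        hr = int(match["hr"], 16)
        _, facility, code = decode_hresult(hr)
        records.append({
            "tag": match["tag"], "time": match["ts"], "hresult": hr,
            "name": NAMES.get(hr, "unknown"), "code": code,
            "facility": FACILITIES.get(facility, str(facility)),
            "context": (match["ctx"] or "").strip(),
        })
    return records

def summarize(records):
    """Count failures per (error name, context); context-free lines are dropped."""
    return Counter((r["name"], r["context"]) for r in records if r["context"])

if __name__ == "__main__":
    for (name, ctx), count in summarize(parse(SAMPLE)).most_common():
        print(f"{count:3d}  {name:<22} {ctx}")
```

The grouped output separates the Win32 file-not-found entries from the WMI not-found entries (0x80041002 is WBEM_E_NOT_FOUND), so the items the setup code could not locate can be read off by name.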


  4. joako537 11 Reputation points
    2021-03-29T13:20:55.237+00:00

    such as the domain environment
    It is just two servers as a backup, with the AD DS role, file server role and AD CA.

    What CA type did you try to install?
    It was installed already by a previous admin; it's a self-signed CA certificate server.

    What's the credential did you use to do
    I used my own domain admin account, and a service account.

    Also, if possible, please share a screenshot of the error message here (please hide the private information)
    82386-image.png

    82374-image.png


  5. joako537 11 Reputation points
    2021-04-09T21:21:12.283+00:00

    The server was already set up when I got it.