Set the DSConfigDN for Standalone Root CAs
Are you setting up a new PKI implementation in your organization? Are you using a Standalone Root CA with an Enterprise Subordinate CA? If so, don't forget to properly set the DSConfigDN attribute for your Standalone Root CA (since it can't read or write in AD!). If you do forget to do this and then install your Enterprise Subordinate CA, well, you'll be unhappy: after making this change you will end up having to either uninstall and reinstall that Enterprise Subordinate CA or reissue its certificate. (Honestly, the uninstall and reinstall is the cleaner approach if you need to fix this problem.)
To properly set the DSConfigDN attribute on the Standalone CA:
- From an administrative command prompt, enter the following command to set the Configuration container DN for the Root CA:
  certutil -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=local"
- You should get the following output back:
  SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOTCANAME\DSConfigDN:
  NewValue: DSConfigDN REG_SZ = CN=Configuration,DC=mycompany,DC=local
  CertUtil -setreg command completed successfully.
  The CertSvc service may need to be restarted for changes to take effect.
- Stop and then start the Active Directory Certificate Services service as required. This can be done from the command prompt, the Services console or the CA console.
The change looks like that seen in the figure below when viewed in the Registry Editor.
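The same procedure as an added PowerShell script (this is not from the original post): it reads the active CA instance name from the CertSvc registry key, skips the change if DSConfigDN is already correct, runs the same certutil -setreg command, verifies the stored value from the registry and only then restarts the service. The Configuration DN passed in is assumed; substitute your own forest's value.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Standalone Root CA itself. The DN is a placeholder; pass your
# forest's Configuration container DN (CN=Configuration,DC=<forest root>).
param(
    [Parameter(Mandatory)]
    [string]$ConfigDN   # e.g. "CN=Configuration,DC=mycompany,DC=local"
)

# Sanity check: a Configuration container DN always starts with CN=Configuration
# followed only by DC= components. Catches pasting a domain DN by mistake.
if ($ConfigDN -notmatch '^CN=Configuration(,DC=[^,]+)+$') {
    throw "'$ConfigDN' does not look like a Configuration container DN."
}

# The active CA instance name is stored in the 'Active' value of the CertSvc
# Configuration key; that CA's settings (including DSConfigDN) live in a subkey
# of the same name, which is the path shown in the certutil output above.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$caKey  = Join-Path $cfgKey $caName

$current = (Get-ItemProperty -Path $caKey -Name DSConfigDN -ErrorAction SilentlyContinue).DSConfigDN
Write-Host "CA '$caName' current DSConfigDN: '$current'"

if ($current -eq $ConfigDN) {
    Write-Host 'DSConfigDN already correct; nothing to do.'
    return
}

# Same command as in the post; certutil writes the REG_SZ value under the CA key.
certutil -setreg ca\DSConfigDN $ConfigDN | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# Re-read the value straight from the registry and confirm it before restarting,
# so a silently rejected or mistyped value is caught now rather than when the
# Subordinate CA is installed.
$after = (Get-ItemProperty -Path $caKey -Name DSConfigDN).DSConfigDN
if ($after -ne $ConfigDN) { throw "Verification failed: DSConfigDN is '$after'" }

# The CA only picks the new value up after a service restart.
Restart-Service -Name CertSvc
Write-Host "DSConfigDN set to '$after' on '$caName'; CertSvc restarted."
```

Do this before installing or issuing the certificate for the Enterprise Subordinate CA; running it afterwards does not fix a subordinate that was already installed against the wrong value.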