Certification Authority
The idea is to implement IPsec in our domain network. I have tested everything on Citrix, created almost an analogue of the network with AD+DNS+CA+several nodes and stuff. Created a "Computer" type certificate in "certificate auto-request settings" (hope that's what it's called in English) in the default policies. Right after that, in the "certification centre MMC: issued certificates", I instantly got the root certificate, and after gpupdate /force on the virtual nodes they all received certificates, which were shown in issued certificates almost instantly too (tried several options with them, everything is fine). But on the actual network, after installing the certification authority on the secondary domain controller and configuring the policy + gpupdate /force, the root certificate has not been given. And of course client machines do not get issued any of them either. And very strange for me is, if I change the default policies on the PDC, then enter the same GPO on the secondary controller, I don't see the change (i.e. this "Computer" type certificate auto-request) even after forcing gpupdate. Used pretty much the same settings installing the CA: RSA+MD5+2048.
June 5th, 2012 3:08am
If I understand it correctly there seems to be a replication problem between your DCs. Gpupdate /force doesn't trigger replication.
To force replication between DCs: repadmin /syncall /APeD. To check the health of your domain: dcdiag /e /v
Fix this problem first before configuring the CA.
June 5th, 2012 3:32am
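The reply above recommends checking replication before touching the CA. As an added example (not part of the thread), the PowerShell below parses the CSV form of `repadmin /showrepl`, reports any link with failures, runs the replication-specific dcdiag test, and only then offers the `/syncall` the reply suggests. It assumes an elevated prompt on a DC or on a machine with RSAT installed; the column names are the ones repadmin emits in `/csv` mode.

```powershell
# Added example, not from the thread: replication health check before CA work.
# '*' asks every DC in the forest; /csv gives a header row ConvertFrom-Csv can parse.
function Get-ReplicationFailures {
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Test-DomainReplication {
    param([switch]$ForceSync)   # only push a sync when explicitly asked
    $failures = @(Get-ReplicationFailures)
    if ($failures.Count -gt 0) {
        Write-Warning ("{0} replication link(s) are failing:" -f $failures.Count)
        $failures | Format-Table -AutoSize | Out-String | Write-Warning
    } else {
        Write-Host "All replication links report zero failures."
    }
    # The Replications test alone is quicker than a full 'dcdiag /e /v' and names
    # the partner and partition that are stuck.
    dcdiag /test:Replications /e
    if ($ForceSync) {
        # /A all partitions, /P push from this DC, /e enterprise (cross-site), /d show DNs
        repadmin /syncall /APeD
    }
    return ($failures.Count -eq 0)
}

# Report only:
# Test-DomainReplication
# Report, then force a sync as the reply suggests:
# Test-DomainReplication -ForceSync
```

A healthy result here (zero failures and a clean Replications test) confirms that a GPO edited on the PDC has actually reached the DC the CA runs on; if links are failing, the GPO change and the CA's own AD objects may simply not have arrived yet, which matches the symptom described in the opening post.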
Ok, thank you for the tip, replication is fine (the question then is where do I schedule it?). And dcdiag shows that all tests were passed.
June 5th, 2012 3:53am
Mm, ok. I got the root certificates, but the CA is not issuing to nodes, including the server on which it's installed.
Yeah, I mean, no ideas?
One of the problems was, I had to enable auto-enrollment in the "Public Key Policies", but this only resulted in the secondary DC on which the CA is installed receiving a certificate. gpupdate /force on other nodes does nothing.
June 5th, 2012 3:56am
June 5th, 2012 4:04am
Ok, I probably have to bump it, though from the previous 3 questions on TechNet none were answered; this one seems to be so easy for people who have configured it completely at least once. So I hope.
update: ... 20 min since I made the last changes to the GPO, and now suddenly one of the servers in this network got a certificate. Why only this one? I made no changes to particular org. unit policies, only Default and Default_DC. This server is not a DC at all. Does it require some time to get going? And why on the Citrix virtual net was everything going much faster?
update2: now one of 1500 users got a certificate ;) I just really have to wait?
June 5th, 2012 7:30am
So, for the moment only 10 certificates (not counting root ones) have been issued, the last one at 8:07 (GMT+3) today. To make it easier for you: 8 hours ago. Should I start being worried? The nodes that acquired certificates are members of different AD org. units and run different OSes, so this is at least strange for me. Maybe the MD5 I've chosen cannot work well with most of the machines, but then again on Citrix I had all 3 nodes run WinXP SP3 (most of the PCs in the actual network) and everything was fine. Is there some utility to ask the CA server for a certificate? Because I also doubt I can acquire one by gpupdate /force (anyway, since yesterday all of the workstations must have been rebooted + scheduled sync). Thank you.
Ok, I maybe have found how to request a certificate manually, if that's the case: mmc --> certificates --> personal --> action (all tasks) --> request new certificate. But then again I get the following error:
- there are no trusted certification authorities (CAs) available (that's not true technically, or maybe it is?).
- you do not have the permissions to request certificates from the available CAs (I'm logged in as domain admin on the Win machine I'm testing this on).
- the available CAs issue certificates for which you do not have permissions (maybe that, but could you help me fix it if so).
June 6th, 2012 8:31am
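The three messages in the post above map to three distinct checks on the client: is the autoenrollment policy applied here, is the CA published and trusted for enrollment, and does the computer account hold Enroll and AutoEnroll on the template. As an added example (not from the thread or from Microsoft), the PowerShell below runs those checks and then triggers autoenrollment with `certutil -pulse`, which is the "utility to ask the CA for a certificate" the earlier post asks about. It assumes the RSAT ActiveDirectory module for the template ACL lookup, uses `Machine` (the internal cn of the built-in "Computer" template), and the event query needs Vista/2008 or later; the AEPolicy bit values and the two extended-right GUIDs are stated from general knowledge of AD CS, not from the thread.

```powershell
# Added example, not from the thread: client-side autoenrollment diagnostics.

# 1. Is the "Certificate Services Client - Auto-Enrollment" GPO setting applied here?
#    It writes the AEPolicy value; 7 = enabled with both sub-options, 0x8000 = disabled.
function Get-AutoEnrollmentPolicy {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item)             { return 'not configured (GPO not applied here)' }
    if ($item.AEPolicy -band 0x8000) { return 'explicitly disabled' }
    return ('enabled (AEPolicy=0x{0:X})' -f $item.AEPolicy)
}

# 2. "No trusted CAs available": the CA must be published in AD and be in the
#    NTAuth store. -TCAInfo enumerates enterprise CAs from AD and tests access to them.
function Show-EnterpriseCa {
    certutil -enterprise -store NTAuth
    certutil -TCAInfo
}

# 3. "You do not have permission": autoenrollment needs BOTH the Enroll and the
#    AutoEnroll extended right on the template for the computer account
#    (normally granted to Domain Computers). Rights are matched by their GUIDs.
function Get-TemplateEnrollAcl {
    param([string]$Template = 'Machine')
    $enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Template)" `
                        -Properties nTSecurityDescriptor
    if (-not $obj) { throw "template '$Template' not found under $base" }
    $obj.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -eq $enroll -or $_.ObjectType -eq $autoEnroll) } |
        Select-Object IdentityReference,
            @{ n = 'Right'; e = { if ($_.ObjectType -eq $enroll) { 'Enroll' } else { 'AutoEnroll' } } }
}

# 4. Trigger autoenrollment now instead of waiting for the next policy refresh,
#    then list template-issued certificates in the machine store and the latest
#    autoenrollment events, which name the template and the failure reason.
function Invoke-AutoEnrollmentCheck {
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 15
    # Extension OIDs carried by certificates issued from a v1 / v2+ template.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    $issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
    }
    $issued | Select-Object Subject, Issuer, NotAfter, Thumbprint
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Run in order from an elevated prompt on an affected client:
# Get-AutoEnrollmentPolicy; Show-EnterpriseCa; Get-TemplateEnrollAcl; Invoke-AutoEnrollmentCheck
```

Step 3 is the one that usually explains "the available CAs issue certificates for which you do not have permissions": if the ACL shows Enroll but no AutoEnroll for Domain Computers (or neither), clients will never pick the template up on their own no matter how often gpupdate runs. Being logged on as a domain admin does not help for a computer certificate, because autoenrollment runs as the machine account, so it is the computer's group membership that the ACL has to match.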