Dear colleagues, we presently started to rollout computer certificates for our clients for WLAN usage. About 80% our 200 clients got certificates. For the rest we are facing trouble. A few computers could be fixed by adjusting the windows time service or enlarging the Kerberos buffer. For the rest we have different issue.The first issue I need your help is that the Enterprise Root and SubCA certificates are missing on those clients. Any idea how to solve this? We have published them in AD and via GPO they should be able to see them. - But they are not. Like said; 80% is working fine so I think from Server and AD side every thing is fine. Our environment is Windows XP Sp3 clients and the PKI servers are in windows server 2008 (32 Bit). Many thanks in advance Ruben

Are all your failing clients in the same AD site or are they spread over different sites? Can you check if the GPO has been deployed correctly to any computer of the 20% that does not show the CA certificates? You can use gpresult.exe and rsop.msc to check the GPO deployment. You can aditionally use the certutil.exe tool to examine the enterprise store on the same computer with the following switches: CertUtil -viewstore -enterprise NTAuth CertUtil -viewstore -enterprise Root /Hasain

Are all your failing clients in the same AD site or are they spread over different sites? Can you check if the GPO has been deployed correctly to any computer of the 20% that does not show the CA certificates? You can use gpresult.exe and rsop.msc to check the GPO deployment. You can aditionally use the certutil.exe tool to examine the enterprise store on the same computer with the following switches: CertUtil -viewstore -enterprise NTAuth CertUtil -viewstore -enterprise Root /Hasain

Hi Hasain, thank you for the fast feedback. The clients we are in the same site and also in the same OU. I compared with gpresult.exe and found no difference. When running the commands for checking the store it shows me no content. Attached you find at picture. Thanks for help. Ruben