We run DC, CA and DNS on W2012 (VMware virtual server). It worked well but some time ago I've noticed Event ID 91 after restart. I've checked permissions following http://technet.microsoft.com/en-us/library/cc774525(v=ws.10).aspx and there are 2 folders missing in the public key services node: "NTAuthCertificates object" and "Domain Computers and Domain Users containers". But I can see root certificate using "certutil -viewstore 'ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=
Running "nltest /sc_verify:[domainname]" command on CA/DC/DNS server I got "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN" error message. But along to http://social.technet.microsoft.com/Forums/windowsserver/en-US/9f72712e-5119-4610-9faf-b6520cbdf732/inetlogoncontrolfailed-status-1355-0x54b-errornosuchdomain-on-2008-r2-pdc?forum=winserverDS it's not an error but a known issue.
Is any other way to check the connection between a CA and AD DS, please? I'm not sure if "Event ID 91" message isn't post Windows restart warning only. No similar message appears if I restart AD CS service in running W2012.
CA Web Enrollment works for user certificates and I can revoke certificate in "cersrv" too. But we can't issue new smartcards via ActivID Card Management System. It ends with "The card issuance failed. Synch Error: Security module synchronization failed. An internal provider error has occured in provider Microsoft Certificate Server 2003, context xxxxxxxx-AD-CA. External operation error. (0x00000005) MSPKI_CA_NOT_ISSUE : Access is denied." message and support put it in connection with "Event ID 91" error so I need to eliminate it first.