The option Enterprise unavailable during CA installation?

When installing an Active Directory Certification Authority (or CA server for short), the Setup Type option Enterprise might be greyed out:


This is most likely because you are not running the installation with an account that is a local administrator on the member server AND is a member of the Enterprise Admins group or the Domain Admins group in the Forest Root Domain.

If you look in the CA installation logfile (located here: C:\Windows\certocm.log) you will see the following error message:

Enterprise CA option availability status: ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS


To find out which groups you are a member of, run the command:
whoami /groups

Make sure that one of the following groups (or both) is listed:
DOMAIN\Enterprise Admins
DOMAIN\Domain Admins

To enable the Enterprise option, simply add the user account to one of the groups listed above and log out and in again (to update the Kerberos token), or use an account that is already a member, then retry the installation.
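
The checks described above can be combined into one pre-flight script. This is an added example, not part of the original post; it assumes a domain-joined member server and an elevated PowerShell session, and all variable and property names are chosen for illustration.

```powershell
# Added example: verify the rights the Enterprise CA setup type requires.
Add-Type -AssemblyName System.DirectoryServices

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# 1. Local administrator on this server (only reports True in an elevated session).
$isLocalAdmin = $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Enterprise Admins (RID 519) or Domain Admins (RID 512) of the forest root domain.
#    Matching on SIDs avoids false hits on same-named groups in child domains.
$rootDomain = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain
$sidBytes   = $rootDomain.GetDirectoryEntry().Properties['objectSid'].Value
$rootSid    = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
$wanted     = @{
    "$rootSid-519" = 'Enterprise Admins'
    "$rootSid-512" = 'Domain Admins'
}
# The token only contains groups that were present at logon, which is why a
# fresh logon is needed after changing group membership.
$found = @($identity.Groups |
    Where-Object   { $wanted.ContainsKey($_.Value) } |
    ForEach-Object { $wanted[$_.Value] })

# 3. Last availability status written by CA setup (log path from the article).
$log    = 'C:\Windows\certocm.log'
$status = $null
if (Test-Path $log) {
    $hit = Select-String -Path $log `
        -Pattern 'Enterprise CA option availability status:\s*(\S+)' |
        Select-Object -Last 1
    if ($hit) { $status = $hit.Matches[0].Groups[1].Value }
}

[pscustomobject]@{
    User               = $identity.Name
    LocalAdministrator = $isLocalAdmin
    ForestRootGroups   = ($found -join ', ')
    HasInstallRights   = $isLocalAdmin -and ($found.Count -gt 0)
    LastLoggedStatus   = $status
}
```

If HasInstallRights is False while LastLoggedStatus shows ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS, the account is missing one of the two requirements listed above.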

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in CA, PKI.

1 Response to The option Enterprise unavailable during CA installation?

  1. Since Windows 2008, an Enterprise CA can only be installed on a domain member but no longer on a domain controller. Enterprise CA option is greyed out / unavailable if that’s the case.

    Kind regards
