Lately I have seen a very common error, made by a lot of people, that causes their Native Mode upgrade to not work. The symptom they see is:
· Clients not receiving policies after upgrade to Native Mode
Upon further investigation we found that all the components, especially the Management Point / Distribution Point, were working as expected, so it was not obvious what the issue could be.
Detected at least one Policy Assignment row in the result set which is pending signing, rejecting all rows. MP_PolicyManager 1/1/2009 10:59:10 AM 5120 (0x1400)
Detected at least one Policy Assignment row in the result set which is pending signing, rejecting all rows. MP_PolicyManager 1/1/2009 11:00:34 AM 5120 (0x1400)
Found the certificate that matches the SHA1 hash. SMS_POLICY_PROVIDER 1/1/2009 10:58:21 AM 5616 (0x15F0)
Failed in CryptAcquireCertificatePrivateKey(...): 0x8009200b. SMS_POLICY_PROVIDER 1/1/2009 10:59:11 AM 5616 (0x15F0)
To validate further, we identified one client and found its GUID in the database:
select * from system_data
Then we tried to see what policies it might be receiving:
exec mp_getmachinepolicyassignments 'GUID:xxx.xxx.xxx.xxx',NULL,'0'
exec mp_getmachinepolicyassignments 'GUID:xxx.xxx.xxx.xxx',NULL,'1'
Here 'GUID:xxx.xxx.xxx.xxx' is the GUID of the client, and the last parameter is the SecurityMode, which is 0 or 1 (Mixed / Native).
We could clearly see that for some of the policies the column value was inprocess='1'.
· The certificate template does not allow the private certificate to be exported
· The certificate is placed under the user’s personal store and not the computer’s
· If you are running the Windows Server 2008 Certificate Server, it is likely to place the certificate in the user’s personal store
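One way to check the store placement described above, as an added example that is not part of the original post: the script looks for a certificate by its SHA1 thumbprint in both the computer's and the current user's personal store and reports whether a private key is associated with it. The parameter name and the messages are assumptions made for this example; supply the thumbprint of your own site server signing certificate.

```powershell
# Added example (not from the original post).
# Run on the site server, as the user who enrolled the certificate, so that
# Cert:\CurrentUser\My reflects the store the certificate may have landed in.
param(
    # SHA1 thumbprint of the signing certificate (assumed to be known to you).
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Thumbprints copied from the certificate UI often contain spaces or
# invisible characters; keep only the hex digits.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Warning "Certificate $Thumbprint was not found in either personal store."
    return
}

# Show every place the certificate was found.
$found | Format-Table -AutoSize

$machine = $found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' }
if (-not $machine) {
    Write-Warning 'Certificate is only in the user personal store, not the computer personal store.'
} elseif (-not $machine.HasPrivateKey) {
    Write-Warning 'Certificate is in the computer store but has no associated private key.'
} else {
    # HasPrivateKey does not prove the service account can open the key;
    # key permissions still need to be checked separately.
    Write-Output 'Certificate is in the computer personal store with an associated private key.'
}
```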
Jeevan Bisht | Support Escalation Engineer
Note: All material presented here is only for reference. As such, Microsoft makes no warranties or guarantees regarding the applicability of this article, nor does Microsoft support the use of this in any way. This is just one of those 'use at your own risk' type of things that hopefully you'll find helpful.