Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL:
Post name: Certificate Services setup failed with the following error: Element not found. 0x80070490
Original author: MS2065 [MSFT]
Posting date: 2009-01-26T01:41:22+00:00

Until Windows Server 2008 shipped, every Domain Controller had a readable and writable copy of the Active Directory schema, domain naming context and configuration naming context. This statement changed when we introduced the Read Only Domain Controller (RODC) role with Windows Server 2008. The RODC creates several new configuration scenarios for Active Directory integrated applications.

With this blog post I want to explain a situation where a Windows Server 2003 Enterprise CA setup fails with error Element not found. 0x80070490. The setup error occurs when the intended Windows Server 2003 CA computer maintains a secure channel with a Windows Server 2008 RODC. In this case, the CA setup code cannot write new objects into the Active Directory configuration naming context. In Windows Server 2008 the CA setup code was updated to always make a connection to a writable Domain Controller in the beginning and then stick with that Domain Controller for all the operations done during setup.

To work around the Windows Server 2003 CA setup limitation, you could use the nltest.exe command from the Windows Support tools. To do so, make sure that a writable domain controller exists in the site that the Windows Server 2003 CA computer belongs to. If no writable domain controller is configured for the site, you must work with your Active Directory Enterprise administrator to change the site configuration so that a writable domain controller becomes available in the CA’s site.

To fix the problem, open a command prompt on the intended Windows Server 2003 CA to execute the following commands with local administrator permissions.

As a first step, query the DNS for a list of writable domain controllers in the domain. In this sample I use as domain name.

nltest / /WRITABLE

Next, reset the secure channel that is currently used between the Windows Server 2003 and the RODC.

nltest /sc_reset

Finally, verify if the secure channel is now set up with a writable domain controller.

nltest /

If the intended CA computer is now connected to a writable domain controller, restart the CA setup.

Share this article:


Comments are closed.