Get-CertificationAuthority -Enterprise gives a wrong result #165

Open
miasik opened this issue Dec 27, 2021 · 5 comments
Labels
Investigate The item’s status is investigated (issue or not)


miasik commented Dec 27, 2021

PS C:\Users\QQQ> Get-CertificationAuthority -Enterprise

PS C:\Users\QQQ> Get-CertificationAuthority

DisplayName                              ComputerName              IsAccessible ServiceStatus Type                     
-----------                              ------------              ------------ ------------- ----                     
XXXXXXXXXX Issuing 06                    SSSSSSSSSSSSSSSSSSSS.com  True         Running       Enterprise Subordinate CA

PS C:\Users\QQQ> Get-CertificationAuthority | Get-EnterprisePKIHealthStatus

Name                  Status Childs                                      
----                  ------ ------                                      
XXXXXXXXXX Issuing 06     Ok {XXXXXXXXXX Issuing 06, SSSSSSSSSS Root 02}

The command with the key "-Enterprise" gives no result, but one Enterprise Subordinate CA exists in our domain.

Collaborator

Crypt32 commented Jan 16, 2022

Do you get any result when using the -Standalone switch instead? In a test domain, I have a mix of Enterprise and Standalone CAs, and the -Enterprise switch works for me as expected: it returns only enterprise CAs in the forest.

Author

miasik commented Jan 17, 2022

I can't perform such a test. We have some domains and all of them have a domain issuing CA. We have only one standalone root CA, without a domain.
Something has happened and that problem has turned into another one. The same query now gives the right result, but it takes about 7 minutes.
[image]
Running Connect-CertificationAuthority also takes the same time.
I have such problems with the tool in only one domain. All the others work normally. Actually, I think this domain itself also works fine. I'll be happy to find our bug and help you to improve your tool!

Collaborator

Crypt32 commented Jan 17, 2022

There are a lot of things you may need to test before you can find the root cause of this. Please test how much time these commands take:

[SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer]::GetAdPkiContainer("Enroll").EnrollmentServers
$CertConfig = New-Object SysadminsLV.PKI.Dcom.Implementations.CertConfigD
$CertConfig.EnumConfigEntries()

If they are fast enough, you will have to debug the SysadminsLV.PKI.dll library in Visual Studio to find out which internal call causes the delays.
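
A timing harness for the checks suggested in the comment above, as an added example that is not part of the original thread or the project's code. It assumes the PSPKI module is installed and loads the SysadminsLV.PKI types; the step labels and variable names are illustrative.

```powershell
# Added example: time each lookup from the thread separately to see which layer is slow.
# Assumption: PSPKI is installed and the session runs as a domain user.
Import-Module PSPKI

# Each entry is one lookup quoted in the thread, kept separate so the slow one stands out.
$steps = [ordered]@{
    'AD Enrollment Services container' = {
        [SysadminsLV.PKI.Management.ActiveDirectory.DsPkiContainer]::GetAdPkiContainer("Enroll").EnrollmentServers
    }
    'CertConfig enumeration' = {
        $CertConfig = New-Object SysadminsLV.PKI.Dcom.Implementations.CertConfigD
        $CertConfig.EnumConfigEntries()
    }
    'Get-CertificationAuthority -Enterprise' = {
        Get-CertificationAuthority -Enterprise
    }
}

$results = foreach ($name in $steps.Keys) {
    $sw    = [System.Diagnostics.Stopwatch]::StartNew()
    $err   = $null
    $count = 0
    try {
        # @() forces an array so that zero or one returned object is still counted correctly.
        $count = @(& $steps[$name]).Count
    } catch {
        # Record the failure instead of aborting, so the remaining steps are still timed.
        $err = $_.Exception.Message
    } finally {
        $sw.Stop()
    }
    [pscustomobject]@{
        Step    = $name
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Items   = $count
        Error   = $err
    }
}

$results | Format-Table -AutoSize -Wrap
```

If the first two steps return in well under a second while the cmdlet takes minutes, the delay lies in the per-CA processing the cmdlet does after enumeration, which is what the debugging advice in this thread targets.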

Author

miasik commented Jan 17, 2022

They finished immediately. It appears that I have to learn how to debug a DLL in VC :-( I hope I'll do it soon.

Collaborator

Crypt32 commented Jan 17, 2022

Library sources are here: https://github.com/PKISolutions/pkix.net
Download them to Visual Studio, then either add a CLI application as a host application or create a unit test project, and test the [PKI.CertificateServices.CertificateAuthority]::Connect() method. Set breakpoints and debug it line by line.

One thing you should know: debug an x64 process, because CA management interfaces don't exist for the x86 platform (Visual Studio defaults to x86 when debugging).

@Crypt32 Crypt32 added the Investigate The item’s status is investigated (issue or not) label Sep 18, 2023