AD Certificate Services CRL & AIA configuration
I'm prototyping a two tier PKI setup as a prerequisite to SCCM 2012 R2. In this setup I have an offline root CA (not domain joined) and two subordinate Enterprise Issuing CAs with AD Certificate Services installed. I have the Online Responder service installed and configured on both Issuing CAs. I'm using the Online Responder to sync the two using the Array Configuration. I also plan to load balance the two OCSP responder service systems using an address like http://pki.contoso.com/ocsp. However, I'm a little confused about how the CDP and AIA locations should be configured on each of the three systems since I've read so much seemingly contradictory information.
Here are the CDP & AIA settings for the three systems:
MyRootCA1-CDP
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://MySubCA01.contoso.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
MyRootCA1-AIA
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://MySubCA02.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
MySubCA01-CDP
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://MySubCA01.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
MySubCA01-AIA
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://pki.contoso.com/ocsp
MySubCA02-CDP
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://MySubCA02.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
MySubCA02-AIA
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://pki.contoso.com/ocsp
I haven't seen any issues. Since I've cobbled the configuration from different sources, I just want to get some feedback and know that the configuration is appropriate for the design.
Thanks in advance.
See this: PKI Certificate Requirements for Configuration Manager
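One way to express the design in the question as actual CA settings, added here as an example and not taken from the thread or from the linked Microsoft article: it writes the CDP and AIA publication URLs of one Issuing CA with certutil, restarts the service so the values are read, republishes the CRL and then fetches every URL back from the CA's own certificate. It assumes http://pki.contoso.com/CertEnroll/ is the load-balanced HTTP publication point (the question only shows http://pki.contoso.com/ocsp on that name). It goes a little beyond the listed settings by adding HTTP and LDAP CDP entries for the Issuing CA, because a client can only check revocation through a CDP it can reach, and a file:// UNC path is rarely reachable from outside the LAN.

```powershell
# Added example, not from the thread: CDP/AIA publication URLs for one Issuing
# CA (say MySubCA01) in the two-tier design above.
# Assumption: http://pki.contoso.com/CertEnroll/ is published behind the same
# load-balanced name as the OCSP responder.
#
# certutil URL variables:
#   %1=ServerDNSName  %2=ServerShortName  %3=CaName  %4=CertificateName
#   %6=ConfigurationContainer  %7=CATruncatedName  %8=CRLNameSuffix
#   %9=DeltaCRLAllowed  %10=CDPObjectClass  %11=CAObjectClass
# CDP flags (sum them):
#   1=publish CRL here  2=include in CDP extension of issued certs
#   4=include in CRLs (delta pointer)  8=include in all CRLs
#   64=publish delta CRL here  128=include in IDP extension
# AIA flags:
#   1=publish CA cert here  2=include in AIA extension  32=OCSP URL

# Local path: publish base (1) and delta (64) CRLs only, never put it in certs.
# HTTP: what issued certificates point to (2) plus the delta pointer (4).
# LDAP: publish to AD and reference it (1+2+4+8+64).
$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
) -join '\n'

# Local path: publish the CA certificate (1). HTTP and LDAP: referenced in the
# AIA extension (2, LDAP also published: 1+2). OCSP URL from the question (32).
$aia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt',
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '32:http://pki.contoso.com/ocsp'
) -join '\n'

# certutil splits a REG_MULTI_SZ value on the literal "\n" sequence.
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA reads these keys only at service start.
Restart-Service certsvc

# Publish a fresh CRL so the new locations have content.
certutil -CRL

# Verification: pull every CDP, AIA and OCSP URL embedded in the CA's own
# certificate. Any "Failed" or "Expired" line here is exactly what
# pkiview.msc and Event ID 22/0x80092013 errors will later complain about.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" |
    ForEach-Object { certutil -verify -urlfetch $_.FullName }
```

Run it on each Issuing CA in turn; the root CA gets the same treatment with its own list, but there the flags matter more, since anything marked 2 on the root ends up in the subordinate CA certificates and must stay reachable for as long as those certificates live.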
Similar Messages
-
Certificate Services: CA-Xchg certificate renewal ignoring configuration settings
Hi
I'm seeing a problem with CA-Xchg renewal and I'm hoping someone can help. This is on w2k3 r2 SP2 CA machine that's attached to an HSM.
The first time the CA issues itself the CA-Xchg certificate, it used all the correct settings (key length=2048, EncryptionCSP=<HSM vendor>, etc). The CA-Xchg certificate & keys are in the HSM so everything is fine.
However, all other CA-xchg certificates since the very first one, now completely ignore the configured registry settings on the CA. These renewed CA-Xchg certificates keep the public/private keys locally on the OS and use a smaller key length (1024).
This behavior was not seen in previous testing.
The CRLFlag CRLF_USE_XCHG_CERT_TEMPLATE is not configured. As a precaution the CA exchange template has the same key length and CSP settings as the CA's registry (even though these settings are ignored if using the CA exchange template).
The strangest thing is that the CA is still happily using/accessing its CA keys in the HSM when signing certificates, publishing CRLs, etc., so it's not an "access to the HSM" problem. That, and the very first CA-xchg certificate used the HSM fine.
The CA is being used to issue certs for CLM so the CLM policy and exit modules are installed. I don't think this is doing anything as the policy module is configured to pass all non-CLM cert requests to the windows default policy module.
Is there some sort of "hard wired" default setting that this CA is reverting back to (for whatever reason) instead of what is configured in the registry?
Setting the KRAFlag KRAF_DISABLEUSEDEFAULTPROVIDER isn't an option as that flag was added with 2008; it's not available in 2003.
Any help, ideas, etc. is much appreciated.
cheers
Todd
Hi,
Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Regards, Yan Li
-
Hi,
We have some problems with our Root CA. I can see a lot of failed requests with event ID 22 in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=xxxxx.ourdomain.com. Additional information: Error Verifying Request Signature or Signing Certificate
A couple of months ago we decommissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure, but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing configuration.
Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs; what can I do now to try and correct the problem?
Thank you for your help
//Cris
hello,
let me recap first:
You see these errors on a ROOT CA, so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with the error you mentioned.
Do you say that you had a PREVIOUS CA which you decommissioned, and you now have a brand NEW CA that was built as a clean install? When you decommissioned the PREVIOUS CA, it was your design decision not to bother with the current certificates that it issued and which are still valid, right?
The error says that the REQUEST signature cannot be validated. REQUESTs are signed either by themselves (self-signed) or, if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs do not contain CRL paths at all.
So this implies to me that the requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
Just a clean self-signed REQUEST.
That will succeed.
You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
ondrej. -
Hi,
When I check pkiview.msc on my 2012 Subordinate CA I get the error shown in the first picture below. I'm also getting errors similar to below in the event log:
"Active Directory Certificate Services could not create an encryption certificate. Requested by contoso\admin1. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)."
I'm assisting in setting up a 2 tier PKI infrastructure using Windows 2012. The root CA looks good, but we're getting errors on the subordinate. The server was working, but we discovered that the server would only issue certificates with a maximum of a 1 year expiry date - obviously no good, so we decided to run through the following commands on the root CA (as recommended by http://www.techieshelp.com/subordinate-ca-increase-certificate-validity/)
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
restarted AD certificate services on the root and subordinate CA. Then did the following on the subordinate CA:
1. On the Subordinate CA create a new CA request by right clicking the server in ADCS and select New Request.
2. Supplied the original request file from the subordinate CA (I couldn't find a way of generating a new request file)
3. Issued the certificate using the Root CA.
4. On the Subordinate CA ADCS installed new CA cert.
However, I keep on getting CDP or AIA errors on my subordinate CA. Also I'm missing a CDP field value when I look at the certificate listed in the personal and trusted certification authority store on my subordinate CA.
In addition, when I look at my CDP locations in Certificate Authority, I see a lot of CDPs, but I'm not sure if I need them all - I suspect I could just get away with LDAP, the C:\windows path and a single http:// path.
I've tried renewing the existing certificate and CRL on my subordinate CA, but that didn't work either.
Please advise.
Thanks
Ok, the process to renew the subordinate CA is incorrect. Once the registry setting to change the validity period was made on the root CA, the root CA ADCS service needs to be restarted. That is the only time those keys are read. Then:
1) On the subordinate CA, open the CA tool, right click the CA and select Renew CA Certificate. You can use the same key, no need to create a new one. It will create a NEW certificate request file.
2) Copy that to the Root CA and submit like you would have done during the initial install.
3) Approve the request and export the issued certificate.
4) On the subordinate CA, in the CA tool, right click the CA and choose Install CA Certificate.
You cannot reuse request files.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. -
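The same four steps driven from the command line, added here as an example rather than the answer's own instructions or any PKI Solutions material. It assumes an offline root CA whose config string is "RootCA\Contoso Root CA", a subordinate CA host called SUBCA01, and removable media mounted at C:\Transfer on both machines; the location the new .req file is written to (the CertEnroll folder) is an assumption about this environment, so check the folder after step 1.

```powershell
# Added example, not from the thread: renewing a subordinate CA certificate
# with certutil/certreq. Assumed names: "RootCA\Contoso Root CA" (offline
# root), SUBCA01 (subordinate CA), C:\Transfer (removable media).
# Each section runs on the machine named in its header.

# ---- On the ROOT CA: validity of certificates it issues. These keys are
# read only when the service starts, hence the restart.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc

# ---- On the SUBORDINATE CA (step 1): build a NEW renewal request that keeps
# the existing key pair. A previously submitted .req cannot be reused.
certutil -renewCert ReuseKeys
# Assumption: the request lands in CertEnroll; take the newest one.
$req = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.req" |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $req.FullName 'C:\Transfer\SUBCA01.req'

# ---- On the ROOT CA (steps 2 and 3): submit, approve if pending, export.
$cfg = 'RootCA\Contoso Root CA'
$out = certreq -submit -config $cfg 'C:\Transfer\SUBCA01.req' 'C:\Transfer\SUBCA01.cer'
if ($out -match 'pending') {
    # A root CA that requires approval answers "RequestId: <n> ... pending".
    $id = ($out | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value
    certutil -config $cfg -resubmit $id                       # approve it
    certreq -retrieve -config $cfg $id 'C:\Transfer\SUBCA01.cer'
}

# ---- On the SUBORDINATE CA (step 4): install the new CA certificate.
certutil -installCert 'C:\Transfer\SUBCA01.cer'
Restart-Service certsvc

# Check: the new certificate must chain to the root, and every CDP/AIA URL it
# carries must fetch cleanly; otherwise pkiview.msc keeps reporting errors and
# the CA itself fails with 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
certutil -verify -urlfetch 'C:\Transfer\SUBCA01.cer'
```

If the verification at the end reports a CDP or AIA location as unreachable, the fix is on the root CA's publication URLs (those are what got stamped into the new subordinate certificate), not on the subordinate.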
Hi,
I am trying to install certificate services on a Windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of the nCipher software is 11.30. It is a RootCA, and I am trying to use a key that is already stored in the HSM (I have done this before with a PCI HSM (older HW version)). I select “Use existing private key” and “Select an existing private key on this computer” on the wizard, then I change the CSP to nCipher and click on "search"; the key I am looking for appears and I select that one. I repeat, I have done this before and it works with a PCI HSM module.
The installation is finished before being prompted to insert the operator cards, and it ends with two errors:
<Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
And:
<Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation.
0x8007139f (WIN32: 5023)
The servermanager.log says:
1856: 2014-07-23 18:27:48.195 [CAManager] Sync: Validity period units: Years
1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:48.928 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress.
0x800703e5 (WIN32: 997)'
1856: 2014-07-23 18:27:48.928 [Provider] Adding error message.
1856: 2014-07-23 18:27:48.928 [Provider] [STAT] For 'Certification Authority':
And:
1856: 2014-07-23 18:27:49.053 [CAWebProxyManager] Sync: Initializing defaults
1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
1856: 2014-07-23 18:27:49.162 [Provider] CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct
state to perform the requested operation. 0x8007139f (WIN32: 5023)'
1856: 2014-07-23 18:27:49.162 [Provider] Adding error message.
Has anyone experienced this before? Am I missing something here?
Any help will be very appreciated
Thanks in advance
Best regards
Alejandro Lozano Villanueva
Hi, thanks for your support.
I have been playing around a bit with some ncipher commands and found this:
C:\Program Files (x86)\nCipher\nfast\bin>cspcheck.exe
cspcheck: fatal error: File key_mscapi_container-1c44b9424a23f6cddc91e8a065241a09aa719e4f (key #1): 0 modules contain the counter (NVRAM file ID 021c44b9424a23f6cddc91)
cspcheck: information: 2 containers and 2 keys found.
cspcheck: fatal error occurred.
If I perform the same command on the original server (the server with the original kmdata folder and with the running RootCA services):
E:\nfast\bin>cspcheck.exe
cspcheck: information: 2 containers and 2 keys found.
cspcheck: everything seems to be in order.
Strange?
Moreover, when I run the csptest.exe command (also on both servers), I find this:
On the new server:
C:\Program Files (x86)\nCipher\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.48
User key containers:
Container 'csptest.exe' has no stored keys.
Container 'Administrator' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has no stored keys.
Container 'csptest.exe' has no stored keys.
While in the old server:
E:\nfast\bin>csptest.exe
nCipher CSP test software
=========================
Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
Provider name: nCipher Enhanced Cryptographic Provider
Version number: 1.40
User key containers:
Container 'csptest.exe' has no stored keys.
Machine key containers:
Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
Container 'ROOTCA' has a 2048-bit signature key.
Container 'csptest.exe' has no stored keys.
As you can see, the container called ROOTCA, which is the one that I use during the installation, says it has no stored keys, while on the old server it says it contains a key. Why is this happening? I don't know; I am copying the complete key management folder from one server to another and initializing the security world with that folder as I always do, and I don't have any errors during this procedure.
Do you know what could be the cause of this, or how I can fix this? Thanks a lot, best regards.
Alejandro Lozano Villanueva -
Event ID 91 Could not connect to the Active Directory. Active Directory Certificate Services
Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.
Event ID: 91
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: DC1.chickbuns.com
Description:
Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="49754">91</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-01-07T19:34:00.000000000Z" />
<EventRecordID>819</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>DC1.chickbuns.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_DS_RETRY">
</EventData>
</Event>
:\Users\Administrator>dcdiag /fix
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
Warning: DC1 is not advertising as a time server.
......................... DC1 failed test Advertising
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
......................... DC1 passed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
......................... DC1 passed test Services
Starting test: SystemLog
......................... DC1 passed test SystemLog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : chickbuns
Starting test: CheckSDRefDom
......................... chickbuns passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... chickbuns passed test CrossRefValidation
Running enterprise tests on : chickbuns.com
Starting test: LocatorCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... chickbuns.com failed test LocatorCheck
Starting test: Intersite
......................... chickbuns.com passed test Intersite.
My test lab is using one single domain controller (Server 2008 R2 SP1) and a member Exchange server. The event error 91 is generated; as per the TechNet article http://technet.microsoft.com/en-us/library/cc774525(v=ws.10).aspx, the Domain Computers and Domain Users in the Public Key Services container are not listed.
C:\Users\Administrator>netdom /query fsmo
Schema master DC1.chickbuns.com
Domain naming master DC1.chickbuns.com
PDC DC1.chickbuns.com
RID pool manager DC1.chickbuns.com
Infrastructure master DC1.chickbuns.com
The command completed successfully.
Command Line: "dcdiag.exe /V /D /C /E"
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine DC1, is a Directory Server.
Home Server = DC1
* Connecting to directory service on server DC1.
DC1.currentTime = 20140110072353.0Z
DC1.highestCommittedUSN = 131148
DC1.isSynchronized = 1
DC1.isGlobalCatalogReady = 1
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=chickbuns,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
DC1.currentTime = 20140110072353.0Z
DC1.highestCommittedUSN = 131148
DC1.isSynchronized = 1
DC1.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
===============================================Printing out pDsInfo
GLOBAL:
ulNumServers=1
pszRootDomain=chickbuns.com
pszNC=
pszRootDomainFQDN=DC=chickbuns,DC=com
pszConfigNc=CN=Configuration,DC=chickbuns,DC=com
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
fAdam=0
iSiteOptions=0
dwTombstoneLifeTimeDays=180
dwForestBehaviorVersion=3
HomeServer=0, DC1
SERVER: pServer[0].pszName=DC1
pServer[0].pszGuidDNSName (binding str)=771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
pServer[0].pszDNSName=DC1.chickbuns.com
pServer[0].pszLdapPort=(null)
pServer[0].pszSslPort=(null)
pServer[0].pszDn=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pServer[0].pszComputerAccountDn=CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
pServer[0].uuidObjectGuid=771aab3d-96cd-4fb1-90cd-0899fa6b6207
pServer[0].uuidInvocationId=771aab3d-96cd-4fb1-90cd-0899fa6b6207
pServer[0].iSite=0 (Default-First-Site-Name)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=ea9513a0 01cf0dd4
pServer[0].ftRemoteConnectTime=ea2bca80 01cf0dd4
pServer[0].ppszMaster/FullReplicaNCs:
ppszMaster/FullReplicaNCs[0]=DC=ForestDnsZones,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[1]=DC=DomainDnsZones,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[2]=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[3]=CN=Configuration,DC=chickbuns,DC=com
ppszMaster/FullReplicaNCs[4]=DC=chickbuns,DC=com
SITES: pSites[0].pszName=Default-First-Site-Name
pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pSites[0].pszISTG=CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
pSites[0].iSiteOption=0
pSites[0].cServers=1
NC: pNCs[0].pszName=ForestDnsZones
pNCs[0].pszDn=DC=ForestDnsZones,DC=chickbuns,DC=com
pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=5fc582f9-b435-49a1-aa54-41769fc24206,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.chickbuns.com
pNCs[0].aCrInfo[0].iSourceServer=0
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=
NC: pNCs[1].pszName=DomainDnsZones
pNCs[1].pszDn=DC=DomainDnsZones,DC=chickbuns,DC=com
pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=9e1c2cb8-b90b-4e9f-90dd-9903f935e4af,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.chickbuns.com
pNCs[1].aCrInfo[0].iSourceServer=0
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=
NC: pNCs[2].pszName=Schema
pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=chickbuns,DC=com
pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[2].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[2].aCrInfo[0].iSourceServer=0
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=
NC: pNCs[3].pszName=Configuration
pNCs[3].pszDn=CN=Configuration,DC=chickbuns,DC=com
pNCs[3].aCrInfo[0].dwFlags=0x00000201
pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[3].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[3].aCrInfo[0].iSourceServer=0
pNCs[3].aCrInfo[0].pszSourceServer=(null)
pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[3].aCrInfo[0].bEnabled=TRUE
pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[3].aCrInfo[0].pszNetBiosName=(null)
pNCs[3].aCrInfo[0].cReplicas=-1
pNCs[3].aCrInfo[0].aszReplicas=
NC: pNCs[4].pszName=chickbuns
pNCs[4].pszDn=DC=chickbuns,DC=com
pNCs[4].aCrInfo[0].dwFlags=0x00000201
pNCs[4].aCrInfo[0].pszDn=CN=CHICKBUNS,CN=Partitions,CN=Configuration,DC=chickbuns,DC=com
pNCs[4].aCrInfo[0].pszDnsRoot=chickbuns.com
pNCs[4].aCrInfo[0].iSourceServer=0
pNCs[4].aCrInfo[0].pszSourceServer=(null)
pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[4].aCrInfo[0].bEnabled=TRUE
pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[4].aCrInfo[0].pszNetBiosName=(null)
pNCs[4].aCrInfo[0].cReplicas=-1
pNCs[4].aCrInfo[0].aszReplicas=
5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, chickbuns,
1 TARGETS: DC1,
=============================================Done Printing pDsInfo
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Failure Analysis: DC1 ... OK.
* Active Directory RPC Services Check
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
The DC DC1 is advertising itself as a DC and having a DS.
The DC DC1 is advertising as an LDAP server
The DC DC1 is advertising as having a writeable directory
The DC DC1 is advertising as a Key Distribution Center
The DC DC1 is advertising as a time server
The DS DC1 is advertising as a GC.
......................... DC1 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC DC1 for domain chickbuns.com in site Default-First-Site-Name
Checking machine account for DC DC1 on DC DC1.
* SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
* SPN found :LDAP/DC1.chickbuns.com
* SPN found :LDAP/DC1
* SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
* SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com
* SPN found :HOST/DC1
* SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
* SPN found :GC/DC1.chickbuns.com/chickbuns.com
[DC1] No security related replication errors were found on this DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
......................... DC1 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC1 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
Skip the test because the server is running DFSR.
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC1 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC1 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DC1 on DC DC1.
* SPN found :LDAP/DC1.chickbuns.com/chickbuns.com
* SPN found :LDAP/DC1.chickbuns.com
* SPN found :LDAP/DC1
* SPN found :LDAP/DC1.chickbuns.com/CHICKBUNS
* SPN found :LDAP/771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/771aab3d-96cd-4fb1-90cd-0899fa6b6207/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com/chickbuns.com
* SPN found :HOST/DC1.chickbuns.com
* SPN found :HOST/DC1
* SPN found :HOST/DC1.chickbuns.com/CHICKBUNS
* SPN found :GC/DC1.chickbuns.com/chickbuns.com
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC1.
* Security Permissions Check for
DC=ForestDnsZones,DC=chickbuns,DC=com
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=chickbuns,DC=com
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=chickbuns,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=chickbuns,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=chickbuns,DC=com
(Domain,Version 3)
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC1\netlogon
Verified share \\DC1\sysvol
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
DC1 is in domain DC=chickbuns,DC=com
Checking for CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com in domain DC=chickbuns,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com in domain CN=Configuration,DC=chickbuns,DC=com on 1 servers
Object is up-to-date on all servers.
......................... DC1 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was
not entered
......................... DC1 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
DC=ForestDnsZones,DC=chickbuns,DC=com has 1 cursors.
DC=DomainDnsZones,DC=chickbuns,DC=com has 1 cursors.
CN=Schema,CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
CN=Configuration,DC=chickbuns,DC=com has 1 cursors.
DC=chickbuns,DC=com has 1 cursors.
* Replication Latency Check
......................... DC1 passed test Replications
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=chickbuns,DC=com
* Available RID Pool for the Domain is 1600 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
* DC1.chickbuns.com is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com
* rIDAllocationPool is 1100 to 1599
* rIDPreviousAllocationPool is 1100 to 1599
* rIDNextRID: 1103
......................... DC1 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: DFSR
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC1 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... DC1 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=chickbuns,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC1 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... DC1 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com and backlink on
CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
and backlink on
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chickbuns,DC=com
are correct.
The system object reference (msDFSR-ComputerReferenceBL)
CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=chickbuns,DC=com
and backlink on CN=DC1,OU=Domain Controllers,DC=chickbuns,DC=com are
correct.
......................... DC1 passed test VerifyReferences
Starting test: VerifyReplicas
......................... DC1 passed test VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... DC1 passed test DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : chickbuns
Starting test: CheckSDRefDom
......................... chickbuns passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... chickbuns passed test CrossRefValidation
Running enterprise tests on : chickbuns.com
Starting test: DNS
Test results for domain controllers:
DC: DC1.chickbuns.com
Domain: chickbuns.com
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2008 R2 Enterprise (Service Pack level: 1.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:DE:7F:EB
IP Address is static
IP address: 192.168.1.30
DNS servers:
192.168.1.30 (dc1.chickbuns.com.) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
192.168.1.1 (<name unavailable>) [Valid]
TEST: Delegations (Del)
Delegation information for the zone: chickbuns.com.
Delegated domain name: _msdcs.chickbuns.com.
DNS server: dc1.chickbuns.com. IP:192.168.1.30 [Valid]
TEST: Dynamic update (Dyn)
Test record dcdiag-test-record added successfully in zone chickbuns.com
Test record dcdiag-test-record deleted successfully in zone chickbuns.com
TEST: Records registration (RReg)
Network Adapter
[00000007] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 192.168.1.30:
771aab3d-96cd-4fb1-90cd-0899fa6b6207._msdcs.chickbuns.com
Matching A record found at DNS server 192.168.1.30:
DC1.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.48c41195-2630-4461-aaef-ec2a63cd8bf3.domains._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._udp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kpasswd._tcp.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_kerberos._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.gc._msdcs.chickbuns.com
Matching A record found at DNS server 192.168.1.30:
gc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_gc._tcp.Default-First-Site-Name._sites.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.chickbuns.com
Matching SRV record found at DNS server 192.168.1.30:
_ldap._tcp.pdc._msdcs.chickbuns.com
Total query time:0 min. 3 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:0 min. 6 sec. Total Netuse connection
time:0 min. 0 sec.
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.1.1 (<name unavailable>)
All tests passed on this DNS server
Total query time:0 min. 0 sec., Total WMI connection
time:0 min. 5 sec.
DNS server: 192.168.1.30 (dc1.chickbuns.com.)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
DNS delegation for the domain _msdcs.chickbuns.com. is operational on IP 192.168.1.30
Total query time:0 min. 3 sec., Total WMI connection
time:0 min. 0 sec.
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: chickbuns.com
DC1 PASS PASS PASS PASS PASS PASS n/a
Total Time taken to test all the DCs:0 min. 9 sec.
......................... chickbuns.com passed test DNS
Starting test: LocatorCheck
GC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
PDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
KDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
......................... chickbuns.com passed test LocatorCheck
Starting test: FsmoCheck
GC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
PDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
KDC Name: \\DC1.chickbuns.com
Locator Flags: 0xe00033fd
......................... chickbuns.com passed test FsmoCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... chickbuns.com passed test Intersite -
Active Directory Certificate Services
Hello,
I have an issue with the CRL and delta CRL, which I cannot publish.
The errors are:
1. Active Directory Certificate services could not publish a Delta CRL for key 0 to the following location: ldap:///...
operation aborted 0x80004004 (-2147467260)
and another, event ID 74.
Please help.
Thanks
Mashhour
Hi,
I suggest you start troubleshooting this issue with the guides below:
Event ID 66 — AD CS Certificate Revocation List (CRL) Publishing
http://technet.microsoft.com/en-us/library/cc726342(v=WS.10).aspx
Event ID 74 — AD CS Certificate Revocation List (CRL) Publishing
http://technet.microsoft.com/en-us/library/cc726336(v=WS.10).aspx
Please make sure that the CA has Write permissions on the location mentioned in the event message, and ensure that there is no network connectivity issue between the CA and the Domain Controller.
Best Regards,
Amy -
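Following up on the CRL publishing answer above, here is an added example (my own script, not part of Amy's answer or the original thread) that shows what the CA is actually trying to write when events 66 and 74 are logged. It decodes the CRLPublicationURLs entries from the CertSvc registry key (the flag bits in front of each URL and the %-tokens inside it) and lists the expanded LDAP, HTTP or file targets the CA publishes to, which are the exact locations whose permissions and connectivity need checking. The registry path, flag bit values and token numbers are the documented AD CS ones; the CA name, DNS names and token values in the constructed sample, and the use of the Cert Publishers group check (needs the RSAT ActiveDirectory module), are assumptions.

```powershell
# Added example: decode a CA's CRLPublicationURLs and list the locations the CA
# itself writes to. Sample CA/DNS names below are constructed, not real.

# Flag bits used in each "flags:url" entry of CRLPublicationURLs (CSURL_* values).
$CsUrlFlag = @{
    1   = 'PublishCRL'        # CSURL_SERVERPUBLISH:      CA writes the base CRL here
    2   = 'AddToCertCDP'      # CSURL_ADDTOCERTCDP:       include in CDP extension of issued certs
    4   = 'AddToFreshestCRL'  # CSURL_ADDTOFRESHESTCRL:   include in Freshest CRL extension
    8   = 'AddToCRLCDP'       # CSURL_ADDTOCRLCDP:        include in CDP extension of the CRL
    64  = 'PublishDeltaCRL'   # CSURL_SERVERPUBLISHDELTA: CA writes the delta CRL here
    128 = 'AddToIDP'          # CSURL_ADDTOIDP:           include in IDP extension of the CRL
}

function ConvertFrom-CrlPublicationUrl {
    # Turns raw "flags:url" entries into objects: what each flag means, whether the
    # CA itself writes to the target (so it can fail with events 66/74), and the
    # URL with %-tokens expanded for this CA.
    param(
        [Parameter(Mandatory)][string[]]$Entry,
        [Parameter(Mandatory)][hashtable]$Token   # token number -> value for this CA
    )
    foreach ($e in $Entry) {
        $flagText, $url = $e -split ':', 2        # split on the first ':' only
        $flags = [int]$flagText
        $meaning = $CsUrlFlag.Keys | Sort-Object |
            Where-Object { $flags -band $_ } | ForEach-Object { $CsUrlFlag[$_] }
        # Expand %11 and %10 before %1 so the two-digit tokens are not clobbered.
        $expanded = $url
        foreach ($n in ($Token.Keys | Sort-Object -Descending)) {
            $expanded = $expanded.Replace("%$n", [string]$Token[$n])
        }
        [pscustomobject]@{
            Flags        = $flags
            Meaning      = ($meaning -join ',')
            Scheme       = $(if ($url -match '^(ldap|https?|file)://') { $Matches[1] } else { 'localpath' })
            CaWritesHere = [bool]($flags -band (1 -bor 64))   # base or delta publish bit set
            Target       = $expanded
        }
    }
}

function Get-LocalCaCrlPublicationUrl {
    # Read the live entries when run (elevated) on the CA itself.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    (Get-ItemProperty -Path (Join-Path $base $caName)).CRLPublicationURLs
}

# Constructed sample: the default enterprise-CA entries and token values for an
# assumed "Contoso Issuing CA 01" on MySubCA01.contoso.com, key 0, building a delta CRL.
$SampleEntry = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl',
    '65:file://\\%1\CertEnroll\%3%8%9.crl'
)
$SampleToken = @{
    1  = 'MySubCA01.contoso.com'                 # ServerDNSName
    2  = 'MySubCA01'                             # ServerShortName
    3  = 'Contoso Issuing CA 01'                 # CaName
    4  = ''                                      # CertificateName (empty for the first CA cert)
    6  = 'CN=Configuration,DC=contoso,DC=com'    # ConfigurationContainer
    7  = 'Contoso Issuing CA 01'                 # CATruncatedName
    8  = ''                                      # CRLNameSuffix (empty for key 0)
    9  = '+'                                     # DeltaCRLAllowed ('+' when a delta CRL is built)
    10 = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'  # CDPObjectClass
    11 = '?cACertificate?base?objectClass=certificationAuthority'            # CAObjectClass
}

# Offline run on the sample; on a CA, pass (Get-LocalCaCrlPublicationUrl) as -Entry instead.
ConvertFrom-CrlPublicationUrl -Entry $SampleEntry -Token $SampleToken |
    Where-Object CaWritesHere | Format-Table Flags, Meaning, Scheme, Target -AutoSize

# The ldap:/// target is written by the CA's computer account, which an enterprise CA
# gets through membership of Cert Publishers. Assumes the RSAT ActiveDirectory module.
function Test-CertPublishersMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $members = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive
    [bool]($members | Where-Object { $_.SamAccountName -eq "$ComputerName`$" })
}
```

Only entries with the publish bits (1 or 64) set produce events 66/74 when they fail; entries that are merely included in the CDP extension of issued certificates (flag 2) are never written by the CA, so a failure there shows up on the clients instead. Once the failing target is known, the permission to check for an ldap:/// entry is Write on the CDP container for the CA's computer account, and for a file:// entry it is Write on the share and folder.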
Can't find SSL certificate in SQL server configuration manager?
Hi
It's been 2 days and I need help. I have visited a number of sites and I still can't make it work.
I have two servers: Windows 2012 Standard with SQL 2008 R2 and SQL 2012.
I am trying to set it up on SQL 2008 R2 right now.
I have a certificate from a CA and did the following.
1. Open MMC
2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
3. Right-click on the Personal folder, All Tasks, and Import
4. Installed the certificate with Certificate import Wizard
5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
I did this with a local administrator account as well as the MSSQL account (the SQL Server service account I created). Even though the server is part of a domain, SQL Server is set up with local accounts.
This is a simple summary. I tried everything in the article, such as 'Create Custom Request'.
I am not sure what I am missing. Why can't I see the certificate in SQL Server Configuration Manager?
I even made MSSQL (the service account) an administrator. Not working.
As I am not using the domain service account, I believe the below is not relevant.
Missing detail on "Install a certificate in the Windows certificate store..."
When following recommended security procedures and running SQL server under a domain service account, the service will fail to start after assigning a certificate to the protocols. This is because the service account does not have permissions to read
the private key. Fix this in the Certificates MMC snap-in (preferably right after installing the certificate.) Select the certificate you just imported, then in the Action menu select "Manage private keys." Grant the domain service
account read access to the private key of the server certificate.
Below are a few of the references I looked at:
https://support.microsoft.com/en-us/kb/316898/
https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx
Hi Dinesh
Thanks for the reply.
I did look into both sites as well, but it did not work.
Below are the steps to install the SQL Server certificate, and I was stuck at step 9. When I click 'Next' in the wizard, I don't get to a place where I can select 'Computer' as the certificate type.
Do you know what is wrong please?
Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
On the File menu, click Add/Remove Snap-in...
Select Certificates, click Add.
You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
Select Local computer, and then click Finish.
Click OK in the Add/Remove Snap-in dialog box.
Click to select the Personal folder in the left-hand pane.
Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
Now you should see the certificate in the folder with the fully qualified computer domain name -
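As an added check that is not part of the thread (the step list above is the asker's; this script is mine), the PowerShell below audits the computer's Personal store for a certificate SQL Server Configuration Manager will actually offer: it must be in LocalMachine\My, have a private key, carry the server's fully qualified name as the subject CN, include the Server Authentication EKU if it has an EKU at all, and not be expired. It then reports whether the SQL Server service account holds Read on the private key file, which is the permission the quoted documentation says to grant through "Manage private keys". The service account name is a placeholder, and the private-key path logic assumes a legacy CSP key (the kind SQL Server 2008 R2 and 2012 use); run it elevated.

```powershell
# Added example: audit LocalMachine\My for a certificate SQL Server can use and
# check the service account's Read access to its private key.
# $ServiceAccount is a placeholder: use the account shown in SQL Server
# Configuration Manager (e.g. 'CONTOSO\svc_sql' or 'NT Service\MSSQLSERVER').
$ServiceAccount = 'CONTOSO\svc_sql'
$Fqdn           = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthEku  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-SubjectCn {
    param([string]$Subject)
    $cn = $Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $cn.Substring(3) } else { '' }
}

function Get-PrivateKeyFile {
    # CSP (legacy) machine keys live under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
    # CNG keys are not handled here; older SQL Server versions need CSP keys anyway.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $info = $Cert.PrivateKey.CspKeyContainerInfo
        if ($info -and $info.MachineKeyStore) {
            return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
        }
    } catch { }   # no access to the key container counts as "not found"
    return $null
}

function Test-PrivateKeyRead {
    # Looks for a direct Allow ACE for the account; rights inherited through group
    # membership (e.g. Administrators) are not resolved here.
    param([string]$KeyFile, [string]$Account)
    if (-not $KeyFile -or -not (Test-Path -Path $KeyFile)) { return $false }
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $allow = (Get-Acl -Path $KeyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    [bool]$allow
}

function Test-SqlServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn,
        [string]$Account
    )
    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    $cn = Get-SubjectCn -Subject $Cert.Subject
    if ($cn -ne $Fqdn) { $reasons += "subject CN '$cn' is not the FQDN '$Fqdn'" }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $ServerAuthEku)) {
        $reasons += 'EKU does not include Server Authentication'
    }
    if ($Cert.NotAfter -lt (Get-Date)) { $reasons += 'expired' }
    $keyFile = Get-PrivateKeyFile -Cert $Cert
    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        SubjectCN      = $cn
        Eligible       = ($reasons.Count -eq 0)
        Reasons        = ($reasons -join '; ')
        KeyFile        = $keyFile
        AccountCanRead = Test-PrivateKeyRead -KeyFile $keyFile -Account $Account
    }
}

# Report: Eligible=True with AccountCanRead=False is the case the quoted documentation
# describes, where the service fails to start after the certificate is assigned.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-SqlServerCertificate -Cert $_ -Fqdn $Fqdn -Account $ServiceAccount } |
    Format-List

# Same effect as "Manage private keys" in the Certificates snap-in; apply it only to
# the certificate you actually assign to SQL Server.
function Grant-PrivateKeyRead {
    param([string]$KeyFile, [string]$Account)
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}
```

A certificate that lands in Trusted Root Certification Authorities as well as Personal, as in the asker's step 5, is a sign the imported file was the CA's own certificate or a chain rather than the server certificate with its private key; the report above flags that case as "no private key".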
How to get certificates "signed" for SSL configuration
I have configured EID 3.1 to use SSL. The generate_ssl_keys utility was used to generate the SSL certificates, but when we log in to Studio we get the "The site's security certificate is not trusted!" message. Has anyone got any advice on how to get the generated certificates signed by a CA?
In EID 3.1, the generate_ssl_keys utility is used to create a local CA and certificates for securing access to Endeca Server. Studio uses these certificates/keys internally to access the secured Endeca Server. These certificates are normally only used to internally secure Studio and Endeca Server (and Provisioning Service) communications.
Securing Studio with SSL/TLS from the client browser to Studio is a separate task. The documentation topic is http://docs.oracle.com/cd/E40518_01/studio.310/studio_security/toc.htm#Configuring%20SSL%20on%20the%20Studio%20application%20server which contains links to the application server topics. This is primarily an application-server task: you would follow the instructions for the application server and/or your certificate/CA supplier, so you end up with trusted certificates.
One common configuration is to have Studio's SSL/TLS terminated on a reverse proxy such as OHS, so you may want to consider this option. -
Almost all of my service bus has the following issue. The error message I have from the Management Portal was "An error occurred while retrieving the Service Bus namespace configuration information. Please try again later." This has happened for almost 2 days.
Anyone facing the same issue? How to resolve this?
Hi,
If you create a new one, do you receive the same issue? If so, I suggest you submit a ticket at:
http://www.windowsazure.com/en-us/support/contact/
Best Regards,
Jambor
-
SMLETS. Get related Business Services from a Configuration Item
Hi
I need some help or guidance on how to create a PS query to list out all the related business services from a Configuration Item (Computer) using the Windows Computer class.
I'm using the following Orchestrator activity today to get the related business services from the CI.
Thx for all replies! :)
Hi,
you can use this script as an example:
Import-Module smlets
# Define input values
[String]$Server = "SCSMSERVER"
[String]$SCObjectGUID = "6555226c-5e77-ea85-b79f-05dc8843dcb0"
# Get the computer object by its SC object GUID
[System.Object]$Computer = Get-SCSMObject -Id $SCObjectGUID -ComputerName $Server
# Get the relationship class "Is Related to Configuration Item"
[System.Object]$Relationship = Get-SCSMRelationshipClass -Name "System.ConfigItemRelatesToConfigItem" -ComputerName $Server
# Get the relationships that have this computer as their target, limited to that relationship class
[System.Object[]]$RelatedBSs = Get-SCSMRelationshipObject -ByTarget $Computer -ComputerName $Server | where { $_.RelationshipId -eq $Relationship.Id }
# Create an array for Orchestrator published data
$BusinessServiceDisplayNames = @()
foreach ($RelatedBS in $RelatedBSs) {
    # Add the display name of the business service (the relationship's source object) to the output array
    $BusinessServiceDisplayNames += $RelatedBS.SourceObject.DisplayName
}
$BusinessServiceDisplayNames -
Hi,
I need to create local digital signatures for my users. How can I do that using W2k8 Active Directory Certificate Services? We are going to sign Office 2010 documents.
What company offers cheap digital signature solutions?
Thanks in advance
Consider the following:
If you use your local CA server to issue digital signature certificates, there is no cost, because you are eligible to issue as many certificates as you need. However, documents signed by these certificates will be considered trusted only within your AD forest and on other machines that explicitly trust your local CA. Any external client will not trust your signatures.
If you want to make your signature trusted outside your network (say, worldwide), you need to purchase a certificate from a trusted commercial CA (VeriSign, GoDaddy, GlobalSign, StartCom, etc.) according to the respective vendor's price list. In that case you don't need to have your local CA server, because it is not used. All certificate management is performed by the external CA. The most common scenario is to purchase signing certificates for particular department principals (head managers) or a few certificates for a whole company (all documents are reviewed by a responsible person or persons who hold the signing certificate and sign them after review).
So, it is not clear from your post what exactly you need.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki -
Web Service Security not configured on this component.
Hi Experts,
Before configuring the scenario, I went to RWB to check whether the components are in active mode or not.
Integration Engine XID
Business Process Engine XID
Mapping Runtime XID
Adapter Engine XID
Integration Engines
All components are in green mode except Integration Engine; the Integration Engine is in yellow mode
and shows the following details.
Details for 'Is Web service security available?'
Web Service Security not configured on this component.
Can you give the solution for this?
Hi,
1. While sending an IDoc from SAP R/3 to PI, SM58 in R/3 shows the following error:
"No service for system SAPQA,client 200 in integration directory"
Even the Business system is pointing to R/3.
From your initial post, it appears that you are using the XID system, and from the above error I believe you are trying to send the IDoc from the QA system. R3 dev will communicate with PI dev, so verify the partner profile and ports in your IDoc header settings.
2. When I execute the tcode SM58 in PI it shows the following error:
"Syntax error in program SAPLSXI_AC_CACHE _REFERESH"
I am kind of confused how SM58 can show an error for this program, as SM58 is for checking the transactional RFCs and SAPLSXI_AC_CACHE_REFERESH is for the XI cache refresh for Alert Category. Maybe someone else can explain this.
3. When I execute the tcode SXI_CACHE
Under the STATUS OF RUNTIME CACHE
Unable to refresh cache contents
Error during last attempt to refresh cache
(red triangle above both)
Check SAP Note 764176; it might help in your situation.
Worth reading - http://help.sap.com/saphelp_nw04/helpdata/en/0d/28e1c20a9d374cbb71875c5f89093b/frameset.htm
4. Still there are no messages in message monitoring.
Obviously, because of error #1 you are unable to send IDocs, so how do you expect messages to reach PI? Strange, isn't it?
Hope this helps.
Regards,
Neetesh -
PerformancePoint Services is not configured correctly but I'm Site administrator
Hi experts
I recently created a business intelligence site and set my Active Directory user as administrator.
I'm the server and database administrator too.
But when I want to create a data source I get this error:
The Data source cannot be used because PerformancePoint Services is not configured correctly
I saw some solutions on the internet, but some of them say that I should set an unattended user for the PerformancePoint service.
I'm the site administrator, so why should I set an unattended user?
thanks
semi developer
You should set the Unattended Execution Account if you don't want to set credentials for data sources.
Kind regards,
Margriet Bruggeman
Lois & Clark IT Services
web site: http://www.loisandclark.eu
blog: http://www.sharepointdragons.com -
Migrating Certificate Services to Server 2012 in a 2008 R2 AD Domain
We have a Windows 2008 R2 SP1 Active Directory domain. Our Enterprise Certificate server is running on Windows 2003 R2. We'd like to introduce a Windows 2012 server into our existing domain and migrate the Certificate Services to that new box. Are there any 'gotchas' to implementing Certificate Services on a Windows Server 2012 system in a Windows 2008 R2 SP1 domain that we should be concerned with?
Orange County District Attorney
Hi,
You can migrate Certificate Services to another server, but the server name should be the same. Also, changing the name of a server that has the CA role installed is not recommended.
AD CS Migration: Preparing to Migrate
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
http://technet.microsoft.com/en-us/library/ee126102(v=ws.10).aspx
Also, I would request that you post this question in the security forum:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Also consider the Windows Server 2012 General forum:
http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread
Best regards,
Abhijit Waikar.
MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
Blog: http://abhijitw.wordpress.com
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.