DHCP not handing out IP leases to non-domain members

Similar Messages

• DHCP not handing out addresses

  Hi all
  I have Windows Server 2008 sp2 roles AD DNS and DHCP.
  Several days my server DHCP is "hangs"
  a few hours after restart
  C:\Windows\system32\svchost.exe -k DHCPServer run on 50 % on procesor and mmc not responding I must before kill proses svchost and start DHCP is
  looks good but not response to client PC

  Run a free malware scan using the following to make sure there is no infection.
  Microsoft's Safety Scanner (gest updated regularly):
  http://www.microsoft.com/security/scanner/en-us/default.aspx
  MalwareBytes free scanner - update before you run (to use the free version for occasional scans, do not opt to try the free 30 day pro version during installation)
  www.malwarebytes.com
  Are there any event log errors?
  As a test, if you run it without any third party services running, does it do the same thing? To do that, from a Start/Run box, run
  msconfig, select Service tab, click on Hide Microsoft Services, then make sure the list left is checked, and disable them, and restart. Run it as a test, and if it doesn't occur, then you know it's third party software doing it.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Lion Server not handing out DHCP addresses to Snow Leopard client

  I have been pulling my hair out over this.
  Here is the layout
  Lion Server running on the newest Mac Mini and doing mail, DNS, DHCP, Software update and has a valid, not self assigned, certificate
  3 clients running Lion Desktop (2 iMACs and a MBP pro (all no more that a year old and all woth the current updates)
  1 client running Snow Leopard Desktop (last years 13 inch MBA)
  The 3 Lion clients can get dhcp fro mthe Lion server without any issue
  The SL client cannot get a DHCP address from the Lion server
  A tcpdump shows the DHCP request coming from the MAC address of the SL client but no response from the Lion Server and nothing showing a deny in the logs for the DHCP server or any other system/kernel logs. The Lion clients all show the request and reply for them. All 4 clients currently have a static assignment in DHCP but even if I remove them all and do auto-assign for everything or even each one individually, the SL client will not get an address both on the Wifi and Ethernet (I have the USB ethernet adapter).
  I also have an Aiport Extreme and if I use that for the DHCP server then all clients get the addresses. I know the DHCP server in the extreme cannot be shut down but if you give the extreme a static address then assign dhcp on the extreme to only give out one address and that is the same one that is statically assigned then it "thinks" it is out of addresses and no longer tries to assign addresses
  At first I thought there was a conflict between the extreme and the Lion server but as I mentioned above, tcpdump clearly shows the requests going right to the Lion server
  I'm usually pretty good at this kind of thing but this one has me stumped. I'm thinking bug, anyone else run into this yet?

  Ryan jones,
  > Having trouble with our dhcp server handing out IP addresses through the
  > Wireless Lan Controller.
  Has it ever worked? Is the Wireless controller configured to forward DHCP
  requests to your DHCP server?
  Anders Gustafsson (NKP)
  The Aaland Islands (N60 E20)
  Have an idea for a product enhancement? Please visit:
  http://www.novell.com/rms

• New Subnet not handing out IP Addresses

  I have created a new subnet (10.168.64.x) on a Netware 6.5 server using DNS/DHCP Admin Tool.
  The old subnet (10.168.60.x) is running out of IP addresses but still functioning properly. The new subnet (10.168.64.0) is showing in DNS/DHCP but not handing out addresses.
  I have done all of the following-
  -Bound an IP address to the Server in the range of the new subnet (10.168.64.1)
  -Unloaded and Loaded DHCPSRVR
  Still no luck - What are some other steps I can take to get this new Subnet to hand out IP's?
  I loaded DHCPSRVR -d2 and got the following message - https://docs.google.com/document/d/1...it?usp=sharing
  Any help is appreciated!

  If you don't get any replies here, try the DNS/DHCP specialist forum
  https://forums.novell.com/novell-pro...dent/dns-dhcp/

• Server 2008 DHCP is handing out the wrong DNS server.

  We have two new 2008 DC that handles, DNS, DHCP and WINS. Our DHCP scopes have been migrated to these servers. We are seeing some random issues where clients are using the new dhcp server but the old dns server information is listed for the some systems. We discover this by using network monitor on the old DC, DNS, DHCP server.  Once the client performs a ipconfig /renew, the problem is corrected. Any ideas?

  Hi BrianAuH20,
  Thank you for posting here.
  Based on your description, I understand that your Windows 2008 DHCP server hands out the wrong DNS server address.
  To troubleshoot this issue, please perform the follow steps to see whether the clients retrieve the right DNS server address.
  1.     Temporarily make the old DC, DNS, DHCP server offline.
  2.     Check the new 2008 DHCP server setting.
                        i.        In the DHCP console tree, under Scope [172.16.0.0] SS Scope, right-click Scope Options, and then click Configure Options.
                       ii.        On the Advanced tab, verify that Default User Class is selected next to User class.
                      iii.        Select the 006 DNS Servers check box, in IP Address, under Data entry, type DNS Server IP address, and then click Add.
                      iv.        Select the 015 DNS Domain Name check box, in String value, under Data entry, type your domain's FQDN name, and then click OK.
  3.     Restart the DHCP service.
  For more information, you may refer to:
  http://technet.microsoft.com/en-us/library/ee404786(WS.10).aspx
  Hope this helps.
  Sincerely,
  Wilson Jia
  This posting is provided "AS IS" with no warranties, and confers no rights.

• AX does not hand out ip addresses in roaming mode

  I am trying to set up roaming network in my house using a Airport Extreme as the main router and a ethernet connected (via Powerline HD) Airport Express on the second floor of my house. I followed the usual instructions to set up the Airport Express to create wireless network in bridge mode.  The Express allows clients to connect and accepts the password but does not hand out ip addresses. so the roaming device (an ipad and an Air) end up with self-assigned addresses in the 169.*.*.* range.
  How do I correct this?
  option click on the Air wifi symbol shows that its corrected to the correct wifi base station
  Airport Utility sees both the main Extreme base station and the Express second floor base station, and neither reports any problems.
  Thanks.

  I am trying to set up roaming network in my house using a Airport Extreme as the main router and a ethernet connected (via Powerline HD) Airport Express on the second floor of my house. I followed the usual instructions to set up the Airport Express to create wireless network in bridge mode.  The Express allows clients to connect and accepts the password but does not hand out ip addresses.
  Actually, with the AirPort Express in bridge mode, the AirPort Extreme would be the router "handing out" the IP addresses as they would just be "passing through" the Express in this configuration.
  Let's double-check your roaming network configuration, just to be sure nothing was missed.
  Roaming Network Setup
  Ref: See page 42 of the Apple AirPort Networks guide.
  Setup the AirPort connected to the Internet to "Share a public IP address." Internet > Internet Connection > Connection Sharing: Share a public IP address
  Setup the remaining AirPorts, as bridges. Internet > Internet Connection > Connection Sharing: Off (Bridge Mode) For each AEBSn in the roaming network:
  For each base station:
  Connect to the same subnet of the Ethernet network.
  Provide a unique Base Station Name.
  The Network Name (SSID) should be identical.
  If using security, use the same security type (WEP, WPA, etc.) and password. Note: It is highly recommended that you use WPA2 Personal for best bandwidth performance.
  Make sure that the channel is set at least three channels apart from the next base station to prevent Wi-Fi interference.

• RDP using Smartcard fails with NLA for non-domain members

  We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate
  over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".
  My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and
  on the servers in the domains.
  What is necessary to get NLA with smart cards working for non-domain members?
  Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA

  Hi,
  Thank you for posting in Windows Server Forum.
  If you use the credential SSP on Windows Vista or Windows 7 to log on with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel
  cannot be established without the root certification of the domain controller.
  You can use following command for adding certificate.
  certutil –addstore –enterprise NTAUTH <CertFile> 
  Where <CertFile> is the root certificate of the KDC certificate issuer.
  More information.
  Smart Card and Remote Desktop Services
  http://technet.microsoft.com/en-us/library/ff404286(WS.10).aspx
  Apart there is one Hotfix might resolve your case, go through beneath link once.
  RDS client computer cannot connect to the RDS server by using a remote desktop connection in Windows
  http://support.microsoft.com/kb/2752618
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• New 2008 R2 DHCP server will not hand out IP addresses

  We've recently migrated our Domain Controllers to 2008 R2, Virtual Machines. (DC3 & DC4).
  DC2 is an older 2003 box, 32 bit, set for retirement.  All former roles have been moved to DC3 & DC4, including FMSO roles, and the server (DC2) has been demoted.  The only service that remains on DC2 is DHCP.
  I've used NETSH to export / import the DHCP info to DC4.  All reservations have transferred ( Printers) and the scope shows "active" on DC4 and authorized, and running, but whenever I shut DHCP down on DC2, DC4 doesn't start handing out
  IP addresses to clients.
  Even after rebooting a client multiple times, running ipconfig /release & /renew, it never finds the new DHCP server, nor does the server show any client information in the address leases. (other than reserves)
  We have a Cisco ASDM deployed, but DHCP and DNS are both disabled on this device, so I'm not sure IP Helper would be an issue here.
  Since both my new DC's are 2008R2, do I need to elevate active directory up to 2008 function before DHCP will work?

  Hi,
  Is the issue resolved? As suggested by
  Wyatt Miller, you can check if it was caused by IP helper.
  In addition, is the new server authorized?
  Here is a migration guide for you:
  Migration of DHCP Server from Windows Server 2003 to Windows Server 2008
  http://blogs.technet.com/b/teamdhcp/archive/2009/02/18/migration-of-dhcp-server-from-windows-server-2003-to-windows-server-2008.aspx
  Hope this helps.

• WMI filtering / GPO for non domain members

  Hi all,
  Our customer make use of a Windows Server 2008 R2 RDS. We use some thin clients and win7 workstations to connect with it inside our domain.
  We had a policy for automatic screen lock and secure with password, but they doesnt want to use it anymore for the users who's working internally. So i disabled this policy.
  What they want is a policy for all homeworkers or users connecting from an internet cafe or something. So if they are not connecting from a specific subnet or domain, the screens have to lock automatically after a few minutes.
  Does anyone know how i can do this? Do i have to create a WMI filter for computers which are not domain members or do i have to do this for a specific subnet?
  Thanks!
  Kind regards, Raymond

  I thought I should clarify this based on your question:
  You say you want filtering based on "non-domain users".  Are you saying you have users connecting in that are not using AD accounts?  How are you doing this?  Are they using local accounts on the server?
  How are you allowing non-domain accounts to connect? Where are the accounts defined?
  Maybe you really are asking qabout domain users connecting from the WAN and not from the LAN.  Is that what you are trying to ask?
  ¯\_(ツ)_/¯

• WRE54g not handing out IP address to client systems

  This is probably a silly question, but I'll ask it anyways.
  We have a Linksys WRT54G ver6 running latest firmware revision 1.02.0 along with a WRE54G ver3 running firmware 3.01.01.
  Both devices are configured to use WPA-PSK security, and I have reconfirmed that the key is the same on both devices.
  The wireless router is connected to our existing wired network, and so the DHCP functionality of the router is disabled as we want wireless clients to get their IP address from our existing DHCP server on the wired network. This part works fine, wireless systems can connect to the wireless router and they are given an IP address from the range configured on our wired DHCP server.
  The range expander has been configured with the same SSID, and security settings as the wireless router. Wireless clients can see the SSID being broadcast by the range expander and they are able to connect to it, but they are not given an IP address.
  Is this because the range expander is expecting to receive the IP's from the DHCP server on the wireless router ( which is disabled ) and does not know anything about our existing wired DHCP server?
  Thanks.

  ok I knew this was going to be something silly.
  I tried disabling the wireless security on both devices and this allowed wireless clients to receive an IP address from the Range expander ( verified by the MAC address of the Access point the wireless clients were connected to ).
  So I rechecked the security settings again, the key was fine but the issue turned out to be that the wireless router was configured to use WPA2 while the range expander only seems to have support for WPA. Once I enabled WPA on the wireless router, the wireless clients were able to connect and receive their IP address via the Range expander.

• DHCP not giving out adresses

  Hi there,
  just upgraded from Lion Server to ML Server. I found that everything is runnign quite smooth here (OD Master with 800+ users, NetInstall, etc etc), but I have problems with my DHCP Service:
  As is written in Apple's KB Article, all the config files with my setup from Lion Server are still there and the service also is up and running, but my clients just won't get IPs and settings via DHCP. I also thought about firewall issues, but just as with DHCP, these settings were kept and are up and running. I've also found the tutorial from Krypted.com and read the other posts, but I really can't find the problem's source.
  Anybody here with similar problems?
  best whishes,
  Christian

  Thanks man! That's been it. Who would guess, that although they transfer all the settings when upgrading, the server is disabled

• Install SCCM on non-domain-membered server!

  Dear friends
  in my SCCM topology ,on perimeter side , i have server which i want install Primary server to receive updates from internet and give to other side primary server (like WSUS upstream/downstream scenario),but in perimeter i don't have any active directory
  infrastructure so i cant join server to domain(which is required by SCCM installation)...
  how can i implement this scenario?
  any help would be strongly appreciated+++

  I want one of my SCCM primary server's in LAN can access to A Server (i want install primary server but i cant) in Perimeter (which i dont have AD infra) and take updates and then deploy them to LAN.
  i think i can use one WSUS in the Perimeter Zone instead of Primary SCCM server!Right?

• Handing out wrong default gateway

  I'd like to add a WRT54g2 to my LAN. I'd like it to communicate with my existing LAN router, and not to talk directly to the LAN. Therefore, in Basic Setup, I don't have the top part (Internet Setup) configured. Is that a mistake?
  But, it seems that when I enable DHCP, it hands out its own IP as gateway, and then doesn't seem to send the traffic on upstream. When I configure clients manually with the real router IP, they work fine.
  So, I'd like, I guess, Linksys to forward traffic on a static route to real router. How do I do this? Adding a route to real router yields the error, "maybe default route already exists."
  Thanks!

  Only one router should have DHCP enabled, your first router is doing this.  Connect the 2nd router via cable to Lan-Lan,disable DHCP and set it's IP to 192.168.2.1.

• "Unable to check revocation" error while checking CDP from non-domain user account

  Hi!
  I use 3-tier PKI infrastructure:
  Stand-alone offline Root CA: RootCA;
  Stand-alone offline Intermediate subordinate CA: SubCA;
  Enterprise CA: EntSubCA.
  In certificate we have three CDP point for CRL check:
  ldap:///, http:// and file://
  I have Windows 2008 R2 server joined to domain.
  I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
  When I use domain user account for revocation checking, all OK.
  I have access to any CDP and all fine.
  But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
  My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
  Here is the logfile from local user:
  Issuer:
  CN=EntSubCA
  DC=DED
  DC=ROOT
  Subject:
  CN=servername.domain_name
  Cert Serial Number: 5a896145000300006ee2
  dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
  dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
  dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
  dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
  dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
  ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
  HCCE_LOCAL_MACHINE
  CERT_CHAIN_POLICY_BASE
  -------- CERT_CHAIN_CONTEXT --------
  ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
  CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  NotBefore: 05.02.2015 20:03
  NotAfter: 05.02.2016 20:03
  Subject: CN=servername.domain_name
  Serial: 5a896145000300006ee2
  SubjectAltName: DNS Name=servername.domain_name
  Template: Machine
  70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  Verified "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Base CRL CDP ----------------
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Base CRL (018d)" Time: 0
  [1.0] file://\\ca\crl\EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [1.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [1.0.2] http://webserver/crl/EntSubCA.crl
  OK "Base CRL (018d)" Time: 4
  [2.0] http://webserver/crl/EntSubCA.crl
  Failed "CDP" Time: 0
  Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
  [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Old Base CRL "Delta CRL (018d)" Time: 0
  [2.0.1] file://\\ca\crl\EntSubCA.crl
  Old Base CRL "Delta CRL (018d)" Time: 4
  [2.0.2] http://webserver/crl/EntSubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 018d:
  Issuer: CN=EntSubCA, DC=DED, DC=ROOT
  33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
  CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SubCA
  NotBefore: 13.11.2014 19:12
  NotAfter: 13.11.2017 19:22
  Subject: CN=EntSubCA, DC=DED, DC=ROOT
  Serial: 6109015b000100000008
  Template: SubCA
  9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
  Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
  file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
  Verified "Certificate (0)" Time: 0
  [1.0] file://\\ca\crl\SubCA.crt
  Verified "Certificate (0)" Time: 4
  [2.0] http://webserver/crl/SubCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (32)" Time: 0
  [0.0] file://\\ca\crl\SubCA.crl
  Verified "Base CRL (32)" Time: 4
  [1.0] http://webserver/crl/SubCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 32:
  Issuer: CN=SubCA
  8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
  CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 28.05.2008 12:09
  NotAfter: 28.05.2058 12:19
  Subject: CN=SubCA
  Serial: 616bd19f000100000004
  Template: SubCA
  06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 4
  [0.0] http://webserver/crl/RootCA.crl
  Verified "Base CRL (1c)" Time: 0
  [1.0] file://\\ca\crl\RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=RootCA
  NotBefore: 27.05.2008 16:10
  NotAfter: 27.05.2110 16:20
  Subject: CN=RootCA
  Serial: 258de6fbd3bbab92460530e9e9f10536
  5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crt
  Verified "Certificate (0)" Time: 4
  [1.0] http://webserver/crl/RootCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (1c)" Time: 0
  [0.0] file://\\ca\crl\RootCA.crl
  Verified "Base CRL (1c)" Time: 4
  [1.0] http://webserver/crl/RootCA.crl
  ---------------- Base CRL CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  CRL 1c:
  Issuer: CN=RootCA
  dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
  Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
  Exclude leaf cert:
  5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
  Full chain:
  ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
  Verified Issuance Policies: None
  Verified Application Policies:
  1.3.6.1.5.5.7.3.2 Client Authentication
  1.3.6.1.5.5.7.3.1 Server Authentication
  ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
  CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
  CertUtil: -verify command completed successfully.

  What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
  (you also use FILE URLs for publication, which again is not recommended).
  The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
  For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
  an internally and externally accessible, highly available Web cluster.
  the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
  certutil -dspublish -f RootCA.crt.
  This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
  Brian

• DHCP Server is not passing out DHCP Leases

  I can't seem to figure out why DHCP server is not passing out DHCP lease a client?
  Also I can't seem to figure out why NVI0 interface is UP? I have setup another box similarly and NVI0 is down on that and the DHCP server is working fine on that too. Strange!
  I am working on CISCO 881 VPN Router...Please have a look at it and let me know. Thanks
  Here is the configuration in the box...
  sh run
  Building configuration...
  Current configuration : 6543 bytes
  ! Last configuration change at 17:09:54 CST Fri Sep 14 2012 by XXXXX
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname XXXXX
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  aaa new-model
  aaa authentication login default local
  aaa authentication login vpn_xauth_ml_1 local
  aaa authentication login sslvpn local
  aaa authorization network vpn_group_ml_1 local
  aaa session-id common
  memory-size iomem 10
  clock timezone CSTime -6
  clock summer-time CST recurring
  crypto pki trustpoint TP-self-signed-3079619067
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3079619067
  revocation-check none
  rsakeypair TP-self-signed-3079619067
  crypto pki certificate chain TP-self-signed-3079619067
  certificate self-signed 01
    30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33303739 36313930 3637301E 170D3132 30393134 31393231
    32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30373936
    31393036 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100993C D622004B F3AEA1E5 81106C28 36EC52D0 5435ABC3 8912095F 3641168A
    B67D97AF AEB43CF3 00A00EB5 702FA355 9F58EBEF F42294DC 0E32CF40 E17D372A
    3BC36401 55EDBA5C 910B7A51 89D709A8 7EAB3FF0 E4C99D34 CBE3F316 069C0E16
    BC284055 35E3D762 463DABF6 852C4E7A D2EF45A4 21F08689 4DF17870 9E2A6C27
    1BFB0203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
    551D1104 1E301C82 1A506F70 6C617276 696C6C65 2E796F75 72646F6D 61696E2E
    636F6D30 1F060355 1D230418 30168014 64EA4CAE 2029E4C2 702584C6 B5732464
    5C9DA38A 301D0603 551D0E04 16041464 EA4CAE20 29E4C270 2584C6B5 7324645C
    9DA38A30 0D06092A 864886F7 0D010104 05000381 81006C27 96E06B83 04DBDA81
    EEB0AF35 84ED370E A8C9694E F9B9326D 69CB1043 9C396D7B 760D252F 4881926D
    878E434F 9AFC3E6D A5BF43F2 E619D6EC F45C039A 5FFB478F A99F7EE5 274E37D5
    11976FDE 823FD1A9 700203E5 67A329B3 F4CF45F0 245757C8 E2349276 B13414D1
    017616FA 38A40BA8 42545AC5 C7676D21 29E4F491 CADB
          quit
  ip source-route
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.1.1 192.168.100.101
  ip dhcp excluded-address 192.168.1.254
  ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 0 2
  ip dhcp pool Internal_Network
     network 192.168.1.0 255.255.255.0
     dns-server 192.168.100.254
     default-router 192.168.1.254
  ip cef
  ip domain name yourdomain.com
  ip name-server 192.168.100.254
  no ipv6 cef
  license udi pid CISCO881-K9 sn FTX1604828T
  username XXXXX privilege 15 secret 5 $1$QEcR$96cmvs/h/.05G6BnorcWG/
  username XXXXX secret 5 $1$PQQ1$3.Vin0i/2uZ/KD0xEJ8GC.
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp client configuration group YYYYYYY
  key XXXXX_XXXXX_XXXXX
  pool VPN-Pool
  acl VPN-Access-List
  crypto isakmp profile vpn-isakmp-profile-1
     match identity group YYYYYYY
     client authentication list vpn_xauth_ml_1
     isakmp authorization list vpn_group_ml_1
     client configuration address respond
     virtual-template 2
  crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
  crypto ipsec profile VPN-Profile-1
  set transform-set encrypt-method-1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  description WAN_INTERFACE
  ip address 192.168.100.3 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface Virtual-Template2 type tunnel
  ip unnumbered FastEthernet0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile VPN-Profile-1
  interface Vlan1
  description VLAN1_INTERFACE
  ip address 192.168.1.254 255.255.255.0
  no ip redirects
  no ip unreachables
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  ip local pool VPN-Pool 192.168.1.151 192.168.1.200
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 100 interface FastEthernet4 overload
  ip nat inside source static tcp 192.168.1.100 21 192.168.100.3 21 extendable
  ip nat inside source static tcp 192.168.1.100 80 192.168.100.3 80 extendable
  ip route 0.0.0.0 0.0.0.0 192.168.100.254
  ip access-list extended VPN-Access-List
  permit ip 192.168.1.0 0.0.0.255 any
  permit tcp host A.B.C.D host 192.168.1.100 eq ftp
  permit tcp host A1.B1.C1.D1 host 192.168.1.100 eq ftp
  permit tcp host A2.B2.C2.D2 host 192.168.1.100 eq ftp
  permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.100 eq ftp
  permit tcp host A3.B3.C3.D3 host 192.168.1.100 eq ftp
  permit tcp any host 192.168.1.100 eq XXX
  access-list 23 permit 10.10.10.0 0.0.0.7
  access-list 23 permit 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  no cdp run
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner motd ^C XXXXX-XXXXX VPN Router ^C
  line con 0
  exec-timeout 30 0
  logging synchronous
  no modem enable
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  password 7 124A50424A5E5550
  transport input telnet ssh
  scheduler max-task-time 5000
  end

  Hi Jennifer,
  I have gotten it resolved. Per your suggestion, I have turned on debug ip dhcp events and found that POOL EMPTY message. After little research, I found out that I have made a mistake in my excluded-address range.
  I have had it as 
  ip dhcp excluded-address 192.168.1.1 192.168.100.101
  It should have been
  ip dhcp excluded-address 192.168.1.1 192.168.1.101.
  It was a typo.
  Thank you for the suggestion.
  Srini