Installing Domain Controller certificates remotely - private key remains on local server!

Using a 3rd party CA (Entrust), I have successfully requested and installed Domain Controller certificates via the Certificates MMC snap-in.
I did this from one Domain Controller, and then just used the (right click) "Connect to another computer" option to do the rest. Everything looks absolutely fine, the certificates look OK: the certificate chain is complete and valid (all CA certs are installed) and the certificates say "You have the private key that corresponds to this certificate".
If I do an LDAPS bind using LDP.exe, it works fine on the first DC.
Do this on the next and I get the error:
Cannot open connection
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DCHostname.
After some checking I looked in the folder C:\ProgramData\Microsoft\Crypto\Keys
This contains a lot of files on the DC I was logged onto when installing the certs, and no files on any of the other DCs. I am guessing this is the private key file and it has stored all of them on the local machine I was running MMC from rather than on the machines I connected to from MMC.
Is there any way to get these keys onto the correct DCs now, or will I have to re-request all of the others? The private key was not exportable.
I figured copying and pasting them was probably not going to work with a private key, but I tried it anyway just to be sure!
It is pretty annoying as no clue was given during the process of requesting and installing the certificates, and there is no error when you look at the certificate: they all think they have the private key associated with them, even though it rather looks like they don't!
It's a bit painful requesting certificates here, so any help in avoiding this would be appreciated! Thank you

Thank you Elke,
So I copied the key files across from the server where they were all generated to the server I remotely connected to (which had no key files at all). Copied all just to be sure, though I'm pretty sure which one actually relates to that server as I did them all in order, reflected by the time stamps.
Ensured all the permissions were the same, and that they were marked as 'system' files.
Ran the command
certutil -repairstore my [SerialNumber of cert]
as you suggested, but no luck unfortunately.
So firstly, I get the same error message:
Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
And then I get:
CertUtil: Access denied.
Not sure why the access denied, I am running elevated with full local and domain administration rights.
Toby
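The thread turns on one gap: the Certificates snap-in reports "You have the private key" as soon as a certificate is linked to a key container name, whether or not the container file exists on that machine, while Schannel needs the key to actually open. The script below is an added diagnostic, not code from the thread or from Microsoft, to run elevated on each DC. It opens the key and performs a sign/verify round trip (which fails when the container file is absent, as on the remotely-requested DCs described above), reports NotAfter for expiry tracking, and then connects to port 636 to see which certificate the LDAPS listener actually serves. The DC names and the test string are placeholders. The underlying fix the thread is looking for is to generate the request on the DC that must hold the key (for example with certreq -new run locally on that DC), since a non-exportable key cannot be moved afterwards.

```powershell
# Added diagnostic, not part of the original thread.
# Assumptions: PowerShell 5.1 on the DC, run elevated; RSA DC certificates.

function Test-DcCertificatePrivateKey {
    [CmdletBinding()]
    param(
        # Server Authentication EKU, which every LDAPS-capable DC certificate carries
        [string]$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
    )
    $probe = [System.Text.Encoding]::ASCII.GetBytes('ldaps-key-probe')  # constructed test data
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
    } | ForEach-Object {
        $cert = $_
        $keyUsable = $false
        $reason = ''
        try {
            # HasPrivateKey only means a key container is *referenced* by the certificate.
            # Opening the key and signing with it proves the container file exists here.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) { throw 'no RSA private key handle could be opened' }
            $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
            $pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
            $sig = $rsa.SignData($probe, $sha256, $pkcs1)
            $keyUsable = $rsa.VerifyData($probe, $sig, $sha256, $pkcs1)
        } catch {
            $reason = $_.Exception.Message
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter        # renew before this date
            HasPrivateKey = $cert.HasPrivateKey   # what the MMC text reflects
            KeyUsable     = $keyUsable            # what Schannel actually needs
            Reason        = $reason
        }
    }
}

function Get-LdapsPresentedCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DcHostname,
        [int]$Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new($DcHostname, $Port)
    $ssl = $null
    try {
        # Chain validation is deliberately bypassed here: the goal is to observe
        # which certificate is served, not to trust it. A DC whose certificate has
        # no usable key fails the handshake instead of presenting anything.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DcHostname)
        $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            DcHostname = $DcHostname
            Thumbprint = $served.Thumbprint
            Subject    = $served.Subject
            NotAfter   = $served.NotAfter
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage on the DC being checked:
Test-DcCertificatePrivateKey | Format-Table Subject, HasPrivateKey, KeyUsable, NotAfter, Reason -AutoSize

# From any domain member, with placeholder DC names (not from the thread):
'DC1.example.internal', 'DC2.example.internal' | ForEach-Object {
    try { Get-LdapsPresentedCertificate -DcHostname $_ }
    catch { "$_ : LDAPS handshake failed ($($_.Exception.Message))" }
}
```

A row with HasPrivateKey = True and KeyUsable = False, with a reason such as a keyset-not-found error, is the exact state the thread describes: the certificate object on the remote DC points at a container that was created on the machine running MMC. Comparing the thumbprint returned by Get-LdapsPresentedCertificate with the thumbprint in the store also shows when a DC is still serving an older certificate rather than the newly installed one.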

Similar Messages

  • Windows Domain Controller certificate for non domain clients

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
    Regards

    Hi,
    Is it possible that we can export windows domain certificate and use it for non domain computers without joining domain, so that they can communicate each others without joining domain controller?
    Not sure that what you want to achieve here.
    However, yes, it is possible to export certificates (with private keys) from domain machines then import them to non-domain machines, and some certificates can even function well based on key usages. Please note that Domain Controller certificates are only meaningful to Domain Controllers. Possession of domain certificates doesn't indicate machines are part of domain.
    Without joining a machine to a domain (or without a trust), the machine is always treated as untrusted by the domain members no matter what kind of certificates it holds.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Install Domain Controller, Active Directory, RemoteApps on Single Server?

    Have a server that I want to experiment with RemoteApps. Documentation I have read states you need to have a Domain Controller set up with AD on one server, and have a second server to install all the RemoteApps requirements. Is this true or can this all be done on one server?
    If I need a separate server for the Domain Controller and Active Directory, can I assume that a low end server would be sufficient? Or would using Hyper-V with a single hardware server and creating two virtual machines, one as the DC/AD and the other to run RemoteApps, be a possible solution? Any advice?

    It really depends to be honest. I'd probably go something like this though:
    One small physical server to act as a domain controller - you could put DHCP on this too
    One or two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined.
    Then for your VMs create the following:
    1 x additional domain controller
    For remote desktop services:
    1 x Remote Desktop Session Host
    1 x Connection Broker
    1 x Gateway and web server
    For additional services
    1 or 2 x Exchange
    1 x sharepoint
    1 x IIS
    But it really depends what you want to achieve.
    The benefit from virtual machines is that you can keep separate virtual servers for separate applications.
    If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance.
    Hope this helps you a bit more. And thanks for positive blog feedback - it's appreciated.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer

  • SELFSSL.exe - can you create a Domain Controller certificate?

    As the title asks really. Rather than setting up CAs, can you use selfssl.exe to create domain controller certificates?

    If you are not using certificates, then why not just delete the certificates that cause warnings? Old trusted CAs can be propagated from Active Directory. See this article:
    http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
    You need to perform only steps 6 and 7.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • I have DHCP and DNS services in a router and I want to install domain controller

    Hello
    I have a SonicWall router managing the DHCP and DNS services for my network and want to keep it doing this.
    I have a computer running Windows Server 2012 Standard and installed Active Directory along with DNS. I also went to the DNS manager of this server and forwarded the DNS addresses of my router. For some reason I'm not able to join a client computer to the DC.
    I got this error:
    An Active Directory domain controller (AD DC) for the domain "mydomain.ca" could not be contacted.
    Is it possible to configure Active Directory using the DNS and DHCP services of my router, or am I doing something wrong?
    Can somebody help me with this matter?
    Thanks.

    Hello,
    If the DNS server on your router is able to provide all required zones, SRV records and options that the DCs require, there is no problem using 3rd party DNS servers.
    But I would recommend that you use the DC as DNS server also and just run the installation during the promotion process.
    All clients MUST use the domain internal DNS servers on the NIC, NONE else, otherwise you will run into trouble. Internet access will be done via the FORWARDERS on the DNS server properties in the DNS management console on the Windows Server.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Is it possible to bypass Domain Controller Promotion (dcpromo) Hard Drive Check? My Server has an embedded drive instead of a SATA port. (emmc)

    I have a small computer with just an embedded drive instead of a SATA port. It seemed perfect for a small domain controller, since it has 32 GB, which is more than enough space, and with gigabit Ethernet and a 1.6 GHz dual core CPU, it seemed more than enough for what I needed.
    Windows 2012, or Windows Server Technical Preview, both install fine on it, but when I run dcpromo to create the domain it fails on selecting the location for files. The error is that the path is not a hard drive. The machine only has USB ports so I can't add a SATA drive just to store these logs/configs, even if I wanted to.
    The actual computer I was trying to use: http://www.ecs.com.tw/LIVA/
    Thanks for any help.

    On the Windows Server Technical Preview,
    Install-ADDSForest -SkipPreChecks -DomainName DOMAIN.CONTOSO.COM -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "C:\Windows\NTDS" -SYSVOLPath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS\Logs"
    gives me the error "No NTFS 5 drives exit." (note exit, not exist)
    I'll reinstall Windows 2012 and see if I get a different message there.
    This was just a standard install, so the drive is definitely NTFS.

  • Domain Controller deletes user account settings and applications - windows server 2012

    Once a month, when the user logs into his account, his settings and some applications get deleted. He has to install Outlook again, Dropbox gets deleted, settings on the desktop disappear (files are still there), etc.
    I am not sure about the cause or the solution. Please let me know what I can do to fix this.

    Hi,
    Do all the users have the same issue?
    Did the issue occur when you log into the Domain Controller?
    Any event id in event viewer?
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How to install a root certificate of private CA for SSL initiation in ACE 4710 ?

    Hello ACE Gurus,
    We have to deploy end-to-end SSL for one of our applications, but of course we won't be buying Entrust or other big name certificates for each web server: we want to use self-issued certs signed by our private CA. The topology looks like this:
    Internet Client   ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
    Maybe my search skills are soft, but I haven't found how to import a private CA certificate in the ACE, so that when the ACE initiates an SSL session with the webserver (as a client), it will recognize the Web Server's SSL Cert as valid, because it already has it in its root store.
    The only thing I've found is how to configure the ACE to ignore the SSL authentication/validation errors, like this:
    host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
    host1/Admin(config-parammap-ssl)# authentication-failure ignore
    Thanks for the help!
    Alex.

    Hi Alex,
    From the ACE perspective, it doesn't make a difference if you are using certificates issued by your local or a "well known" CA. Moreover, if I'm not mistaken, you have to configure an authentication group whether you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2. Here is my scenario:
    1.  I want to set up the domain controller at Site A where the primary domain controller is located. The primary domain controller is Windows Server 2008 R2.
    2.  Once the DC is set up I plan on leaving it on our network for a few days before shipping it to remote Site B for installation.
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel. All the DCs that replicate with each other are on the same domain.
    2.  The 2012 DC that I set up for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A.
    Questions:
    1.  What items can I set up while it's at Site A without affecting or conflicting with the existing network and domain controller? Can I set up a scope once the DHCP role is added?
    2.  All of our DCs replicate through Sites and Services; do I have to manually add this to our primary DC for the new DC going to remote Site B? Or does this happen automatically when I promote the DC?
    All in all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide. Any help would be appreciated.

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more and detail information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • Installing Exchange on a domain controller?

    We are a very small business firm, less than 10 people. I am planning to set up a new server. Initially I thought to install AD, DNS, DHCP, DC and Exchange on the same server. Microsoft is not recommending all on one server:
    Installing Exchange on a domain controller is not recommended.
    So give me a suggestion: is it OK to install everything on one server for a small company like us? Or
    create 1 virtual machine and install Exchange on that server, and the rest will be on the base?
    ItsMeSri SP 2013 Foundation

    Hi,
    It is not recommended to install Exchange server on a domain controller. You can create a virtual Exchange server; there is a lot of planning that goes into constructing a virtualized Exchange infrastructure, with the primary consideration being hardware allocation and fault tolerance. Considering these factors will guide you to a solid and reliable infrastructure.
    For more information, here is a blog for your reference.
    Microsoft Exchange 2010: Establishing a Virtual Exchange 2010 Datacenter (Note: Though it is Exchange 2010, it is also helpful to Exchange 2013 about this issue)
    https://technet.microsoft.com/en-us/magazine/hh641416.aspx
    Hope this can be helpful to you.
    Best regards,
    If you have feedback for TechNet Subscriber Support, contact [email protected]
    Amy Wang
    TechNet Community Support

  • What happens if Domain Controller server authentication certificate expires?

    Dear People,
    We have got two Domain Controller servers and accordingly two AzMan servers. We have got two certificates issued for each Domain Controller to our two AzMan servers. Both these certificates are going to expire in the next few days. We have a few Web & Desktop applications for which we authorize a large pool of users with the help of these two AzMan servers.
    Now, the issue is, the Domain Controller certificates are going to expire soon on both AzMan servers. Can somebody tell me, what could be the impact of expiration of these certificates?
    Will all the applications be down after that? Must I go for renewal of the certificates? Please help me as soon as possible otherwise I will be in big trouble. Thanks.

    Hi,
    Based on my research, the Domain Controller Authentication certificate is used for client authentication, server authentication and smart card logon.
    You need to renew the certificates before they expire, otherwise problems with smart card logon and SSL connections will occur.
    More information for you:
    Processing Domain Controller Certificates
    http://technet.microsoft.com/en-us/library/cc787009(v=WS.10).aspx
    Best Regards,
    Amy

  • NAC and SSL - fails to import password protected private key

    I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wildcard SSL cert *.domain.com. The private key used to generate the certificate was created on a Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
    My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
    Is there a command line option for importing a private key that may work for me?
    Thanks
    Sherm

    The best possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you don't have problems with private keys.
    Regards
    sathappan

  • Behaviour of checking Allow administrator interaction when the private key is accessed by the CA ?

    Setting up a new standalone root CA, what is the impact of selecting 'Allow administrator interaction when the private key is accessed by the CA'? Not sure yet if we will be using an HSM module (which I know is a valid reason for selecting it). I don't want to limit our future options by not selecting this. Is there any impact to selecting this if we end up not using a CSP / HSM? And can the value be changed easily once the Root CA is installed?

    This checkbox enables private key strong protection. This means that you will have to enter the administrator password or confirm the action each time the private key is used. It will be used each time a new certificate/CRL is issued, and when the service starts. If you are using an HSM, you should consult the HSM documentation to determine whether your HSM requires this setting. As you don't use an HSM for now, you should not enable this checkbox, because you won't see any prompt dialog on Server Core.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

  • Event ID 13568 With Only One Domain Controller

    I had two domain controllers in an SBS 2003 domain. The very first installed domain controller died. So I seized the FSMO roles and eventually removed it from the domain by cleaning up the metadata. I told my bosses that we really needed a new server so that there would be a replica of the AD, but no go.
    Now, I am getting the 13568 Event ID error on the remaining Windows Server 2003 domain controller that has the SBS Active Directory. This error requires a restore of Active Directory from system state (of which I do have a backup). I eventually fixed the dead server and was wondering if I could install SBS 2003 to this server and then restore AD to it from the system state backup.
    If that is possible, then how do I do it and how do I get this server back into the domain so that the existing DC takes its AD and replicates it to itself?
    Please let me know if I have not been clear. Susan E. Russel

    Hi,
    Event ID 13568 indicates the replica set is in a Journal Wrap error state; to resolve this, there is no need to restore AD from backup. This error occurs if a sufficient number of changes occur while FRS is turned off, such that the last USN change that FRS recorded during shutdown no longer exists in the USN journal during startup. The risk is that changes to files and folders for FRS replicated trees may have occurred while the service was turned off, and no record of the change exists in the USN journal. To guard against data inconsistency, FRS asserts into a journal wrap state.
    What happens in a Journal Wrap? : http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx
    Journal Wrap error resolution: http://adfordummiez.com/?p=61
    Regards,
    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA

  • Adding second domain controller in Windows server 2012 R2

    Hello, our primary domain controller is currently on a machine that has Windows Server 2008 R2 Standard. We are planning to set up a second domain controller as a failover to our primary domain controller. My question is, can we have a secondary domain controller on Windows Server 2012 R2 even if our primary domain controller is on a machine that has Windows Server 2008 R2?

    I think I found the answer to my question.
    http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx
    "In Windows Server 2012, Adprep.exe is integrated into the AD DS installation process and runs automatically as needed. For example, when you install the first domain controller that runs Windows Server 2012 into an existing domain and forest, then adprep /forestprep and adprep /domainprep automatically run and report the results of the operations.
    Some organizations may prefer to run Adprep.exe separately in advance of an AD DS installation. For this reason, Adprep.exe is also included in the \Support\Adprep folder of the operating system disk.
    In Windows Server 2012, there is only one 64-bit version of Adprep.exe. It can be run remotely from any server that runs a 64-bit version of Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. The computer where you run it can be either domain-joined or in a workgroup.
    The version of Adprep.exe in Windows Server 2012 includes new syntax and parameter options in order to run it remotely. For more information, see Adprep."
    For more information about the objects and containers that are created when the schema is extended to support Windows Server 2012, see Windows Server 2012: Changes to Adprep.exe.
