PKI CA CLUSTER CRL PUBLICATION FAILURE

After configuring the PKI cluster, I am not able to publish the CRL. I see the error below when I try to publish the CRL:
Event log error
Event ID 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server DC.goryeal.com: ldap:///CN=PKI100A(1),CN=pki100p,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=goryeal,DC=com. 
Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=PKI100P,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=goryeal,DC=com'
I tested my cluster using the commands below and it seems to be configured correctly
C:\Users\administrator>certutil -config   pki100p\pki100a -ping
Connecting to pki100p\pki100a ...
Server "PKI100A" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
C:\Users\administrator>certutil -config   pki100p\pki100a -pingadmin
Connecting to pki100p\pki100a ...
Server ICertAdmin2 interface is alive
CertUtil: -pingadmin command completed successfully.
C:\Users\administrator.GORYEAL>certutil -getreg ca\crlpublicationurls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\PKI100A\CRLPublicationURLs:
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)
    1: 79:ldap:///CN=%7%8,CN=pki100p,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
    CSURL_ADDTOCRLCDP -- 8
    CSURL_SERVERPUBLISHDELTA -- 40 (64)
    2: 0:http://%1/CertEnroll/%3%8%9.crl
    3: 0:file://%1/CertEnroll/%3%8%9.crl
CertUtil: -getreg command completed successfully.

It is a known issue. When you set up an ADCS cluster and renew the CA certificate with a new key pair, the first CRL should be published manually. This can be done by running "certutil -dspublish -f crlfilename.crl". This will create a new entry under the cluster resource
name, and after this the CA server will be able to publish files there.
And do not forget that all CAs in the cluster must have write permissions on the cluster resource name container under the CDP container.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
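Added example, not from the original thread and not Vadims' own code: the manual first publication and the permission check from the answer above as one PowerShell script run on the active cluster node as an Enterprise Admin. What it takes from the thread is the cluster resource name pki100p, the CA name PKI100A and the CDP container path quoted in the Event ID 74 text. The node computer account names, the CRL file name and the exact set of rights granted on the container are assumptions to adjust before running it.

```powershell
# Added example (not from the original thread). Publishes the first CRL of a
# clustered CA into the cluster-name CDP container by hand and then makes sure
# every cluster node's computer account can write there.
# Assumptions (not in the original post): the script runs on the active cluster
# node as an Enterprise Admin, the ActiveDirectory RSAT module is installed, and
# $NodeNames lists the node computer accounts (the thread only names the cluster
# resource 'pki100p' and the CA 'PKI100A').
param(
    [string]   $ClusterName = 'pki100p',
    [string]   $CaName      = 'PKI100A',
    [string[]] $NodeNames   = @('PKINODE1', 'PKINODE2'),   # assumed node names
    [string]   $CrlFile     = ''                            # defaults to the local CertEnroll copy
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not $CrlFile) {
    # %3%8 with key index 1 gives "PKI100A(1)", the name Event ID 74 complains about
    $CrlFile = "$env:windir\System32\CertSrv\CertEnroll\$CaName(1).crl"
}
if (-not (Test-Path $CrlFile)) { throw "CRL file not found: $CrlFile" }

$configNC = (Get-ADRootDSE).configurationNamingContext
$cdpDn    = "CN=$ClusterName,CN=CDP,CN=Public Key Services,CN=Services,$configNC"

# 1. Publish the CRL into the cluster-name CDP container. The second argument is
#    the DSCDPContainer CN (it defaults to the local machine name, which is the
#    node, not the cluster); -f creates the missing container and object.
& certutil.exe -dspublish -f $CrlFile $ClusterName
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# 2. Verify that the cRLDistributionPoint object now exists where the CA looks for it.
$crlObjects = Get-ADObject -SearchBase $cdpDn -SearchScope OneLevel `
                -LDAPFilter '(objectClass=cRLDistributionPoint)' `
                -Properties certificateRevocationList
if (-not $crlObjects) { throw "No cRLDistributionPoint objects under $cdpDn" }
$crlObjects | ForEach-Object {
    '{0}: {1} bytes of CRL data' -f $_.Name, $_.certificateRevocationList.Length
}

# 3. Give each node's computer account write access on the container so the CA
#    service can publish from whichever node currently owns the resource.
#    The right set below is an assumption; it is enough to create and update
#    cRLDistributionPoint objects without granting full control.
$acl    = Get-Acl -Path "AD:\$cdpDn"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty'
foreach ($node in $NodeNames) {
    $sid  = (Get-ADComputer -Identity $node).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$cdpDn" -AclObject $acl

# 4. Let the CA publish on its own now. A repeat of Event ID 74 after this step
#    means the ACL above or the container CN hard-coded in CRLPublicationURLs
#    still does not match.
& certutil.exe -config "$ClusterName\$CaName" -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
```

Run it once after the key renewal. Step 4 is the real test: the CA service itself, not the admin running the script, has to be able to write the object, which is why step 3 grants rights to the node computer accounts rather than to a user.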

Similar Messages

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to log in to with a smart card on one day. The next day they couldn't. Everyone else can log in with a smart card without issue. These users can log in with their smart card on other systems without issue. No users can
    log in on the affected computers with a SmartID.
    In all cases, users can log in on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However, the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate the DC cert manually and the CRL will download from the CRL server. You can also hit the HTTP site for the CRL download and manually download the CRL. All this once logged in using user ID and password.
    You can't unlock the computer with a smart card or log in with a smart card.
    Packet trace indicates the Kerberos session was properly negotiated between workstation and DC.
    Everything fails once the client workstation can't download the CRL during login.
    Any suggestions on where to look next?
    We have reloaded the ActivClient smart card validation software. Still no effect on the issue.
    The smart card is readable once the user is logged in, via ActivClient, and Windows recognizes certs on the smart card when inserted for login.
    The problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested: exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    Delete the domain controller certificate that is no longer valid.
    Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    On the domain controller, click Start, and then click Run.
    Type mmc.exe, and then press ENTER.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    Click File, and then click Add/Remove Snap-in.
    Click Certificates, and then click Add.
    Click Computer account, click Next, and then click Finish.
    Click OK to open the Certificates snap-in.
    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
    Request a new certificate
    To request a new certificate:
    Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    Close the Certificates snap-in.
    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate
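    Added example, not part of the original answer: the same three-step procedure (delete the domain controller certificate that is no longer valid, request a new one, verify with certutil -dcinfo verify) as a PowerShell script, so it can be repeated on all eight affected machines' domain controller without MMC clicks. It assumes an elevated session on the domain controller as a Domain Admin, the PKI module that ships with Windows Server 2012 or later, and an enterprise CA template whose internal name is KerberosAuthentication that the DC may enroll for; the EKU OIDs used to recognise DC certificates are standard, everything else is an assumption to check.

```powershell
# Added example (not from the original thread): the MMC procedure above as a
# script. Assumptions (not in the original post): runs elevated on the domain
# controller as a Domain Admin, the PKI module is present, and the enterprise
# CA publishes a template with the internal name 'KerberosAuthentication'.
param(
    [string] $Template   = 'KerberosAuthentication',   # assumed template name
    [string] $Thumbprint = ''                          # optional: delete exactly this certificate
)

$kdcAuthEku = '1.3.6.1.5.2.3.5'    # KDC Authentication EKU
$serverAuth = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU (older DC templates)
$store      = 'Cert:\LocalMachine\My'

# 1. Pick the certificate(s) to remove: the one named on the command line, or
#    every DC-style certificate in the machine store that has already expired.
$candidates = Get-ChildItem -Path $store | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthEku -or
     $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth)
}
$toDelete = if ($Thumbprint) {
    $candidates | Where-Object Thumbprint -eq $Thumbprint
} else {
    $candidates | Where-Object NotAfter -lt (Get-Date)
}
foreach ($cert in $toDelete) {
    Write-Host ('Deleting {0} (expires {1:u}, thumbprint {2})' -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
    Remove-Item -Path (Join-Path $store $cert.Thumbprint)
}

# 2. Request a replacement from the enterprise CA. Autoenrollment would do this
#    eventually; this forces it now and fails loudly if the CA does not issue.
$result = Get-Certificate -Template $Template -CertStoreLocation $store
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status)"
}
$new = $result.Certificate
Write-Host ('Issued {0} by {1}, valid until {2:u}' -f $new.Subject, $new.Issuer, $new.NotAfter)

# 3. Verify the KDC certificate the same way the procedure above does.
& certutil.exe -dcinfo verify
if ($LASTEXITCODE -ne 0) { throw "certutil -dcinfo verify failed with exit code $LASTEXITCODE" }
```

    The script only removes certificates that are already past NotAfter unless a thumbprint is given, so a certificate that is merely failing revocation checking (the symptom in this thread) has to be named explicitly; that keeps an automated run from deleting a valid certificate because the CRL server happened to be unreachable.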

  • Hyper-V guest SQL 2012 cluster live migration failure

    I have two IBM HX5 nodes connected to an IBM DS5300. A Hyper-V 2012 cluster was built on the blades. In the HV cluster, six virtual machines were made, connected to the DS5300 via HV Virtual SAN. These VMs formed a guest SQL cluster. Databases' files are placed on
    DS5300 storage and available through VM Fibre Channel adapters. The IBM MPIO module is installed on all hosts and VMs.
    SQL Server instances work without problem. But! When I try to live migrate a SQL VM to another HV node, the SQL instance fails. In the SQL error log I see:
    2013-06-19 10:39:44.07 spid1s      Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.07 spid1s      SQLServerLogMgr::LogWriter: Operating system error 170(The requested resource is in use.) encountered.
    2013-06-19 10:39:44.07 spid1s      Write error during log flush.
    2013-06-19 10:39:44.07 spid55      Error: 9001, Severity: 21, State: 4.
    2013-06-19 10:39:44.07 spid55      The log for database 'Admin' is not available. Check the event log for related error messages. Resolve any errors and restart the database.
    2013-06-19 10:39:44.07 spid55      Database Admin was shutdown due to error 9001 in routine 'XdesRMFull::CommitInternal'. Restart for non-snapshot databases will be attempted after all connections to the database are aborted.
    2013-06-19 10:39:44.31 spid36s     Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.31 spid36s     fcb::close-flush: Operating system error (null) encountered.
    2013-06-19 10:39:44.31 spid36s     Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.31 spid36s     fcb::close-flush: Operating system error (null) encountered.
    2013-06-19 10:39:44.32 spid36s     Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.32 spid36s     fcb::close-flush: Operating system error (null) encountered.
    2013-06-19 10:39:44.32 spid36s     Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.32 spid36s     fcb::close-flush: Operating system error (null) encountered.
    2013-06-19 10:39:44.33 spid36s     Starting up database 'Admin'.
    2013-06-19 10:39:44.58 spid36s     349 transactions rolled forward in database 'Admin' (6:0). This is an informational message only. No user action is required.
    2013-06-19 10:39:44.58 spid36s     SQLServerLogMgr::FixupLogTail (failure): alignBuf 0x000000001A75D000, writeSize 0x400, filePos 0x156adc00
    2013-06-19 10:39:44.58 spid36s     blankSize 0x3c0000, blkOffset 0x1056e, fileSeqNo 1313, totBytesWritten 0x0
    2013-06-19 10:39:44.58 spid36s     fcb status 0x42, handle 0x0000000000000BC0, size 262144 pages
    2013-06-19 10:39:44.58 spid36s     Error: 17053, Severity: 16, State: 1.
    2013-06-19 10:39:44.58 spid36s     SQLServerLogMgr::FixupLogTail: Operating system error 170(The requested resource is in use.) encountered.
    2013-06-19 10:39:44.58 spid36s     Error: 5159, Severity: 24, State: 13.
    2013-06-19 10:39:44.58 spid36s     Operating system error 170(The requested resource is in use.) on file "v:\MSSQL\log\Admin\Log.ldf" during FixupLogTail.
    2013-06-19 10:39:44.58 spid36s     Error: 3414, Severity: 21, State: 1.
    2013-06-19 10:39:44.58 spid36s     An error occurred during recovery, preventing the database 'Admin' (6:0) from restarting. Diagnose the recovery errors and fix them, or restore from a known good backup. If errors are not corrected or expected,
    contact Technical Support.
    In windows system log I see a lot of warnings like this:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Ntfs" Guid="{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}" />
        <EventID>140</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000008</Keywords>
        <TimeCreated SystemTime="2013-06-19T06:39:44.314400200Z" />
        <EventRecordID>25239</EventRecordID>
        <Correlation />
        <Execution ProcessID="4620" ThreadID="4284" />
        <Channel>System</Channel>
        <Computer>sql-node-5.local.net</Computer>
        <Security UserID="S-1-5-21-796845957-515967899-725345543-17066" />
      </System>
      <EventData>
        <Data Name="VolumeId">\\?\Volume{752f0849-6201-48e9-8821-7db897a10305}</Data>
        <Data Name="DeviceName">\Device\HarddiskVolume70</Data>
        <Data Name="Error">0x80000011</Data>
      </EventData>
    </Event>
    The system failed to flush data to the transaction log. Corruption may occur in VolumeId: \\?\Volume{752f0849-6201-48e9-8821-7db897a10305}, DeviceName: \Device\HarddiskVolume70.
    ({Device Busy}
    The device is currently busy.)
    There aren't any error or warning in HV hosts.

    Hello,
    I am trying to involve someone more familiar with this topic for a further look at this issue. Some delay might be expected from the job transfer. Your patience is greatly appreciated.
    Thank you for your understanding and support.
    Regards,
    Fanny Liu
    TechNet Community Support

  • Cluster  3.2 failure retry time

    Dear All,
    I have Messaging Server 7 in a cluster; however, for some reason, after so many watcher crashes, the cluster didn't restart the messaging resource.
    I am wondering if there is a retry timeout or a maximum number of retries.
    Would anyone please let me know if there are such options? If so, how to set them?
    Regards,
    Scotty

    Hi Scotty,
    If you want an indefinite restart, you can set retry_count to -1. However, I would recommend not doing that. Think about a cyclic failure: after 10 seconds your messaging server does not react to the probe any more and a restart is submitted. In such cases you will find it hard to interact.
    The retry count is a safety feature which prevents such reconfiguration storms.
    My suggestion is to set it to a fair number.
    So Retry_count * Thorough_probe_interval needs to be smaller than Retry_interval. If the default number seems too small, increase it.
    The command is:
    clrs set -p retry_count=<new value> <your resource name>
    Cheers
    Detlef

  • Cluster point of failure

    I'm trying to set up an environment where, if my primary web server goes down, requests will be sent to the backup. I think clustering can help me here, but my fear is that I have a single point of failure on the managing server. If I have a cluster, is one machine managing all traffic? And if that machine were to go down, my entire site would be down. Any suggestion on how to handle this at the router level would be appreciated also.
    Scott

    I'm not sure I understand your question completely.
    You can certainly run multiple managed servers and/or a cluster of managed servers to give you some redundancy.
    You can run multiple physical and/or virtual machines.
    You can run multiple sites etc for disaster recovery.
    I can't recall a site I've visited in a long time that didn't do all of these.
    Was there a specific question you had about HA or failure scenarios?
    -- Rob
    WLS Blog http://dev2dev.bea.com/blog/rwoollen/

  • Solaris Cluster Private Link Failure

    Hi,
    I have configured Solaris Cluster 3.3 and added two back-to-back interconnect cables.
    Sun Cluster is working fine but the private link fails and I cannot ping clusternode2-priv and clusternode1-priv from each other. Some commands fail:
    ~ # ping clusternode2-priv
    no answer from clusternode2-priv
    ~ # metaset -s nfsds -a -h t1u331 t1u332
    metaset: 172.16.4.1: metad client create: RPC: Rpcbind failure
    ~ # scstat
    -- Cluster Nodes --
    Node name Status
    Cluster node: n1u332 Online
    Cluster node: n1u331 Online
    -- Cluster Transport Paths --
    Endpoint Endpoint Status
    Transport path:   n1u332:nxge2           n1u331:nxge2           Path online
    Transport path:   n1u332:nxge1           n1u331:nxge1           Path online
    -- Quorum Summary from latest node reconfiguration --
    Quorum votes possible: 3
    Quorum votes needed: 2
    Quorum votes present: 3
    -- Quorum Votes by Node (current status) --
    Node Name Present Possible Status
    Node votes: n1u332 1 1 Online
    Node votes: n1u331 1 1 Online
    -- Quorum Votes by Device (current status) --
    Device Name Present Possible Status
    Device votes: /dev/did/rdsk/d4s2 1 1 Online
    -- Device Group Servers --
    Device Group Primary Secondary
    -- Device Group Status --
    Device Group Status
    -- Multi-owner Device Groups --
    Device Group Online Status
    -- Resource Groups and Resources --
    Group Name Resources
    -- Resource Groups --
    Group Name Node Name State Suspended
    -- Resources --
    Resource Name Node Name State Status Message
    -- IPMP Groups --
    Node Name Group Status Adapter Status
    [root @ n1u332]
    ~ # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    e1000g0: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 2
    inet 0.0.0.0 netmask 0
    ether 0:15:17:e3:a4:e8
    vsw0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
    inet 10.131.58.76 netmask ffffff00 broadcast 10.131.58.255
    groupname ipmp-grp
    ether 0:14:4f:f9:1:bd
    vsw0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 10.131.58.75 netmask ffffff00 broadcast 10.131.58.255
    vsw1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 4
    inet 10.131.58.77 netmask ffffff00 broadcast 10.131.58.255
    groupname ipmp-grp
    ether 0:14:4f:fb:44:4
    nxge1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 7
    inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255
    ether 0:14:4f:a0:81:d9
    nxge2: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 6
    inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127
    ether 0:14:4f:a0:81:da
    clprivnet0: flags=1009843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,PRIVATE,IPv4> mtu 1500 index 8
    inet 172.16.4.1 netmask fffffe00 broadcast 172.16.5.255
    ether 0:0:0:0:0:1
    [root @ n1u332]
    ~ # dladm show-dev
    vsw0 link: up speed: 1000 Mbps duplex: full
    vsw1 link: up speed: 1000 Mbps duplex: full
    e1000g0 link: down speed: 0 Mbps duplex: half
    e1000g1 link: up speed: 1000 Mbps duplex: full
    e1000g2 link: unknown speed: 0 Mbps duplex: half
    e1000g3 link: unknown speed: 0 Mbps duplex: half
    nxge0 link: up speed: 100 Mbps duplex: full
    nxge1 link: up speed: 1000 Mbps duplex: full
    nxge2 link: up speed: 1000 Mbps duplex: full
    nxge3 link: up speed: 100 Mbps duplex: full
    e1000g4 link: unknown speed: 0 Mbps duplex: half
    e1000g5 link: up speed: 1000 Mbps duplex: full
    clprivnet0              link: unknown   speed: 0     Mbps       duplex: unknown
    Edited by: 808696 on Mar 2, 2011 8:27 AM

    If your private interconnect had really failed then one or other of the cluster nodes would have panicked. I think it is more likely that either you have changed the nsswitch.conf entry for hosts such that it does not include 'cluster' first, although I would have expected that to result in an unresolved host name. The other option is that you have hardened your machine in some way with ipfilters or security settings.
    Has it ever worked?
    Tim

  • Implications of having a high CRL publication interval

    Hello
    We have a 2 tier internal CA structure
    One of my regular tasks is to check the CAs for expired certificates or expired CRLs
    The Root CA as well as the issuing CAs have CRL publication intervals set to 6 months for both the full and delta CRL (these are offline)
    Their respective CRLs have all but a handful of revoked certificates
    The subordinate CA seems to do all of the work relating to issuing and revoking certificates. Its CRL is quite large and has an interval set of 1 week for the full CRL and 2 hours for the delta
    Today I checked the CRL and it was set to expire this Sunday
    What would be the implications if I let this CRL expire? Would it renew / republish itself automatically?
    I published it manually just in case, but it got me thinking about what the implications would be if I set the renewal period higher for the CRL.
    We have a regular task of powering on the offline CAs and re-publishing their CRLs / certificates before they are set to expire. I suspect that the online servers would be able to do this themselves?

    It depends on a number of factors, and each approach has its own pros and cons. For example, by having a long-living CRL, you reduce the network traffic used by clients to download and fetch CRLs. However, reaction time (to recognize a certificate as revoked)
    is slow. For a long enough time, a revoked certificate will be accepted by clients as valid. By having a short-living CRL you reduce reaction time and clients more timely determine a recently revoked certificate as revoked. However, this approach increases CRL traffic,
    because the CRL is short-living and shall be downloaded by clients more frequently.
    As a general practice, offline CAs (usually root and policy) that issue certificates only to other CAs and never issue certs to end entities may have a long-living CRL, about 6-12 months, because CA revocation is unlikely due to high security
    measures (strict physical and remote access, HSM and so on). Online CAs that issue certificates to end entities should have short-living CRLs, because client certificates are less protected and revocation is not something unusual. The default value for Windows
    CAs is 1 week. You should treat this as a starting point and configure a CRL lifetime comparable to this value.
    Vadims Podāns, aka PowerShell CryptoGuy
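    Added example, not from the original thread and not Vadims' code: the "check the CAs for expired CRLs" task from the question as a PowerShell script, so the trade-off the answer describes (how long a revoked certificate keeps being accepted) can be watched against the real NextUpdate of each published CRL instead of being checked by hand before a weekend. It reads ThisUpdate and NextUpdate straight out of the DER structure, so it does not depend on certutil's locale-specific date output, and it works for base and delta CRLs alike. The CDP URLs below are placeholders for your own root and issuing CA CRLs; the 24-hour warning threshold is an arbitrary assumption.

```powershell
# Added example (not from the original thread). Reports ThisUpdate/NextUpdate
# of each CRL and flags ones that are expired or about to expire.
# Assumptions (not in the original post): the URLs below are placeholders for
# your CDP locations; HTTP URLs or local file paths both work.
param(
    [string[]] $CrlSources = @(
        'http://pki.corp.example/CertEnroll/CORP-Root-CA.crl',
        'http://pki.corp.example/CertEnroll/CORP-Issuing-CA.crl',
        'http://pki.corp.example/CertEnroll/CORP-Issuing-CA+.crl'   # delta CRL
    ),
    [int] $WarnHours = 24   # assumed threshold: warn when less than this remains
)

# Read one DER TLV at $Offset: tag, length, where the content starts, where the next TLV starts.
function Read-DerTlv([byte[]] $Bytes, [int] $Offset) {
    $tag = $Bytes[$Offset]
    $len = $Bytes[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                 # long form: low 7 bits = number of length bytes
        $n   = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$pos + $i] }
        $pos += $n
    }
    [pscustomobject]@{ Tag = $tag; Length = $len; ContentOffset = $pos; NextOffset = $pos + $len }
}

# Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) as RFC 5280 defines them.
function ConvertFrom-DerTime([byte[]] $Bytes, $Tlv) {
    $s = [System.Text.Encoding]::ASCII.GetString($Bytes, $Tlv.ContentOffset, $Tlv.Length).TrimEnd('Z')
    if ($Tlv.Tag -eq 0x17) {
        $yy   = [int] $s.Substring(0, 2)
        $year = if ($yy -ge 50) { 1900 + $yy } else { 2000 + $yy }   # RFC 5280 4.1.2.5.1 pivot
        $s    = "$year" + $s.Substring(2)
    } elseif ($Tlv.Tag -ne 0x18) {
        throw ('Unexpected time tag 0x{0:X2}' -f $Tlv.Tag)
    }
    [datetime]::ParseExact($s, 'yyyyMMddHHmmss', [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
}

# CertificateList ::= SEQUENCE { tbsCertList SEQUENCE { [version] signature issuer thisUpdate [nextUpdate] ... } ... }
function Get-CrlValidity([byte[]] $Der) {
    $outer = Read-DerTlv $Der 0
    if ($outer.Tag -ne 0x30) { throw 'Not a DER-encoded CRL (outer SEQUENCE missing)' }
    $tbs = Read-DerTlv $Der $outer.ContentOffset
    $tlv = Read-DerTlv $Der $tbs.ContentOffset                  # version (optional) or signature
    if ($tlv.Tag -eq 0x02) { $tlv = Read-DerTlv $Der $tlv.NextOffset }   # skip version -> signature
    $tlv = Read-DerTlv $Der $tlv.NextOffset                     # skip signature -> issuer
    $tlv = Read-DerTlv $Der $tlv.NextOffset                     # skip issuer -> thisUpdate
    $thisUpdate = ConvertFrom-DerTime $Der $tlv
    $tlv = Read-DerTlv $Der $tlv.NextOffset                     # nextUpdate (optional) or revokedCertificates
    $nextUpdate = if ($tlv.Tag -in 0x17, 0x18) { ConvertFrom-DerTime $Der $tlv } else { $null }
    [pscustomobject]@{ ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate }
}

$web = New-Object System.Net.WebClient
foreach ($src in $CrlSources) {
    try {
        $der = if ($src -match '^https?://') { $web.DownloadData($src) } else { [System.IO.File]::ReadAllBytes($src) }
        $v   = Get-CrlValidity $der
        $now = [datetime]::UtcNow
        $remaining = if ($v.NextUpdate) { ($v.NextUpdate - $now).TotalHours } else { [double]::PositiveInfinity }
        $status = if ($remaining -lt 0) { 'EXPIRED' } elseif ($remaining -lt $WarnHours) { 'EXPIRING' } else { 'OK' }
        [pscustomobject]@{ Source = $src; ThisUpdate = $v.ThisUpdate; NextUpdate = $v.NextUpdate
                           HoursLeft = [math]::Round($remaining, 1); Status = $status }
    } catch {
        [pscustomobject]@{ Source = $src; ThisUpdate = $null; NextUpdate = $null
                           HoursLeft = $null; Status = "ERROR: $($_.Exception.Message)" }
    }
}
```

    Scheduled daily, this catches both halves of the answer's trade-off: an offline root CRL with a 6-month lifetime shows up as EXPIRING well before the power-on-and-republish task is due, and an issuing CA whose NextUpdate is closer than its publication interval suggests is a sign that publication itself is failing.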

  • BO 4 Publication Failure

    Hello,
    We are trying to use publication of a WebI report with a dynamic recipient list. Both the published report and the recipient list are built upon a BEx query.
    When we schedule the publication it fails with the error:
    2012-01-08 17:37:06,817 INFO  [PublishingService:RunInstancePool-13] BusinessObjects_PublicationAdminLog_Instance_9684 - [Publication ID # 9684] - Running publication instance.
    2012-01-08 17:37:06,869 INFO  [PublishingService:RunInstancePool-13] BusinessObjects_PublicationAdminLog_Instance_9684 - [Publication ID # 9684] - The global delivery rule for this publication was met; publication processing will now begin.
    2012-01-08 17:37:35,561 ERROR [PublishingService:HandlerPool-4] BusinessObjects_PublicationAdminLog_Instance_9684 - [Publication ID # 9684] - Distribution to destination CrystalEnterprise.Smtp (To: XXX  )  failed. Recipient: XXX, Document Scope: Formatting Sample : 9701 (Excel) : (OR (AND )). Destination disabled. [[] ([1]/[2])]: [].  Please note the name of the job server used for your request and contact your system administrator to make sure the specified destination is enabled. (FWB 00031) (FBE60013)
    2012-01-08 17:37:35,562 ERROR [PublishingService:HandlerPool-4] BusinessObjects_PublicationAdminLog_Instance_9684 - [Publication ID # 9684] - Distribution to destination CrystalEnterprise.Smtp (To: YYY )  failed. Recipient: YYY, Document Scope: Formatting Sample : 9701 (Excel) : (OR (AND )).  (FBE60013)
    2012-01-08 17:37:35,780 INFO  [PublishingService:RunInstancePool-13] BusinessObjects_PublicationAdminLog_Instance_9684 - [Publication ID # 9684] - Publication scheduling complete.
    Please Help,
    Amir

    Hi Amir,
    Can you let me know what is the patch level of the BI 4.0 server?
    If the source report is scheduled individually, does it succeed? Can it be viewed on demand?
    This error:
    2012-01-08 17:37:35,561 ERROR PublishingService:HandlerPool-4 BusinessObjects_PublicationAdminLog_Instance_9684 - Publication ID # 9684 - Distribution to destination CrystalEnterprise.Smtp (To: XXX ) failed. Recipient: XXX, Document Scope: Formatting Sample : 9701 (Excel) : (OR (AND )). Destination disabled. [[] ([1]/2])]: [. Please note the name of the job server used for your request and contact your system administrator to make sure the specified destination is enabled. (FWB 00031) (FBE60013)
    suggests that the Email destination plugin is not configured correctly on the Publication Job Server, can you check that please.
    I hope this is a very helpful answer to you.
    Kind regards,
    John

  • Unicast cluster - heartbeat message failure messages

    I am using unicast messaging mode and I see the following messages:
    ####<Jul 9, 2010 12:46:56 AM PDT> <Info> <Cluster> <anaeur30> <WL10MP2-ServiceSTServer6> <[ACTIVE] ExecuteThread: '45'
    for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1278661616559> <BEA-000112> <Removing WL10M
    P2-ServiceSTServer1 jvmid:6806396782256322086S:anaeur10:[7033,7033,-1,-1,-1,-1,-1]:anaeur10:7033,anaeur10:7035,anaeur2
    0:7033,anaeur20:7035,anaeur30:7033,anaeur30:7035,anaeur50:7033,anaeur50:7035:WL10MP2-ServiceTier:WL10MP2-ServiceSTServ
    er1 from cluster view due to timeout.>
    ####<Jul 9, 2010 12:55:36 AM PDT> <Info> <Cluster> <anaeur30> <WL10MP2-ServiceSTServer6> <[ACTIVE] ExecuteThread: '34'
    for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1278662136552> <BEA-000112> <Removing WL10M
    P2-ServiceSTServer2 jvmid:-2694311272134716565S:anaeur10:[7035,7035,-1,-1,-1,-1,-1]:anaeur10:7033,anaeur10:7035,anaeur
    20:7033,anaeur20:7035,anaeur30:7033,anaeur30:7035,anaeur50:7033,anaeur50:7035:WL10MP2-ServiceTier:WL10MP2-ServiceSTSer
    ver2 from cluster view due to timeout.>
    During the same time frame, I see lost multicast messages on all the instances for about 20 minutes. What could be the problem? Why am I seeing the multicast messages when using unicast? My config.xml has multicast-related entries for each server, but how will that be effective? Is that an issue? We see servers dropping out frequently from the cluster.
    000115> <Lost 1 multicast message(s).>
    ####<Jul 9, 2010 12:46:42 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278661602751> <BEA-000115> <Lost 1 multicast message(s).>
    ####<Jul 9, 2010 12:46:46 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278661606548> <BEA-000115> <Lost 2 multicast message(s).>
    ####<Jul 9, 2010 12:47:04 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278661624185> <BEA-000115> <Lost 2 multicast message(s).>
    ####<Jul 9, 2010 12:48:40 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278661720809> <BEA-000115> <Lost 2 multicast message(s).>
    ####<Jul 9, 2010 12:54:14 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278662054823> <BEA-000115> <Lost 2 multicast message(s).>
    ####<Jul 9, 2010 12:54:14 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278662054827> <BEA-000115> <Lost 1 multicast message(s).>
    ####<Jul 9, 2010 12:54:14 AM PDT> <Info> <Cluster> <anaeur10> <WL10MP2-ServiceSTServer2> <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1278662054827> <BEA-000115> <Lost 2 multicast message(s).>

    SJ,
    Thanks, that's the perfect explanation I was looking for. We always create the cluster from the console, and it could be that we used MULTICAST messaging mode in the past, hence the entries in config.xml. What made me raise the question "will UNICAST or MULTICAST be used" is that whenever we experience a server drop-out issue from the cluster, I see the following message written into each managed server log. Ideally, the following should be written into the log only if the multicast messaging mode is in operation, right?
    <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1276490260768> <BEA-000115> <Lost 2 multicast message(s).>
    <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1276490260768> <BEA-000115> <Lost 2 multicast message(s).>
    <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1276490261355> <BEA-000115> <Lost 2 multicast message(s).>
    <weblogic.cluster.MessageReceiver> <<WLS Kernel>> <> <> <1276490261355> <BEA-000115> <Lost 2 multicast message(s).>
    The above message is not written all the time but only when a server is removed from the cluster group. Please be informed that I have enabled unicast debug mode. Will unicast also write messages as above when a heartbeat message is lost?
    To trace our issue further, I have to manually remove the reference from config.xml and monitor for some time. It's still a mystery why the cluster members are dropping out. Sometimes, soon after cluster instances dropped out, I can see the drop-out frequency as "Rarely", and after a week or so the members are regrouped with a different group leader. Are you aware of any issue with unicast messaging mode in WL10 MP2?
    Is it a good idea to test multicast?
    Thanks a lot for your time.
    -RR

  • PKI Design / Migration - Questions

    Hello,
    Our organization currently uses a single-tier enterprise root CA for issuing certificates. We are growing and I would like to redo this design in accordance with MS best practice.
    I just have a few questions:
    My original thought was to add an enterprise subordinate CA and decommission the enterprise root CA we currently have running, but I am not sure if this is possible or recommended, as I am reading many articles stating that you should deploy a standalone root CA (offline)
    and then create an enterprise subordinate CA for issuing certificates.
    If this is the case, how would I migrate servers / users over to use the new PKI infrastructure without causing service disruptions?
    Thank You

    I just want to have some answers to give MGMT when they ask.
    Here's your own answer:
    ...and I would like redo this design
    in accordance with MS Best practice.  
    Brian gave you best practice.
    1 X standalone root CA (off line) – for security
    2 X issuing CA's - Enterprise subordinate CA:
    2X - for redundancy
    Enterprise – so that they use AD for certs, CRL, autoenrollment etc.
    I would also add that if you will not be revoking existing certs issued by the old CA, you may increase CRL publication interval on the old CA from default one day to 99 years. This basically leaves you with static CRL and static CDP web site (you don't
    need to publish CRL on the old CA each day).
    http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx

  • HTTP or LDAP for CRL

    Hello
    I am setting up a new PKI (in a lab initially) and reading up on the subject.
    I see the default location for the CDP is in the Configuration partition in AD and therefore accessed via LDAP://......
    I also see other recommending using IIS/HTTP to publish the CRL, CPS
    I can see the advantage of publishing the CPS via HTTP (not sure how you would import a file e.g. text file containing the CPS into AD in any event)
    Question 1:
    But what are the main advantages/disadvantages of placing the CRL in an IIS site and therefore HTTP?
    Question 2:
    I can see how the AD integrated CA would publish updated CRL to AD as the CA is integrated (e.g. Sub issuing CA)
    If the CRL is published via IIS/HTTP will the CA be able to automatically update the CRL via HTTP PUT or something like that (and if so I assume the CA Server needs rights to the Site and underlying NTFS folder containing the sites files),
    or will I have to manually download the CRL from the CA and publish to the HTTP site manually (or via script)?
    Question 3:
    Can I have the CRL published to LDAP and HTTP at the same time? I assume I will have to update the CA somewhere so that when it issues certificates it states both locations in the CDP information within the certificate.
    Any help most appreciated
    AAnotherUser__

    1) HTTP versus LDAP
    The advantages of HTTP over LDAP/AD:
    Easy anonymous access - you don't need an AD account or tweak your AD permissions, so you can serve validating apps on non-domain machines or on machines in other forests.
    No replication delays (if you can use a web server in the domain, see 2) and 3)).
    Can be used as 'external' and 'internal' URL, using split DNS or by publishing using a reverse proxy.
    If you use the same CA for 'external' and 'internal' certificates: You do not disclose information about the structure of your AD forest to external parties.
    One advantage of LDAP / AD might be the distributed structure that provides 'fail-over' - but you can use load-balanced web services with HTTP.
    2) Automation of publication to an HTTP URL
    You cannot use HTTP PUT unless you would write your own application for that - but you can simply share the directory the web server uses, give the CA machine account Write permissions, and add a UNC path to the list of CRL publication URLs (file:///\\webserver\share\%3%8%9.crl)
    Pre-requisite: The web server needs to be a member of the same or a trusted Windows domain. Otherwise you would need a script that copies or FTPs the CRL.
    3) Point of time of CRL publication - LDAP vs. HTTP
    If you can use the UNC path as explained before, both this path and the LDAP object would be populated with the new CRL at the same time. Otherwise (web server not in a trusted domain) you would need to run the publication script more often than the CRL is published so that there is not too much lag.
    Elke

  • Certutil -crl problems (the directory name is invalid)

    Another problem for you fine experts to consider...2 tier PKI, offline Root 2008 R2, 1 Sub Ent CA in Domain1 (2008 R2) and 1 Sub Ent CA in Domain2 (2012 R2).
    SubCA 1 and 2 are configured pretty much identically, however when setting up SubCA 2 I am having issues running the Certutil -CRL command to publish the CRL.
    My CDP locations are configured as follows;
    65:c:\WIndows\System32\CertSrv\CertEnroll\%3%8%9.crl
    79:ldap://CN=%7%8,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    6:http://pki.domain2/CertEnrolment/%3%8%9.crl
    65:file://\\pki.domain2\CertEnrolment\%3%8%9.crl
    I can confirm that the base CRL publishes correctly to the CertEnroll location and LDAP correctly. But it fails trying to publish to the HTTP/File location (which is the same path).
    I get the error:
    CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
    CertUtil: The directory name is invalid
    Also the Delta CRL fails on the CertEnroll default directory as well as the file/http path with error;
    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\pki.domain\CertEnrolment\CANAME+.crl.
    Operation aborted 0x80004004 (-2147467260 E_ABORT)
    I'm pretty certain it's not a permissions issue as I've added Everyone for NTFS/share permissions to test without any change. The install was done with an Enterprise Admin account but I'm doing all the testing now with a normal admin account (admin in the CA/server but not domain or enterprise admin).
    The File/HTTP location is on the CA itself (I know this is likely not best practise, but needs to be there in the short term) so not sure if the Windows firewall comes into play.
    Thanks!

    Hi driko,
    It's not a best practice to give Everyone NTFS/share permissions!
    What I suggest is that you:
    1. Create a dedicated folder, e.g. "C:\Repository", on the CA and share it only with permissions to a specific account (see below)
    2. In the CA publish CRLs to c:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl only, and create a task in Task Scheduler that will run as the dedicated account and will copy c:\Windows\System32\CertSrv\CertEnroll\*.crl to \\pki.domain2\Repository\*.crl
    3. Make sure that the account running this task on CA1 (Domain 1) has enough permissions for the Repository share in Domain 2 (try running cmd as this user on CA1 and copying files manually to \\pki.domain2\Repository\)
    4. Map your http://pki.domain/CertEnrolment URL in IIS to the physical C:\Repository\ folder path

  • Name of .crl and .crt file missing from HTTP URL in certificate details

    Hello Everyone,
    I am in the process of building a 2-tier Windows Server 2012 R2 PKI. The CA name of both the offline standalone root CA and enterprise subordinate CA have spaces in it (we'll call the CA name, 'Test Lab Root CA' for point of reference).
    When I submitted the certificate request for the subordinate CA to the root CA and viewed the attributes/extensions of the pending request, I noticed the HTTP URL is missing the name of the .crt and .crl file.
    The AIA extension reads URL=http://test.domainname.com/pki/.crt
    in the issued certificate details.
    The CDP extension reads URL=http://test.domainname.com/pki/.crl
    in the issued certificate details.
    The AIA and CDP location HTTP URLs are configured as http://test.domainname.com/pki/<CertificateName>.crt and http://test.domainname.com/pki/<CRLNameSuffix><DeltaCRLAllowed>.crl, respectively, on the root CA.
    The LDAP URL shows the .crt and .crl file name (with %20 replacing the spaces) perfectly fine. The LDAP URL is configured using variables as well. It's just the HTTP URL that is missing the name of the file altogether.
    I have read about the issue where spaces are not being replaced with %20 in the URL on Windows Server 2012 and a hotfix is available for that issue. But this issue seems to be slightly different and I'm running Windows Server 2012 R2. I tried installing the hotfix to see if it would help, but the hotfix can't install because it doesn't apply to Server 2012 R2.
    I've been trying to find a technet discussion or blog article for a week to see if anyone has seen this and what the fix is, but I'm coming up empty. I only find talks about %20 not replacing the space in the name.
    Does anyone have any insight into my particular issue? I don't want to issue the subordinate CA certificate until I know the HTTP URL populates the CRL and CRT file name correctly. I can get around this by typing out the name of the file (with spaces and not %20... e.g. http://test.domainname.com/pki/Test Lab Root CA.crl) in the URL via the registry, and the URL displays the name of the file (with %20 in the name) when I do another certificate request and check the attributes/extensions in the pending request. However, I prefer to avoid manually typing out the name of the file in the registry. I'd like to use the variables if at all possible.
    Any help/guidance would be greatly appreciated.
    Thank you.

    On Fri, 27 Mar 2015 03:42:28 +0000, Brian Komar [MVP] wrote:
    You have totally messed up the URLs.
    If you run certutil -getreg ca\CRLPublicationURLs and certutil -getreg ca\CACertPublicationURLs, you will see that you do not have correct use of variables when compared to the settings that follow:
    The URLs should be set to the following for an offline CA:
    certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://test.domainname.com/pki/%%3%%8%%9.crl"
    certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://test.domainname.com/pki/%%1_%%3%%4.crt"
    For an issuing CA, they should be set to:
    certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://test.domainname.com/pki/%%3%%8%%9.crl"
    certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://test.domainname.com/pki/%%1_%%3%%4.crt"
    Just a clarification here: if you're running the above certutil commands at the command prompt you only need single % characters in the command line. The double % characters are only required if the commands are being run in a batch file.
    Paul Adare - FIM CM MVP
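    The entry format that both Elke's UNC-path advice and the certutil -setreg commands above rely on, worked through as an added Python example that is neither certutil's code nor any poster's: it decodes the numeric prefix of a CRLPublicationURLs entry into the CSURL_* flag names that certutil -getreg prints, and expands the %N tokens for a constructed sample CA so the effect of %3%8%9.crl versus %1_%3%4.crt, and of a later CA key renewal, can be checked before anything is issued. The sample CA properties and the token-to-property table are assumptions made here (the table follows certutil's documented <ServerDNSName>, <CAName>, <CRLNameSuffix> style variable names).

```python
import re
from urllib.parse import quote

# Flag bits certutil -getreg ca\CRLPublicationURLs prints for each entry
CSURL_FLAGS = {1: "CSURL_SERVERPUBLISH", 2: "CSURL_ADDTOCERTCDP",
               4: "CSURL_ADDTOFRESHESTCRL", 8: "CSURL_ADDTOCRLCDP",
               64: "CSURL_SERVERPUBLISHDELTA"}

# %N tokens and the CA property each stands for (certutil's <Name> variables)
TOKEN_NAMES = {1: "ServerDNSName", 3: "CAName", 4: "CertificateName",
               6: "ConfigurationContainer", 7: "CATruncatedName",
               8: "CRLNameSuffix", 9: "DeltaCRLAllowed", 10: "CDPObjectClass"}

# Constructed sample CA on its first key, so %4 and %8 are still empty strings
SAMPLE_CA = {
    "ServerDNSName": "pki.example.com",
    "CAName": "Test Lab Root CA",
    "CertificateName": "",      # "(1)", "(2)", ... after each CA key renewal
    "ConfigurationContainer": "CN=Configuration,DC=example,DC=com",
    "CATruncatedName": "Test Lab Root CA",
    "CRLNameSuffix": "",        # likewise "(1)" once the CA key has been renewed
    "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
}

def parse_entry(entry):
    """Split 'FLAGS:template' into (int flags, template)."""
    flags, sep, template = entry.partition(":")
    if not sep or not flags.isdigit():
        raise ValueError(f"no numeric flag prefix: {entry!r}")
    return int(flags), template

def decode_flags(flags):
    """Name the CSURL_* bits set in a flag prefix; e.g. 79 sets all five."""
    names = [name for bit, name in CSURL_FLAGS.items() if flags & bit]
    if flags & ~sum(CSURL_FLAGS):
        names.append("unknown_bits(0x%x)" % (flags & ~sum(CSURL_FLAGS)))
    return names

def expand(template, ca, delta=False):
    """Substitute %N tokens; %9 is '+' only for a delta CRL. Spaces in HTTP
    and LDAP URLs become %20, which is what the thread saw in the LDAP URL."""
    values = dict(ca, DeltaCRLAllowed="+" if delta else "")
    def sub(m):
        return values.get(TOKEN_NAMES.get(int(m.group(1)), ""), m.group(0))
    url = re.sub(r"%(1[01]|[1-9])", sub, template)   # match %10/%11 before %1
    if url.lower().startswith(("http://", "ldap://")):
        url = quote(url, safe=":/?=&+(),%")
    return url
```

    Feed it the raw lines from certutil -getreg (without the %% doubling a batch file needs) to see what each CDP entry will look like in issued certificates.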

  • Cluster stop and start

    Hi Experts ,
    Is it possible to stop and start Sun Cluster like VCS (hastop and hastart)?
    Regards,
    R.Rajesh Kannan.

    So many questions!
    It depends what you're trying to achieve. Sun Cluster is only started and stopped when you boot/shutdown Solaris.
    However, maybe you actually only want to be able to make changes to a service without Sun Cluster trying to restart it, etc. If that is the case, then you simply need to disable the monitoring on the service in question and then you can do what you like with the service and Sun Cluster won't react.
    A typical example would be for HA-Oracle. If you don't stop the monitoring and then have the DBA try and shutdown the database, they will find that Sun Cluster detected the 'failure' and restarted the service. However, disabling the monitoring will allow the DBA to shutdown Oracle manually, make their changes and bring it back up again. The monitoring can then be re-enabled on the database.
    Tim
    ---

  • Clustered role 'Cluster Group' has exceeded its failover threshold.

    Hello.
    I’m hoping to get some help with a cluster issue I’m having using Windows Storage Server 2012.
    When the cluster is created my Cluster Core Resources are all happy and online.
    I can move the Cluster Name using “Move Core Cluster Resources” between the two nodes without any problems.
    If I select ‘Simulate Failure’ on the IP Address resource, it works the first time.
    If I do it again shortly after it fails and I get an Event ID 1254, 1205 and 1069.
    Event ID 1254
    Clustered role 'Cluster Group' has exceeded its failover threshold. 
    It has exhausted the configured number of failover attempts within the failover period of time allotted to it and will be left in a failed state. 
    No additional attempts will be made to bring the role online or fail it over to another node in the cluster. 
    Please check the events associated with the failure.  After the issues causing the failure are resolved the role can be brought online manually or the cluster may attempt to bring it online again after the restart delay period.
    Event ID 1205
    The Cluster service failed to bring clustered service or application 'Cluster Group' completely online or offline. One or more resources may be in a failed state. This may impact the availability of the clustered service or application.
    Event ID 1069
    Cluster resource 'Cluster IP Address' of type 'IP Address' in clustered role 'Cluster Group' failed.
    Based on the failure policies for the resource and role, the cluster service may try to bring the resource online on this node or move the group to another node of the cluster and then restart it. 
    Check the resource and group state using Failover Cluster Manager or the Get-ClusterResource Windows PowerShell cmdlet.
    Basically I’m trying to simulate a network failure to make sure the failover kicks in.
    If I click on it and ‘Bring Online’ it comes up fine.
    Where do I find this Threshold Policy and set it to initiate failover if the IP Address resources fails?
    Thank you in advance for your help.

    Hi,
    The failover threshold is the number of times the group can fail over within the number of hours specified by the failover period. For example, if a group failover threshold is set to "5" and its failover period to "3", the clustering software stops attempting to bring the group online and leaves the resources within the group in their current state. For example, if the IP Address resource is brought online but the Network Name resource fails, the group is left offline, but the IP Address resource is left online.
    To configure thresholds for a resource:
    Right-click the cluster resource and then select 'Properties'
    Click 'Advanced'
    Select 'Do not restart' if the cluster service should not attempt to restart. Restart is the default
    If 'Restart' is selected:
    Affect the Group: uncheck to prevent a failure of the selected resource from causing the Server group to failover
    Threshold: number of times the cluster service will attempt to restart the resource, and period is the amount of time in seconds between retries
    Do not modify the 'LooksAlive' and 'IsAlive' settings
    Unless necessary, do not alter the 'Pending Timeout'. This is the amount of time the resource is in either the online pending or offline pending state before the cluster service puts it in either the offline or the failed state
    For more information please refer to following MS articles:
    Windows Failover Clustering Overview
    http://blogs.technet.com/b/rob/archive/2008/05/07/failover-clustering.aspx
    Tuning Failover Cluster Network Thresholds
    http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx
    Failover cluster (group) maximum failures limit
    http://blogs.msdn.com/b/arvindsh/archive/2012/03/09/failover-cluster-group-maximum-failures-limit.aspx
    Lawrence
    TechNet Community Support
