Re: Subordinate Certificate Server - No templates?!

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/22/05


Date: Sat, 22 Jan 2005 02:05:38 -0600

Disregard the wins warning but the dns and kerberos warnings could
definitely cause problems with AD. Verify that the server's time is correct
compared to the dc and check day/month/year/time zone/AM&PM. Kerberos only
allows for a five minute time skew before failing to authenticate using it.

If I remember correctly netdiag is telling you it can not find the domain
controller "machine.localdomain.local" perhaps. Use Ipconfig /all to verify
that it has the correct domain controller IP addresses listed as preferred
dns servers and try to ping them by IP address and fully qualified domain
name. The dns client caches negative queries so you may need to use ipconfig
/flushdns between tries and configuration changes. Nslookup can also be used
to see if the server shows and can use the correct dns server/domain
controller and use it to resolve domain names. If you use nslookup and do
not have a reverse domain zone configured you will get an error message but
you still should be able to resolve names via the preferred dns servers. The
following KB link shows how to use nslookup to verify that the domain
computer can resolve the _srv records of a domain controller.

http://support.microsoft.com/?kbid=241515

You also should run netdiag on the domain controller that is first in the
list of preferred dns servers for your new CA server. If problems are found
you can use netdiag /fix to attempt to reregister the _srv records and then
restart the netlogon service. Also look in Event Viewer for any pertinent
clues on the new CA server.

Certificates are not related to kerberos tickets and when you promoted the
server to the new CA it should have been issued a new certificate as a CA,
not to replace any existing certificates but to add a CA certificate to the
local computer store as shown using the mmc certificates snapin for computer
certificates. The kerberos error is probably related to a time issue or
failure to locate a domain controller that also would be a KDC - kerberos
distribution center. An assigned ipsec policy can also cause problems with
contacting domain controllers. The two ipsec mmc snapins will tell you if any
ipsec policies are applied to the W2003 server.

I am pulling the plug for today shortly. Hope you make some progress. You
have isolated the problem which is a great start. --- Steve

"Tony Su" <TonySu@discussions.microsoft.com> wrote in message
news:2E92BBC5-1818-4624-B43A-3576223DE807@microsoft.com...
> Hello Steve,
> Thx for the suggestions... maybe some possibilities uncovered.
>
> DCDiag ran with flying colors. No problems.
> Opened the Services Node and found a long list of Certificate templates
> stored in the AD.
> Ran NetDiag on the Win2K3 machine with the Cert Server and revealed the
> following:
> - Curiously, after a test has "passed" it can be followed with a warning or
> failure which seems to contradict the test unless "passed" does not indicate
> the result, only that the test ran.
> - NetDiag seems to believe WINS should be expected. I'm ignoring these
> because I'm not implementing WINS.
> - There is a DNS warning that "Cannot find a primary authoritative DNS
> server for the name "machine.localdomain.local" may not be registered in
> DNS. That's curious because it seems to resolve all network object names
> fine. Also, I checked and the machine is registered in the Domain's DNS.
> - Kerberos test failed. That's interesting because it probably originally
> had a ticket from the original Domain CA but since a new CA was installed on
> the machine I believe the certificate was replaced with a new one issued
> locally. IIRC I'm trying to enforce Kerberos authentication within the LAN
> although
>
> Am weighing these results but if you have an opinion on those I'd be happy
> to listen...
>
> Tony
>
>
> "Steven L Umbach" wrote:
>
>> The certificate templates are stored as AD objects and shown in AD Sites
>> and Services when the view option is selected to show services node. That
>> is why you are experiencing problems if the new CA can not access them in
>> CA which is where it must. It would not hurt to double check things with
>> netdiag to double check that the new CA can find the domain controllers
>> and its computer account is in good standing in the domain. Another thing
>> to check is that the new CA is a member of the Cert publishers group in AD
>> Users and Computers. If you install the Windows 2003 RK tools [free
>> download] on the new CA you can then use mmc and there will be a snapin
>> for "Enterprise PKI" which may help in seeing what is going on. --- Steve
>>
>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/pkiview.asp
>> http://tinyurl.com/69gfb --- same link as above, shorter.
>>
>> "Tony Su" <TonySu@discussions.microsoft.com> wrote in message
>> news:804A6B0F-10BC-4F50-933F-DC23DBB68CA6@microsoft.com...
>> > Hello Steven, thx for posting -
>> > I guess I was really looking for some assurance from someone that this
>> > isn't an AD schema problem.
>> >
>> > Also, I'm not sure whether a Win2K3 AD/Enterprise Certificate Server
>> > must store the templates in the AD or if it should be able to
>> > view/utilize templates stored locally.
>> >
>> > I don't suspect an AD or DNS networking issue, there are good network
>> > connections and the Win2K machine was registered and functioning
>> > perfectly in the Win2K AD Domain for a long time beforehand.
>> >
>> > Tony
>> >
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> "During installation, the Win2K3 Certificate Server install complained
>> >> about being unable to connect to the Active Directory". That is
>> >> probably the crux of the problem. Look in Event Viewer to see if any
>> >> pertinent events are recorded. Not being able to contact AD is usually
>> >> a network connectivity or a dns name resolution problem with the main
>> >> culprit being the problem computer is not pointing only to AD domain
>> >> controllers running dns with the domain zone. See the link below on AD
>> >> dns to make sure that the domain is configured correctly. The support
>> >> tools netdiag and dcdiag [domain controllers only] can be very helpful
>> >> in troubleshooting Active Directory/dns problems. --- Steve
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --
>> >> applies to Windows 2003 also
>> >>
>> >> "Tony Su" <TonySu@discussions.microsoft.com> wrote in message
>> >> news:45EA062E-0BFB-4807-972A-75E3AB9259B7@microsoft.com...
>> >> > Installing a Win2K3 Certificate Server as a subordinate to a Win2K
>> >> > Certificate Server in a Win2K AD Domain with Win2K3 AD extensions.
>> >> > The Certificate Hierarchy is Enterprise AD.
>> >> >
>> >> > During installation, the Win2K3 Certificate Server install complained
>> >> > about being unable to connect to the Active Directory.
>> >> >
>> >> > Now, after install when I run the online enrollment as a Domain
>> >> > Administrator there is an error
>> >> >
>> >> > No certificate templates can be found. You do not have permission to
>> >> > request a certificate from the CA, or an error occurred accessing the
>> >> > Active Directory.
>> >> >
>> >> > As expected the templates were installed on the Win2K3 Server locally
>> >> > and viewable using the Certificate Authority MMC.
>> >> >
>> >> > - Is there a known problem configuring a Win2K3 Certificate Server as
>> >> > a subordinate to a Win2K Server (there doesn't appear to be).
>> >> > - Is there a known problem storing Win2K3 Certificate Server data in
>> >> > a Win2K AD?
>> >> > - Should a Win2K3 Certificate Server be able to read its local
>> >> > templates or should those templates somehow have been installed into
>> >> > the AD?
>> >> >
>> >> > TIA,
>> >> > --
>> >> > Tony Su
>> >> > www.su-networking.com
>> >> > ISA
>> >> > SBS
>> >> > Enterprise Mobile Solutions Architect
>> >>
>> >>
>> >>
>>
>>
>>
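The checks Steve walks through across his two replies (preferred DNS servers pointing only at DCs, the DC/KDC locator, the _srv records from KB 241515, clock skew against the DC, Cert Publishers membership, and whether the CA can actually read the templates that live in AD) can be run in one pass from the new subordinate CA. The script below is an added example for this thread, not code from either poster. It assumes the domain name "localdomain.local" from the thread and an assumed DC name "dc1.localdomain.local" (change both), and it uses only in-box tools (ipconfig, nltest, nslookup, w32tm, net, certutil); it does not replace netdiag from the Support Tools, which is what the thread used.

```powershell
<#
Added example, not code from the thread. Runs Steve's checks from the new
subordinate CA. Assumptions (edit for your environment):
  $Domain - the AD DNS domain; "localdomain.local" is the name from the thread
  $Dc     - a DC that is also the CA's first preferred DNS server (assumed name)
#>
param(
    [string]$Domain = "localdomain.local",
    [string]$Dc     = "dc1.localdomain.local"
)

function Show-Check([string]$Title, $Output) {
    Write-Host "=== $Title ==="
    $Output | ForEach-Object { Write-Host "  $_" }
}

# 1. Which DNS servers is the box really using? Only DCs hosting the AD zone
#    should be listed; an ISP or appliance resolver here explains "cannot find a DC".
$dnsLines = ipconfig /all | Select-String -Pattern "DNS Servers" -Context 0,2
Show-Check "Preferred DNS servers (ipconfig /all)" `
    ($dnsLines | ForEach-Object { $_.Line; $_.Context.PostContext })

# 2. Drop cached negative answers before re-testing name resolution.
ipconfig /flushdns | Out-Null

# 3. DC locator: can this machine find a DC that is also a KDC for the domain?
Show-Check "DC locator (nltest /dsgetdc /kdc)" (nltest "/dsgetdc:$Domain" /kdc 2>&1)

# 4. The SRV records a domain member needs (KB 241515). If these fail, the
#    preferred DNS server is not hosting the AD zone or netlogon has not
#    registered them (netdiag /fix on the DC, then restart netlogon).
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain") {
    Show-Check "SRV lookup $rec" (nslookup -type=SRV $rec 2>&1)
}

# 5. Time skew: Kerberos rejects authentication once the clocks differ by more
#    than the allowed tolerance (5 minutes by default).
$chart  = w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly 2>&1
$offset = $chart | Select-String -Pattern "([+-]\d+\.\d+)s" | Select-Object -Last 1
Show-Check "Clock offset vs $Dc (w32tm /stripchart)" $chart
if ($offset) {
    $seconds = [double]$offset.Matches[0].Groups[1].Value
    if ([math]::Abs($seconds) -gt 300) {
        Write-Warning ("Clock is off by {0:N1}s; Kerberos will fail until it is fixed." -f $seconds)
    }
}

# 6. An enterprise CA publishes into AD as a member of Cert Publishers.
#    Computer accounts are listed by net group as NAME$.
$members = net group "Cert Publishers" /domain 2>&1
$inCertPublishers = [bool]($members -match [regex]::Escape("$env:COMPUTERNAME`$"))
Show-Check "Cert Publishers membership (net group)" ("Member: $inCertPublishers")

# 7. The templates live in AD, not on the CA. If this cannot list them, the
#    enrollment pages will say "No certificate templates can be found".
Show-Check "Templates readable from AD (certutil -dstemplate)" `
    (certutil -dstemplate 2>&1 | Select-Object -First 20)
```

Run it from an elevated PowerShell prompt on the CA as a domain account. Steps 3 and 4 failing while step 1 shows a non-DC resolver is the pattern Steve describes; step 7 failing while steps 3 and 4 pass points at permissions (Cert Publishers, or the template ACLs) rather than name resolution.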


