Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 13608
  • Last Modified:

Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate

Hi
I am New to RMS, I had install WIndows Server 2008 64Bit that host AD DNS, and VMWARE that is running a Server 2008 that will run RMS Server (its a lab)
after the installation of RMS in the VMWARE Machine finished I got this log
Active Directory Rights Management Services: Installation succeeded with errors
   Error: Attempt to configure Active Directory Rights Management Server failed.  The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.    at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.



After Openning RMS I get the Following Error
AD RMS Administrator Server Fail Because the value of "AdminLocalConnectionPoint" Under registry Key
"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DRMS\2.0" was invalid




Log Name:      Application
Source:        Active Directory Rights Management Services
Date:          10/9/2008 9:21:00 AM
Event ID:      204
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      rms.farisnt.local
Description:
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy.
.
.
.

Microsoft.RightsManagementServices.DecideCertificateHierarchyFailException
        Message: The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
  + System.Net.WebException
  +         Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      + System.Security.Authentication.AuthenticationException
      +         Message: The remote certificate is invalid according to the validation procedure.
</Data>
  </EventData>
</Event>

what can I do to fix this
THanks
1
Housammuhanna
Asked:
Housammuhanna
  • 6
  • 3
1 Solution
 
HousammuhannaAuthor Commented:

NOTE That there is no CA installed in the lab
 also I try both HTTPS and HTTP while installing the RMS but all return the same result
0
 
HousammuhannaAuthor Commented:
ATTENTION, I had ask about 5 Q Non of them has been answer, whats up expert
0
 
KentFireCommented:
I am also experiencing this problem and would appreciate an answer!!    How can you delete a SCP when the server no longer exists?  Can it be manually removed somehow?
Thanks
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
KentFireCommented:
Hi Vee_Mod,
Thanks for posting a response.  In the meantime I have managed to find a solution to my question and will explain it below for future reference:
I wanted to manually delete the SCP as everytime I tried to reinstall RMS it complained that a SCP already existed (and also gave the certificate hierarchy message).  I found this blog http://blogs.msdn.com/rms/ which provided the answer.
Basically I had to download the RMS admin toolkit onto my PC and then run the following command to delete the SCP from AD:
ADScpRegister unregisterscp <URL to unregister>
Prior to using the command I also used ldp to connect to AD so I could double-check the url and also to check that it was successfully deleted.  Once the command was run I was able to reinstall RMS with no problems.
Hope this helps,
Thanks
0
 
HousammuhannaAuthor Commented:
HI all and thanks
I wont be able to answer before 3 days as I am away from the server, I will for sure test this when I come back

THanks

0
 
HousammuhannaAuthor Commented:
OK
I am back again
THanks for your time
I will try it today and post the reply again
I am very sory for th Delay
0
 
HousammuhannaAuthor Commented:
HIIIIIIIIIIIIIIIIIIIIIIII
THANKS KentFire for your Reply
I try it and it work fine, I dont know if that was the Fix
I ran the command
C:\>ADScpRegister.exe unregisterscp https://main.farisnt.local:443/_wmcs/certificationasdasdasd
Is this sentence correct
I had remove the RMS and reinstall it and now its working fine,
I use HTTP while installing, I dont know if this problem will appear if I remove the RMS and Reinstall it using HTTPS
I Will offer the point to KentFire and then later will try to remove it and install it using HTTPS
Thanks
0
 
HousammuhannaAuthor Commented:
Thanks , I will later try it also using HTTPS
0
 
KentFireCommented:
Housammuhanna,
Many thanks for the point and glad you got it sorted in the end.
Cheers.
0
 
NetwaysCommented:
Hi,

Where should i run that command
ADScpRegister unregisterscp <URL to unregister>
i have same problem, and when everytime i run this command, i'm given a message indicating that ADScpRegister is not recognized as an internal or external command.

Please advise,,,
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now