Solved

Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate

Posted on 2008-10-10
14
13,186 Views
1 Endorsement
Last Modified: 2012-05-05
Hi
I am New to RMS, I had install WIndows Server 2008 64Bit that host AD DNS, and VMWARE that is running a Server 2008 that will run RMS Server (its a lab)
after the installation of RMS in the VMWARE Machine finished I got this log
Active Directory Rights Management Services: Installation succeeded with errors
   Error: Attempt to configure Active Directory Rights Management Server failed.  The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.    at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.



After Openning RMS I get the Following Error
AD RMS Administrator Server Fail Because the value of "AdminLocalConnectionPoint" Under registry Key
"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DRMS\2.0" was invalid




Log Name:      Application
Source:        Active Directory Rights Management Services
Date:          10/9/2008 9:21:00 AM
Event ID:      204
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      rms.farisnt.local
Description:
Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy.
.
.
.

Microsoft.RightsManagementServices.DecideCertificateHierarchyFailException
        Message: The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
  + System.Net.WebException
  +         Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
      + System.Security.Authentication.AuthenticationException
      +         Message: The remote certificate is invalid according to the validation procedure.
</Data>
  </EventData>
</Event>

what can I do to fix this
THanks
1
Comment
Question by:Housammuhanna
  • 6
  • 3
14 Comments
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22686311

NOTE That there is no CA installed in the lab
 also I try both HTTPS and HTTP while installing the RMS but all return the same result
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22706325
ATTENTION, I had ask about 5 Q Non of them has been answer, whats up expert
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22710192
I am also experiencing this problem and would appreciate an answer!!    How can you delete a SCP when the server no longer exists?  Can it be manually removed somehow?
Thanks
0
 
LVL 1

Accepted Solution

by:
KentFire earned 500 total points
ID: 22740772
Hi Vee_Mod,
Thanks for posting a response.  In the meantime I have managed to find a solution to my question and will explain it below for future reference:
I wanted to manually delete the SCP as everytime I tried to reinstall RMS it complained that a SCP already existed (and also gave the certificate hierarchy message).  I found this blog http://blogs.msdn.com/rms/ which provided the answer.
Basically I had to download the RMS admin toolkit onto my PC and then run the following command to delete the SCP from AD:
ADScpRegister unregisterscp <URL to unregister>
Prior to using the command I also used ldp to connect to AD so I could double-check the url and also to check that it was successfully deleted.  Once the command was run I was able to reinstall RMS with no problems.
Hope this helps,
Thanks
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22744173
HI all and thanks
I wont be able to answer before 3 days as I am away from the server, I will for sure test this when I come back

THanks

0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 9

Author Comment

by:Housammuhanna
ID: 22780437
OK
I am back again
THanks for your time
I will try it today and post the reply again
I am very sory for th Delay
0
 
LVL 9

Author Comment

by:Housammuhanna
ID: 22788696
HIIIIIIIIIIIIIIIIIIIIIIII
THANKS KentFire for your Reply
I try it and it work fine, I dont know if that was the Fix
I ran the command
C:\>ADScpRegister.exe unregisterscp https://main.farisnt.local:443/_wmcs/certificationasdasdasd
Is this sentence correct
I had remove the RMS and reinstall it and now its working fine,
I use HTTP while installing, I dont know if this problem will appear if I remove the RMS and Reinstall it using HTTPS
I Will offer the point to KentFire and then later will try to remove it and install it using HTTPS
Thanks
0
 
LVL 9

Author Closing Comment

by:Housammuhanna
ID: 31504990
Thanks , I will later try it also using HTTPS
0
 
LVL 1

Expert Comment

by:KentFire
ID: 22874768
Housammuhanna,
Many thanks for the point and glad you got it sorted in the end.
Cheers.
0
 

Expert Comment

by:Netways
ID: 26094180
Hi,

Where should i run that command
ADScpRegister unregisterscp <URL to unregister>
i have same problem, and when everytime i run this command, i'm given a message indicating that ADScpRegister is not recognized as an internal or external command.

Please advise,,,
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now