Solved

CA Server Issue - CAS Crashed/RADIUS Errors

Posted on 2012-03-11
Last Modified: 2012-03-13
Hi Guys

I've run into a bit of an issue: my CA server crashed (no backup!) a while back and I thought there wouldn't be any issues, but a few days back the certificate on the PDC expired and now any user trying to connect to the wireless is unable to, due to the RADIUS. It seems that because the certificate expired the RADIUS server has stopped working.

Any idea what the best solution is to get the wireless working again?
Setting up another CA?
Setting up a self-signed certificate (using IIS) for the RADIUS?
If I do not set up another CA, will there be any further consequences? All servers have been popping up auto-enrollment certificate errors.

Any feedback will be great. Thanks!
Question by:YOlanie_Visser

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 37706922
It's hard to rebuild a CA, especially if you didn't back it up properly.
A self-signed cert does not offer the same solutions as a CA would, and you'd probably get some issues because the CRL cannot be completed.

I'd suggest deleting the OLD CA information and then rebuilding your CA; you can then reissue your certs the "normal" way.

This is what you needed to do before the CA fell over.
http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx

These are the instructions you're looking for:
Basically, remove broken CA.
Install new CA.
Re-issue certs. Your servers should automatically enroll once the CA is present, so possibly only your RADIUS server may need a manual re-issue.

You should start with removing the decommissioned CA from your domain.
http://support.microsoft.com/kb/889250

Have a read about CAs and decide if you still don't need it.
http://www.kurtdillard.com/StudyGuides/70-640/6.html

How to install a CA
http://technet.microsoft.com/en-us/library/aa998956(v=exchg.65).aspx

Author Comment

by:YOlanie_Visser
ID: 37714191
dvt_localboy

I'm in the process of doing the cleanup. Any idea how I will work around the RADIUS issue? Could I use a self-signed cert just for the RADIUS? That would be the only reason why I would set up another CA...

Expert Comment

by:Leon Fester
ID: 37714633
No, a self-signed certificate on the RADIUS server won't help you.
The simple reason: the Certificate Authority for that self-signed certificate will not be found.

You also need to remember that the basis of PKI is that there is always an Authority that can verify the validity of a certificate. Have a look at a valid certificate and check out the Certificate Path... it's needed for establishing if your certificate is valid.
http://technet.microsoft.com/en-us/library/cc731853.aspx

Reasons for installing a CA
http://technet.microsoft.com/en-us/library/cc776679(v=ws.10).aspx

Additional reading that may interest you:
http://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx
http://technet.microsoft.com/en-us/library/cc772670(v=ws.10).aspx
http://www.trainsignal.com/blog/active-directory-certificate-services
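The "check out the Certificate Path" step from the comments above, run across every server-authentication certificate on the RADIUS server, as an added example that is not part of the original thread. The function name `Test-ServerCertificate` and the 30-day warning threshold are assumptions; the script only reads the local machine store.

```powershell
# Added example: audit server-authentication certificates on the RADIUS (NPS) host.
# Run in an elevated PowerShell session. Read-only: nothing is changed.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$warnDays      = 30                    # assumed warning threshold, adjust as needed

function Test-ServerCertificate {      # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Build the certification path with online revocation (CRL) checking,
    # which is what fails once the issuing CA and its CRL are gone.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Certificate)

    # ChainElements runs leaf -> root; reverse it to read root -> leaf.
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [array]::Reverse($path)
    # Typical flags: NotTimeValid (expired), UntrustedRoot (self-signed or
    # unknown CA), RevocationStatusUnknown / OfflineRevocation (CRL unreachable).
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $daysLeft = [math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)

    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        ExpiryWarn = ($daysLeft -lt $warnDays)
        ChainValid = $valid
        Problems   = ($problems -join ', ')
        Path       = ($path -join '  ->  ')
    } | Select-Object Subject, Thumbprint, NotAfter, DaysLeft, ExpiryWarn, ChainValid, Problems, Path
}

# Only certificates that explicitly carry the Server Authentication EKU are listed;
# certificates with no EKU extension at all are skipped by this filter.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthOid }
    } |
    ForEach-Object { Test-ServerCertificate -Certificate $_ } |
    Sort-Object DaysLeft |
    Format-List
```

The result reflects the trust store of the machine it runs on; wireless clients validate the same path against their own trusted roots, so a certificate that passes here still has to chain to a CA the clients trust.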