Hyper-V / "Could not initialize machine remoting system" "Could not find a suitable certificate"

Hello, looking for some assistance on an error we are receiving on a Windows Server 2008 R2 Hyper-V installation.  This is a full server installation, not a core install.  We have one VM and it will not start; the error is "Could not initialize machine remoting system. Error: Element not found (0x80070490)".  It is then followed by the error "Could not find a usable certificate.  Error Element not found (0x80070490)".  See the attached screenshot for the full error.

So far I have done quite a bit of troubleshooting that has included:
1. Restarting the Hyper-V services.
2. Restarting the server.
3. Creating a new VM that will not start.  This tells me it is a Hyper-V issue and not particular to the VM that won't start.
4. Removed all local FQDN certificates from all certificate stores.
5. Imported the local FQDN self generated certificate into the Hyper-V vhdsvc\Personal certificate store.
6. Uninstalled the Hyper-V role, rebooted and re-installed the Hyper-V role and rebooted.

The only information I can find on this error says the certificate is supposed to be generated once the Hyper-V services start, but that doesn't fix the issue.

Any help would be appreciated.
HyperVError.png
htsupportAsked:

becraigCommented:
Here is a Microsoft KB dealing with this issue:
http://support.microsoft.com/kb/971264


The error is specific to "Element not found"
It seems it is complaining the certificate is not found/present.


Some additional troubleshooting:
http://cloudtidings.com/2010/11/19/how-to-fix-the-unspecified-error-0x80004005-could-not-find-a-usable-certificate-windows-2008r2/
0
htsupportAuthor Commented:
Unfortunately that hotfix will not apply because this is Server 2008 R2 and not Server 2008.

The additional troubleshooting link references the same Hotfix that will not install.  I tried to use the Powershell script they provided but am unable to get it to work.  I downloaded the makecert.exe utility and the ps1 script into the same directory, set the execution policy and the script runs but I am getting this error:

"PS C:\Users\Administrator\downloads\makecert_5_131_3790_0> .\makecert.ps1
Host name found: xxxxx (I blanked this out)
Creating a new certificate using makecert.exe
Error: Can't create the key of the subject ('932feaab-8098-41da-a536-2f4eb078b4d3')
Failed
Unexpected Exception!

At C:\Users\Administrator\downloads\makecert_5_131_3790_0\makecert.ps1:44 char:14+         throw <<<<  "Certificate Not
Found error. Check if makecert.exe is successful or not"

At line:1 char:15+ .\makecert.ps1 <<<<

System.Management.Automation.RuntimeException: Certificate Not Found error. Check if makecert.exe is successful or not
0
becraigCommented:
Let me take a quick look at the script and get back to you. Also, are you running this as administrator?
0

htsupportAuthor Commented:
Yes, running the script as Administrator.  Also verified that makecert.exe is in the same directory as the script.  Thanks!
0
becraigCommented:
ok so run this first, so we can create the cert:

I will look at pulling the parts of the script to make the other pieces work, we just need to figure out why the cert portion failed.

Run the below from an elevated PowerShell window:
$hostname = "$((gwmi win32_computersystem).dnshostname).$((gwmi win32_computersystem).domain)"
$hostname

Copy and paste the value returned from hostname

and replace hostname in the command below:
makecert -r -pe -n "CN=<hostname>" -sky exchange -ss my  -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\<hostname>.cer

Let me know once this is done.

We will move on to the next step.
0
htsupportAuthor Commented:
The mystery deepens.  

When running that command as administrator I get this error:
"PS C:\users\Administrator\Downloads\makecert_5_131_3790_0> .\makecert.exe -r -pe -n "CN=imsserver.aacpc.local" -sky exchange -ss my  -a sha1 -eku 1.3.6.1.5.5.7.3.1 c:\imsserver.aacpc.local.cer
Error: Can't create the key of the subject ('5cfb52ab-5016-4f64-9362-e95642006c70')
Failed"

IIS is also installed for this server and if I go to Server Certificates nothing is listed.  I tried to create a self signed certificate in IIS and received a "keyset does not exist" error.  I then looked at the existing self signed certificate using the Certificates mmc and the self signed machine certificate is there but doesn't have a "You have a private key that corresponds to this certificate".  I then checked the MachineKeys directory and verified permissions are correct.

I'm now wondering if the reason I'm having the Hyper-V issues is because I don't have a private key corresponding to the self signed certificate.  Not sure if this would be related to permissions or something else.
0
becraigCommented:
Make sure the account you are using is a member of the LOCAL administrators group.

This seems like an inability to create a key linked to the machine account.
0
htsupportAuthor Commented:
Yes, I agree.  The account I am using is the Domain Admin Administrator account.  I also ran everything using the "Run As Administrator" option.
0
becraigCommented:
Can you try removing the account from the local administrators group, then re-adding it and rerunning the makecert command?
0
htsupportAuthor Commented:
Unfortunately this is a single server solution which runs as a domain controller as well so there is no local administrators group.
0
becraigCommented:
Ok it would still have a local admin group, please follow the steps below:
compmgmt.msc
expand local users and groups
double click administrators in the left pane
Click Add and add the user you are logged in as.

If your user is already there, remove and re-add and try again.
0
htsupportAuthor Commented:
Since this computer is a domain controller there is no Local Users and Groups.  See the attached screenshot from Computer Management.

Unfortunately this problem has gotten worse, not better.  The self signed certificate for the server does not have a corresponding private key.  I used certutil to try and restore the private key but it failed.  I was hoping I could generate a new self signed certificate but every tool I try to do that has failed.  This includes MakeCert.exe, SelfSSL.exe, the IIS Self Signed certificate wizard and another tool from Microsoft called SSL Diag.  I don't care about the broken certificate, I'd just like to be able to generate a new one.
Compmgmt.png
0
becraigCommented:
makecert -r -pe -n "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer

Try that and see if it works.
0
htsupportAuthor Commented:
Here's the error I'm getting when running the command.  I tried appending a '2' to the computer name just to see if it was a problem with the name for some reason. I also downloaded the latest version of makecert.exe from the Windows SDK.

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n "CN=server.company.local" -sky exchange -ss my  c:\certificate.cer
Error: Can't create the key of the subject ('f3dd8937-604e-4c74-bbfa-6340486d32e
4')
Failed

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n "CN=server2.company.local" -sky exchange -ss my  c:\certificate.cer
Error: Can't create the key of the subject ('e03eb56d-a014-4287-9c57-9cd62e372b7
c')
Failed
0
becraigCommented:
This is the same thing we are experiencing throughout (admin access issues).

The cmd window has to be run as administrator, however you can change the command to create in current user context, or grant your account full permissions on C:\Windows\System32\Microsoft\Crypto\RSA and C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys


Then run the command again.
0
htsupportAuthor Commented:
Yes, it certainly does seem like permission issues when creating the certificate.  I have run the cmd window in the user context (administrator) and also by right clicking and selecting "Run as administrator".  I also checked the MachineKeys directory once more and set permissions to "Include inheritable permissions from this object's parent" and also ran a "replace all child object permissions with inheritable permissions from this object".  The security on the MachineKeys directory is: SYSTEM (Full Control), Administrators (Full Control), Users (Read and Execute), Users (Special) and CREATOR OWNER (Special).  C:\Windows\System32\Microsoft\Crypto\RSA is empty, and C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys has 15 files.

I also created a second account, granted it domain admin access and ran the MakeCert command and received the same error.
0
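Added example, not part of the original thread: a read-only PowerShell check for the condition described in the comments above (a machine certificate with no usable private key, and the ACL on the MachineKeys folder). The function name Get-MachineCertKeyStatus is hypothetical, and the script assumes RSA CSP keys stored under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys; run it from an elevated prompt.

```powershell
# Added diagnostic sketch (not from the thread). Read-only: it changes nothing.
# Assumption: machine RSA keys live in the default CSP folder below.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-MachineCertKeyStatus {   # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $container = $null
        $problem   = $null

        if (-not $cert.HasPrivateKey) {
            # Matches the missing "You have a private key..." line in the MMC.
            $problem = 'No private key is associated with this certificate'
        } else {
            try {
                $key = $cert.PrivateKey   # may throw "Keyset does not exist"
                if ($null -eq $key) {
                    $problem = 'Private key could not be opened (container missing, or a CNG key)'
                } else {
                    # File name of the key container inside MachineKeys
                    $container = $key.CspKeyContainerInfo.UniqueKeyContainerName
                    if (-not (Test-Path (Join-Path $machineKeys $container))) {
                        $problem = 'Key container file not found in MachineKeys'
                    }
                }
            } catch {
                $problem = "Error opening private key: $($_.Exception.Message)"
            }
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Container  = $container
            Problem    = $problem          # $null means the key looks usable
        }
    }
}

Get-MachineCertKeyStatus | Format-List Subject, Thumbprint, Container, Problem

# Effective ACL on the key folder, to compare with the list given in the comment above
(Get-Acl $machineKeys).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```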
becraigCommented:
makecert -r -pe -n -sr CurrentUser "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer


See if this works.
0
htsupportAuthor Commented:
Here's what I get when running that command:

D:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -r -pe -n -sr CurrentUser "CN=server.domain.local" -sky exchange -ss my  c:\certificate.cer
Error: Too many parameters
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
 -sk  <keyName>      Subject's key container name; To be created if not present
 -pe                 Mark generated private key as exportable
 -ss  <store>        Subject's certificate store name that stores the output
                     certificate
 -sr  <location>     Subject's certificate store location.
                        <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -#   <number>       Serial Number from 1 to 2^31-1.  Default to be unique
 -$   <authority>    The signing authority of the certificate
                        <individual|commercial>
 -n   <X509name>     Certificate subject X500 name (eg: CN=Fred Dews)
 -?                  Return a list of basic options
 -!                  Return a list of extended options
0
becraigCommented:
Sorry, flag in the wrong place:
makecert -r -pe -sr CurrentUser -n "CN=computer.domain.local" -sky exchange -ss my  c:\certificate.cer
0
htsupportAuthor Commented:
To update this, we have Microsoft PSS working on the certificate issue.  For the last couple days they have been attempting to use the makecert command to generate a new certificate.  They are having issues getting the command to run.
0
becraigCommented:
Did you ever make any progress on this with Microsoft?

I would really love to know what they came back with.
0
htsupportAuthor Commented:
Unfortunately not.  Microsoft worked on this issue for about 2 weeks and did many of the same things we had already tried and that you had suggested.  This included using makecert to create a certificate on the local machine and then trying to import an existing certificate that they created on a separate machine.  They also tried various other troubleshooting steps and attempted to recreate the issue in their lab environment.  The last thing they wanted us to try was to do a repair of the OS.  We decided to purchase a new server and move over the VMs to it instead of doing the repair due to the risk involved with running a repair on the OS.  This server had a VM running on it but the host OS that had the Hyper-V role installed also has several programs directly installed including a medical EMR application.  Thanks for your help in trying to resolve the issue though.
0

htsupportAuthor Commented:
Solution was to purchase a new server and migrate the VM to it.
0