Tim Haslett


Certificate Authority Issues

Hi All,
I discovered issues with our AD domain's CA not having any Templates available. When I view the Certificate Templates folder in the CA snap-in, it is empty. Attempting to obtain a new or renewal cert on a domain machine results in no templates available. Same with the CA web page. Templates do appear in ADSS under Public Key Services\Cert Templates. When attempting to run New > Certificate Template to Issue, no matter which template I choose, it fails, saying that "the CA service is not running or there are replication delays" with an error message of "0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)". I have verified no replication errors on the DCs.

I migrated our Enterprise CA about a year and a half ago from a 2008 R2 DC to a 2012 R2 dedicated machine, both of which are VMs. After migration, I disabled ADCS on the old DC. The DC that hosted the CA previously was demoted on about 12/12/2016. If I view the Issued Certs, the last issued date was 12/9/2016. The last Failed Request was 12/10/2016.
I have not found any references to the old CA anywhere in ADSS. I have made sure that the objects under Public Key Services\AIA, \CDP\CA, \Certificate Authorities, \Enrollment Services, and \KRA all have the correct server name for the dNSHostName attribute (attribute does not exist in KRA), and made sure that the CA machine has Full Control permissions to each. Oddly, after adding the CA machine under Security, the "CA$" object shows up in the ACL with a user icon, not a computer icon.

The Enterprise PKI snap-in shows "An Enterprise CA cannot be located. Verify that an Enterprise CA exists in your forest and is listed in the Enrollment Services container on your domain controller". This snap-in worked after migration. The CA is listed in Enrollment Services. I have restarted ADCS many times after making changes.

Also, the computer cert on the CA machine expired last August and, of course, I cannot renew it. I attempted to back up everything so I could uninstall/reinstall ADCS, but when I attempt to back up the templates, I get a failure message of "CertUtil: -CATemplates command FAILED: 0x80070490 (WIN32: ERROR_NOT_FOUND) / CertUtil: Element not found".

Any ideas or directions would be greatly appreciated!

-tim
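The checks described above (the dNSHostName on each object under Public Key Services, and whether any template objects exist) can be scripted rather than walked by hand in ADSI Edit. This is an added example, not code from the thread; it assumes the ActiveDirectory module is available and that the expected CA FQDN is passed in as a placeholder.

```powershell
# Added example (not from the thread): enumerate the Public Key Services containers the question
# checks manually and flag any object whose dNSHostName does not match the expected CA host.
Import-Module ActiveDirectory

function Get-PkiObjectSummary {
    [CmdletBinding()]
    param(
        # Assumption: placeholder FQDN of the CA server, replace with your own
        [Parameter(Mandatory)][string]$ExpectedCaHost
    )

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiRoot  = "CN=Public Key Services,CN=Services,$configNc"

    # Same containers the question lists; KRA objects carry no dNSHostName, so they are only listed
    $containers = 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA'

    foreach ($name in $containers) {
        $base = "CN=$name,$pkiRoot"
        # CDP holds one sub-container per CA host, so search the whole subtree and drop the base itself
        $objects = Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter '(objectClass=*)' `
                                -Properties dNSHostName |
                   Where-Object { $_.DistinguishedName -ne $base }

        foreach ($o in $objects) {
            [pscustomobject]@{
                Container   = $name
                Name        = $o.Name
                Class       = $o.ObjectClass
                DnsHostName = $o.dNSHostName
                # Objects without the attribute (KRA, CDP host containers) are not treated as mismatches
                MatchesCA   = (-not $o.dNSHostName) -or ($o.dNSHostName -eq $ExpectedCaHost)
            }
        }
    }
}

function Get-PkiTemplateCount {
    # Number of pKICertificateTemplate objects in the forest; the question saw these present in AD
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    (Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' | Measure-Object).Count
}

Get-PkiObjectSummary -ExpectedCaHost 'ca01.example.internal' | Format-Table -AutoSize
"Template objects in AD: $(Get-PkiTemplateCount)"
# Templates the CA service itself will issue (the same command the question's backup attempt used)
certutil -CATemplates
```

A row with MatchesCA set to false points at an object still referencing the old host; a non-zero AD template count alongside a failing certutil -CATemplates narrows the problem to the CA service's view of AD rather than to missing template objects.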
Craig Beck

How bad would it be if you were to uninstall/reinstall the CA?
Tim Haslett

ASKER

Hi Craig,
Truthfully, I don't know. I don't think that it will be too bad, as we haven't really had any issues since the certs stopped issuing/renewing in December. We haven't utilized the CA a whole lot yet. I was just starting a project to get certs onto the devices that can benefit from them when I discovered the issue.

Since I can't back up the templates that are supposed to be available, I will lose those and have to re-issue. Will the templates that show up when I view the Cert Templates snap-in on the DC be lost when ADCS is uninstalled from the CA? We do have a few custom certs that were duplicated from the existing ones.

I am now wondering if I gain anything by bringing a new CA machine online and installing ADCS on there instead of uninstalling/reinstalling the existing CA machine. Can I have two root CA servers at one time? Can I make the existing one offline and a new one the issuing CA, then reverse the roles, then remove ADCS from the broken one, and then make the new one the root/issuing CA?

Thanks for your help!
ASKER CERTIFIED SOLUTION
Craig Beck

Okay, thanks Craig. I am going to go for it. At this point, we only need one root CA, so it shouldn't be too bad.

Wish me luck! I will let you know how it goes.
Well, I reinstalled ADCS and I can now successfully request certs from domain computers. However, the \certsrv page is not working. I get a "500 - Internal server error" from the page. At first, I was getting a 404 error and found that the Virtual Directory did not exist, so I created it to point to C:\Windows\System32\CertSrv\en-US, using pass-through authentication.

The IIS logs show "GET /certsrv/ |5|ASP_0131|Disallowed_Parent_Path 443 - %IPADDRESS% Mozilla/5.0+(Windows+NT+6.1;+Win64;+Trident/7.0;+rv:11.0)+like+Gecko - 500 0 0 0".

I am not intimately familiar with IIS, so I am not sure where to go from here. Are there more required VDs, or does something else need to be configured for this?

IIS is version 8.5. The installed Role Services are CA, CA Web Enrollment, Cert Enrollment Web Service, Cert Enrollment Policy Web Service. Each of these was uninstalled/reinstalled along with ADCS.

Any ideas here?
Never mind, I got it working. Turns out I still had to complete the post-install configuration. I had not noticed the notification icon in Server Manager. All is good now, thank you Craig!
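The ASP_0131 Disallowed_Parent_Path entry in the IIS log and the post-install configuration that resolved it can both be checked from PowerShell. This is an added diagnostic, not code from the thread; it assumes the default site name and the CertSrv application name that the Web Enrollment role creates.

```powershell
# Added diagnostic (not from the thread): report the state of the pieces behind a 500 on /certsrv.
Import-Module WebAdministration
Import-Module ServerManager

function Test-CertSrvWebEnrollment {
    [CmdletBinding()]
    param(
        # Assumption: web enrollment is bound to the default site
        [string]$SiteName = 'Default Web Site'
    )

    $state = [ordered]@{}

    # Role service present? Installed-but-unconfigured is the state the thread ended in.
    $state.WebEnrollmentRoleInstalled = (Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed

    # Post-install configuration creates /CertSrv as an IIS application, not a plain virtual directory.
    $app  = Get-WebApplication      -Site $SiteName -Name 'CertSrv' -ErrorAction SilentlyContinue
    $vdir = Get-WebVirtualDirectory -Site $SiteName -Name 'CertSrv' -ErrorAction SilentlyContinue
    $state.CertSrvIsApplication      = [bool]$app
    $state.CertSrvIsVirtualDirectory = [bool]$vdir
    $state.CertSrvPhysicalPath       = if ($app) { $app.PhysicalPath } elseif ($vdir) { $vdir.PhysicalPath } else { $null }

    # ASP_0131 Disallowed_Parent_Path: the classic ASP pages under /certsrv use "../" includes,
    # so enableParentPaths must be true on that application; the role configuration normally sets it.
    $pp = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\CertSrv" `
              -Filter 'system.webServer/asp' -Name 'enableParentPaths' -ErrorAction SilentlyContinue
    $state.ParentPathsEnabled = [bool]$pp.Value

    [pscustomobject]$state
}

Test-CertSrvWebEnrollment | Format-List
```

If the role shows as installed but CertSrvIsApplication or ParentPathsEnabled is false, the role still needs its post-install configuration; that is the Server Manager notification mentioned above, and the equivalent cmdlet is Install-AdcsWebEnrollment.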