AD CS Configuration.

We have a Server 2012 R2 Standard running as a DC in a small office of about 8 PCs running Windows 7 Pro. I needed to set up an SSTP VPN service but found that I could not obtain the self-signed certificate required for the client PC. Further investigation found that the ADCS Configuration is not complete and cannot be completed.

Visiting the Server Manager and looking at a flagged Notification, I see that there is a Post-deployment Configuration notice to 'Configure Active Directory Certificate Services on the destination server'. If I start this process I'm presented with a credentials page, which is completed just fine, so I click Next. Then Role Services has 'Certification Authority' as the only Role selected from the 6 potential Roles available - the remaining 5 can't be ticked, they appear greyed out, and I can't untick 'Certification Authority' either. The only option I have is to click Previous or Cancel, which will not help me to complete the post process.

How can I break out of this cycle whilst keeping the domain active? I'm working remotely from the site through a VNC service.

Can I remove the ADCS Role safely or will this impact the existing client logins etc.? I'm assuming it will but not 100% sure.

I have also noticed that the CertSrv site under the Default IIS webpage is not listed. I'm sure this was there not too long ago but again can't be sure. NB This accounts for being unable to access CertSrv on this server either locally or externally.

Some help in at least cleaning this position up would be welcomed.

TrevorWhite (IT Consultant) Asked:

Radhakrishnan R (Senior Technical Lead) Commented:

When you select 'Add roles' from Server Manager, you will get only the option for adding roles; this is the reason why you are unable to untick. If you select remove roles and features then you will get an option to untick. What I believe from your comment is that your ADCS role would have been partially installed but the configuration of the CA wouldn't have completed. Complete the post-installation by selecting the existing server key, which will then bring up the services and virtual directories in IIS.

Once you have done that, your CA will approve the self-signed certificates.

DrDave242 (Senior Support Engineer) Commented:

> Can I remove the ADCS Role safely or will this impact the existing client logins etc.

It sounds like the AD CS role has been installed but never configured, since you get the "Configuration required" notification in Server Manager. If this is the case, removing the role should have no adverse effect on anything.
TrevorWhite (IT Consultant) Author Commented:

Hi Radhakrishnan and DrDave
Thanks for taking time to cover this and my sincere apologies for not taking quick enough time to respond.
We do still have the issue but have been diverted to another problem - elsewhere.

I'm aware that adding and removing roles are two separate operations.
I haven't progressed to removing the role as I was uncertain if there were any dependencies (on whatever is installed).
The thing is this server has been installed (by me) for some years, but a third party has been tampering (Customer gave an application engineer the password). So I'm certain this was all set up and functioning about 2 months ago. So because of this I'm uncertain if I can remove the role (particularly remotely) with safety.

If this can be confirmed, I understand the recommended route is to remove and then reinstall the ADCS role - will this reinstate the CertSrv site in IIS ???

I'll keep a closer eye on this thread -  ;-)
DrDave242 (Senior Support Engineer) Commented:

> If this can be confirmed, I understand the recommended route is to remove and then reinstall the ADCA role - will this reinstate the CertSrv site in IIS ???

The CertSrv site is created by the Certification Authority Web Enrollment role service, and you mentioned that this role service isn't installed. That explains why the CertSrv site is missing, although there may be no way to figure out why the role service isn't currently installed, assuming it was previously.
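
A read-only way to check the points raised in DrDave242's two answers (is the role configured, and is Web Enrollment installed) before removing anything. This is an added example, not part of the original thread; `Get-AdcsState` is a hypothetical helper name and the IIS site name 'Default Web Site' is an assumption.

```powershell
# Added example: read-only AD CS inventory. Run in an elevated PowerShell session
# on the server. Get-AdcsState is a hypothetical helper name, not a built-in cmdlet.
function Get-AdcsState {
    Import-Module ServerManager

    # Installed AD CS role services (ADCS-Web-Enrollment is the one that creates CertSrv).
    $roles = Get-WindowsFeature -Name AD-Certificate, ADCS-* |
        Select-Object Name, InstallState

    # A configured CA records its name in the 'Active' value of this key;
    # if the value is absent, no CA is currently configured on this server.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $activeCa = $null
    if (Test-Path $cfgKey) {
        $activeCa = (Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue).Active
    }
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue

    # CA certificates with a private key in the machine store: candidates for
    # the "use existing key" option in the post-deployment wizard.
    $caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority
        })
    } | Select-Object Subject, Thumbprint, NotAfter

    # CertSrv application in IIS (site name 'Default Web Site' is an assumption).
    $certSrv = $null
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $certSrv = Get-WebApplication -Site 'Default Web Site' -Name 'CertSrv'
    }

    [pscustomobject]@{
        RoleServices     = $roles
        ConfiguredCaName = $activeCa
        CertSvcStatus    = if ($svc) { $svc.Status } else { 'NotPresent' }
        CaKeysInStore    = $caCerts
        CertSrvInIis     = [bool]$certSrv
    }
}

$state = Get-AdcsState
$state.RoleServices | Format-Table -AutoSize
$state | Select-Object ConfiguredCaName, CertSvcStatus, CertSrvInIis | Format-List
$state.CaKeysInStore | Format-Table -AutoSize
```

An empty ConfiguredCaName with no CA keys in the store matches the installed-but-never-configured case described in the answers.
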
TrevorWhite (IT Consultant) Author Commented:

OK That's great. I'll remove the ADCS and then reinstall as discussed and report back here when done.
Again, thanks for your time with this.

Pber (Solutions Architect) Commented:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Radhakrishnan R (https:#a42371684)
-- DrDave242 (https:#a42375756)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer