• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 129
  • Last Modified:

AD CS Configuration.

Hi
We have a Server 2012 R2 Standard running as a DC in a small office of about 8 PC running Windows 7 pro. I needed to set up an SSTP VPN service but found that I could not obtain the self signed certificate required for the client PC. Further investigation found that the ADCS Configuration is not complete and cannot be completed.

Visiting the Server Manager and looking at a flagged Notification I see that there is a Post-deployment Configuration notice to 'Configure Active Directory Certificate Services on the destination server' If I start this process I'm presented with a credentials page which is completed just fine so I click Next. Then Role Services has 'Certification Authority' is the only Role selected from the 6 potential Roles available - the remaining 5 can't be ticked they appear greyed out and I can't untick 'Certification Authority' either. The only option I have is to click Previous or Cancel which will not help me to complete the post process.

How can I break out of this cycle whilst keeping the domain active. I'm working remotely from the site through a VNC service.

Can I remove the ADCS Role safely or will this impact the existing client logins etc. I'm assuming it will but not 100% sure.

I have also noticed that the CertSrv site under the Default IIS webpage is not listed. I'm sure this was there not too long ago but again can't be sure. NB This accounts for being unable to access CertSrv on this server either locally or externally.

Some help in at least cleaning this position up would be welcomed.

Regards
0
TrevorWhite
Asked:
TrevorWhite
2 Solutions
 
Radhakrishnan RSenior Technical LeadCommented:
Hi,

When you select the 'Add roles' from server manager, you will get only the option for adding the roles, this is the reason why you are unable to untick. If you select remove roles and feature then you will get an option for untick. what i believe in your comment is that your ADCS role would have partially installed but the configuration of CA wouldn't complete. Complete the post installation by selecting existing server key which will then bring services and virtual directories in IIS.

Once you done that, your CA will approve the self signed certificates.
0
 
DrDave242Commented:
Can I remove the ADCS Role safely or will this impact the existing client logins etc.

It sounds like the AD CS role has been installed but never configured, since you get the "Configuration required" notification in Server Manager. If this is the case, removing the role should have no adverse effect on anything.
0
 
TrevorWhiteIT ConsultantAuthor Commented:
Hi Radhakrishnan and DrDave
Thanks for taking time to cover this and my sincere apologies fro not taking quick enough time to respond.
We do still have the issue but have been diverted to another problem - elsewhere.

I'm aware that adding and removing roles are two separate operations.
I haven't progressed to removing the role as I was uncertain if there were any dependencies (on what ever is installed)
The thing is this server has been installed (by me) for some years, but a third party has been tampering (Customer gave an application engineer the password) So I'm certain this was all setup and functioning about 2 months ago. So because of this I'm uncertain if I can remove the role (particularly remotely) with safety.

If this can be confirmed, I understand the recommended route is to remove and then reinstall the ADCA role - will this reinstate the CertSrv site in IIS ???

I'll keep a closer eye on this thread -  ;-)
Regards
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
DrDave242Commented:
If this can be confirmed, I understand the recommended route is to remove and then reinstall the ADCA role - will this reinstate the CertSrv site in IIS ???

The CertSrv site is created by the Certification Authority Web Enrollment role service, and you mentioned that this role service isn't installed. That explains why the CertSrv site is missing, although there may be no way to figure out why the role service isn't currently installed, assuming it was previously.
0
 
TrevorWhiteIT ConsultantAuthor Commented:
OK That's great. I'll remove the ADCA and then reinstall as discussed and report back her when done.
Again, thanks for your time with this.

Regards
0
 
PberSolutions ArchitectCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Radhakrishnan R (https:#a42371684)
-- DrDave242 (https:#a42375756)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now