Server 2008 R2 Add AD CA role Crashing MMC


  • Server 2008 R2 Add AD CA role Crashing MMC

    I have a Domain Controller running on Server 2008 R2. I have been attempting to add the Active Directory Certificate Services role and it keeps crashing MMC as soon as I click the check box for the AD CA role in the add roles dialog. I've been searching around online all day and trying a variety of solutions but so far nothing has worked. The only thing that I haven't tried that I've seen suggested is copying MMC registry keys over from another working server. I haven't done this because I don't have access to a similarly configured domain controller to copy from right now.

    *Full disclosure - I am not an IT professional. I am an automation engineer that has been tasked with setting up and maintaining our lab network - so don't assume I know anything. *

    I would much appreciate any thoughts or suggestions anyone may have.

    The server manager log shows this:
    Code:
    5628: 2017-10-04 14:59:55.604 [CBS]                       IsCacheStillGood: True.
    5628: 2017-10-04 15:00:01.205 [Provider]                  System changed since last refresh: False
    5628: 2017-10-04 15:00:07.335 [CAManager]                 Test Initialization: CCertSrvSetup
    5628: 2017-10-04 15:00:07.413 [CAManager]                 Test initialization: True
    5628: 2017-10-04 15:00:08.459 [CAManager]                 Initialization: Creating CCertSrvSetup
    5628: 2017-10-04 15:00:08.459 [CAManager]                 Initialization: Initializing defaults
    5628: 2017-10-04 15:00:08.474 [CAManager]                 Initialization: Getting default key information
    5628: 2017-10-04 15:00:08.474 [CAManager]                 Initialization: Getting existing certificates
    5628: 2017-10-04 15:00:08.490 [CAManager] Error (Id=0) An exception occurred at    at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.GetExistingCACertificates()
       at Microsoft.Windows.ServerManager.CertificateServer.CAManager.UpdateModel(Boolean certificateAuthorityAdded). Exception: 'Attempted to read or write protected memory. This is often an indication that other memory is corrupt.'
    And when MMC crashes, the problem details dialog shows this:
    Code:
    Description:
      Stopped working
    
    Problem signature:
      Problem Event Name:    CLR20r3
      Problem Signature 01:    mmc.exe
      Problem Signature 02:    6.1.7601.23892
      Problem Signature 03:    5990c6ab
      Problem Signature 04:    mscorlib
      Problem Signature 05:    2.0.0.0
      Problem Signature 06:    58e46330
      Problem Signature 07:    4227
      Problem Signature 08:    a9
      Problem Signature 09:    System.AccessViolationException
      OS Version:    6.1.7601.2.1.0.272.7
      Locale ID:    1033
    
    Read our privacy statement online:
      http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
    
    If the online privacy statement is not available, please read our privacy statement offline:
      C:\Windows\system32\en-US\erofflps.txt

  • #2
    It's been a while since I stood up a CA, but don't recall having any issues. The error statement tells you about an illegal memory access. Is there an antivirus install running on this DC? If so, try turning off any On-access scanning and/or Online Protection--basically anything that's running in real time as opposed to a scheduled event like a daily scan. Worst-case, uninstall the AV product completely and try the CA standup again.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Originally posted by RicklesP
      It's been a while since I stood up a CA, but don't recall having any issues. The error statement tells you about an illegal memory access. Is there an antivirus install running on this DC? If so, try turning off any On-access scanning and/or Online Protection--basically anything that's running in real time as opposed to a scheduled event like a daily scan. Worst-case, uninstall the AV product completely and try the CA standup again.
      Thanks for the reply. It does have Microsoft Security Essentials running. I disabled real time protection, still had the issue. I uninstalled it, still the same. And then I rebooted, and it still persists to crash. So it doesn't seem to be an issue with that.

      Maybe I can ask you a different question. All I am trying to do is set up a certificate authority for my vCenter lab here so I don't get the unsecured warning and, hopefully, the stupid client integration plugin starts working properly. Is there another option I have than using this role on my domain controller for a certificate server? I'm just trying to follow along with the VMware documentation on setting this up, but I'm not very familiar with this so I don't really know what other options I might have. Thanks again for giving me a suggestion.



      • #4
        All you need to do is import the VMware certificate into your trusted store and that will get rid of those error messages.
        Basically all it's telling you is that the certificate that is installed on the vCenter server isn't trusted by your computer. If you trust it, import it.
        Where are you getting the error message? When you open the vSphere Client or the web page?
        VMware have an article to help you with this process.
        https://kb.vmware.com/selfservice/mi...rnalId=2108294
        If you're using 5.5, browse to the site in IE, click on continue when the cert prompt is given and allow the logon screen to load. Next to the address bar you should see a red shield with a cross through it. Click on this and then click on view certificate. You should then be able to install the certificate from there.
        Last edited by wullieb1; 6th October 2017, 18:36. Reason: Added the 5.5 options



        • #5
          Originally posted by wullieb1
          All you need to do is import the VMware certificate into your trusted store and that will get rid of those error messages.
          Basically all it's telling you is that the certificate that is installed on the vCenter server isn't trusted by your computer. If you trust it, import it.
          Where are you getting the error message? When you open the vSphere Client or the web page?
          VMware have an article to help you with this process.
          https://kb.vmware.com/selfservice/mi...rnalId=2108294
          If you're using 5.5, browse to the site in IE, click on continue when the cert prompt is given and allow the logon screen to load. Next to the address bar you should see a red shield with a cross through it. Click on this and then click on view certificate. You should then be able to install the certificate from there.
          I've tried importing and adding exceptions in IE and Chrome and Firefox, but nothing seems to change. I still get the insecure warning and have to click through to get to the actual page. Even though in IE it says that it successfully imports the certificate. The page you linked looks useful, though for some reason, I do not see the link to Download Trusted Root CA Certificates as it states I should. So I think I'll look more into that. There's only a couple of us that regularly interface with this vSphere installation, so if I don't need to bother with setting up a certificate server, I'd say that's even better.

          Thanks for the info!

          Edit: I think I just found the VMware page for creating CA Signed certificates, I guess it would help to do that first.

          Edit2: Well... looks like I'm back to where I started, I'm following along with this:

          https://kb.vmware.com/selfservice/mi...rnalId=2057223

          and I get to the section of actually generating the Certificate, where I need access to a CA Certificate Authority. The first link when I search for how to find a root CA Server, is https://technet.microsoft.com/en-us/...(v=ws.11).aspx - which is installing the AD CS role on a domain server.
          Last edited by emge; 9th October 2017, 15:55.



          • #6
            Where are you installing the certificate? I put mine in the Trusted Root Certificates and it works fine for me.
            By default it puts it into Other People.


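The store placement discussed in posts #4 to #6, as an added example that is not part of any post: it imports an exported certificate into LocalMachine\Root (Trusted Root Certification Authorities) only after its thumbprint matches a value confirmed out of band, using .NET classes that work on PowerShell 2.0. The file path and thumbprint are placeholders to replace. The printed subject is there because a browser also checks the certificate's name against the address it was given.

```powershell
# Added example, not from the thread. PowerShell 2.0 compatible.
# Run from an elevated prompt on the client that shows the warning.
$CertPath           = 'C:\Temp\vcenter.cer'          # hypothetical export location
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-VCENTER>' # placeholder, obtain out of band

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Show what is about to be trusted so it can be compared with the address in the browser.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Refuse to trust a certificate whose fingerprint was not confirmed independently.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}
if ((Get-Date) -lt $cert.NotBefore -or (Get-Date) -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# LocalMachine\Root is the "Trusted Root Certification Authorities" store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        Write-Output "Already trusted: $($cert.Thumbprint)"
    } else {
        $store.Add($cert)
        Write-Output "Added to LocalMachine\Root: $($cert.Subject)"
    }
} finally {
    $store.Close()
}
```
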

            • #7
              Originally posted by wullieb1
              Where are you installing the certificate? I put mine in the Trusted Root Certificates and it works fine for me.
              By default it puts it into Other People.
              So I'm working with a vCenter Server Appliance on a local domain that I manage and own. My understanding is that I need to generate the certificates, they do not yet exist. I think this because of the VMware kb that I've been following, linked below.

              I've gotten through the first section of creating the certificate configuration files, but I'm stuck at the 'Getting the Certificates' section. As I can't install the role I need on my domain controller, I can't generate the certificates.

              Now, I'm obviously pretty clueless with this, so I have no idea if there is a simpler way for me to accomplish this or not. As I started searching and looking for info, this is what I found and it seemed like the right thing for me to do.
              This article guides you through the configuration of Certificate Authority (CA) certificates for the vCenter Server Appliance 5.5. This process addresses common



              • #8
                Try following through this

                https://thevirtualhorizon.com/2013/1...icates-part-1/



                • #9
                  Originally posted by wullieb1
                  Thanks for the link. VERY informative and I certainly feel far more educated about SSL Certificates now. Unfortunately, this still requires the use of the AD CS Role that I am still unable to install. After doing a little searching, it seems there may be an open source alternative to the MS AD CS Role that I might be able to use, but most of the posts/articles are a couple years old. So I need to check and see if this alternative is still updated and a viable alternative. Or, I guess I just need to maybe rebuild my domain controller. After a couple weeks of searching, it's not looking likely that I have a solution available to fix this one and get this role installed. So maybe I just need to read up how to properly rebuild or migrate my DC to a new server without screwing up my whole network.

                  Thanks again for trying to help me out. It's much appreciated.
                  EJBCA PKI Certificate Authority software and appliance. Setting up a scalable and flexible PKI for enterprise, government, mobile and IoT.



                  • #10
                    Well. After digging around a little more and getting a little less specific as to what my issue was, I stumbled across another forum post that suggested utilizing PowerShell to install the role with the verbose setting to get more details about the issue. But, lo and behold, PowerShell was actually able to successfully install the role. I had no idea this was an option to add or remove Windows features. So now I'm off to figure out how to configure this and hopefully generate my SSL certificates successfully.

                    Code:
                    Import-Module ServerManager
                    Get-WindowsFeature
                    Add-WindowsFeature -Name "The Feature Name" -Verbose

                    Edit: I found another page that provides more detail for my specific use of the ADCS role here, since just getting the original Role Binary installed was not the end of the story, I needed to actually configure it as well. See this second link for more info - should anyone else have the same issue I did.
                    https://social.technet.microsoft.com...owershell.aspx
                    Last edited by emge; 12th October 2017, 15:55. Reason: Added additional info and link


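The install step from post #10 with its result checked, as an added example that is not part of the original post. `ADCS-Cert-Authority` is the Server 2008 R2 feature name of the Certification Authority role service as listed by `Get-WindowsFeature`; the log path is an assumption. As the post notes, this installs the role binaries only and the CA still has to be configured afterwards.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Server 2008 R2 machine that should host the CA.
Import-Module ServerManager

$featureName = 'ADCS-Cert-Authority'                  # CA role service of AD CS
$logPath     = Join-Path $env:TEMP 'adcs-install.log' # assumed log location

$feature = Get-WindowsFeature -Name $featureName
if (-not $feature) {
    throw "Feature '$featureName' not found; check the Name column of Get-WindowsFeature."
}

if ($feature.Installed) {
    Write-Output "$featureName is already installed; nothing to do."
    return
}

# -Verbose prints each step to the console; -LogPath keeps a copy on disk
# so a failure can be examined after the session is closed.
$result = Add-WindowsFeature -Name $featureName -Verbose -LogPath $logPath

$result | Format-List Success, RestartNeeded, ExitCode

if (-not $result.Success) {
    throw "Installation of $featureName failed (ExitCode: $($result.ExitCode)). See $logPath"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning "A restart is pending before the role can be configured."
}

# Confirm the state Server Manager will now report.
Get-WindowsFeature -Name $featureName | Format-List Name, DisplayName, Installed
```
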