Server 2008 R2 Add AD CA role Crashing MMC

Home Forums Server Operating Systems Windows Server 2008 / 2008 R2 Server 2008 R2 Add AD CA role Crashing MMC

This topic contains 6 replies, has 4 voices, and was last updated by  kunnu 1 year, 2 months ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts

  • emge
    Member
    #167240

    I have a Domain Controller running on Server 2008 R2. I have been attempting to add the Active Directory Certificate Services role and it keeps crashing MMC as soon as I click the check box for the AD CA role in the add roles dialog. I’ve been searching around online all day and trying a variety of solutions but so far nothing has worked. The only thing that I haven’t tried that I’ve seen suggested is copying MMC registry keys over from another working server. I haven’t done this because I don’t have access to a similarly configured domain controller to copy from right now.

    *Full disclosure – I am not an IT professional. I am an automation engineer that has been tasked with setting up and maintaining our lab network – so don’t assume I know anything. :) *

    I would much appreciate any thoughts or suggestions anyone may have.

    The server manager log shows this:
    5628: 2017-10-04 14:59:55.604 [CBS] IsCacheStillGood: True.
    5628: 2017-10-04 15:00:01.205 [Provider] System changed since last refresh: False
    5628: 2017-10-04 15:00:07.335 [CAManager] Test Initialization: CCertSrvSetup
    5628: 2017-10-04 15:00:07.413 [CAManager] Test initialization: True
    5628: 2017-10-04 15:00:08.459 [CAManager] Initialization: Creating CCertSrvSetup
    5628: 2017-10-04 15:00:08.459 [CAManager] Initialization: Initializing defaults
    5628: 2017-10-04 15:00:08.474 [CAManager] Initialization: Getting default key information
    5628: 2017-10-04 15:00:08.474 [CAManager] Initialization: Getting existing certificates
    5628: 2017-10-04 15:00:08.490 [CAManager] Error (Id=0) An exception occurred at at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.GetExistingCACertificates()
    at Microsoft.Windows.ServerManager.CertificateServer.CAManager.UpdateModel(Boolean certificateAuthorityAdded). Exception: ‘Attempted to read or write protected memory. This is often an indication that other memory is corrupt.'[/CODE]

    And when MMC crashes, the problem details dialog shows this:
    [CODE]Description:
    Stopped working

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: mmc.exe
    Problem Signature 02: 6.1.7601.23892
    Problem Signature 03: 5990c6ab
    Problem Signature 04: mscorlib
    Problem Signature 05: 2.0.0.0
    Problem Signature 06: 58e46330
    Problem Signature 07: 4227
    Problem Signature 08: a9
    Problem Signature 09: System.AccessViolationException
    OS Version: 6.1.7601.2.1.0.272.7
    Locale ID: 1033

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    C:Windowssystem32en-USerofflps.txt
    [/CODE][CODE]5628: 2017-10-04 14:59:55.604 [CBS] IsCacheStillGood: True.
    5628: 2017-10-04 15:00:01.205 [Provider] System changed since last refresh: False
    5628: 2017-10-04 15:00:07.335 [CAManager] Test Initialization: CCertSrvSetup
    5628: 2017-10-04 15:00:07.413 [CAManager] Test initialization: True
    5628: 2017-10-04 15:00:08.459 [CAManager] Initialization: Creating CCertSrvSetup
    5628: 2017-10-04 15:00:08.459 [CAManager] Initialization: Initializing defaults
    5628: 2017-10-04 15:00:08.474 [CAManager] Initialization: Getting default key information
    5628: 2017-10-04 15:00:08.474 [CAManager] Initialization: Getting existing certificates
    5628: 2017-10-04 15:00:08.490 [CAManager] Error (Id=0) An exception occurred at at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.GetExistingCACertificates()
    at Microsoft.Windows.ServerManager.CertificateServer.CAManager.UpdateModel(Boolean certificateAuthorityAdded). Exception: ‘Attempted to read or write protected memory. This is often an indication that other memory is corrupt.'[/CODE]

    And when MMC crashes, the problem details dialog shows this:
    Description:
    Stopped working

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: mmc.exe
    Problem Signature 02: 6.1.7601.23892
    Problem Signature 03: 5990c6ab
    Problem Signature 04: mscorlib
    Problem Signature 05: 2.0.0.0
    Problem Signature 06: 58e46330
    Problem Signature 07: 4227
    Problem Signature 08: a9
    Problem Signature 09: System.AccessViolationException
    OS Version: 6.1.7601.2.1.0.272.7
    Locale ID: 1033

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    C:Windowssystem32en-USerofflps.txt
    [/CODE][CODE]Description:
    Stopped working

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: mmc.exe
    Problem Signature 02: 6.1.7601.23892
    Problem Signature 03: 5990c6ab
    Problem Signature 04: mscorlib
    Problem Signature 05: 2.0.0.0
    Problem Signature 06: 58e46330
    Problem Signature 07: 4227
    Problem Signature 08: a9
    Problem Signature 09: System.AccessViolationException
    OS Version: 6.1.7601.2.1.0.272.7
    Locale ID: 1033

    Read our privacy statement online:
    http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

    If the online privacy statement is not available, please read our privacy statement offline:
    C:Windowssystem32en-USerofflps.txt
    [/CODE]


    Anonymous
    #372066

    It’s been a while since i stood up a CA, but don’t recall having any issues. The error statement tells you about an illegal memory access. Is there an antivirus install running on this DC? If so, try turning off any On-access scanning and/or Online Protection–basically anything that’s running in real time as opposed to a scheduled event like a daily scan. Worst-case, uninstall the AV product completely and try the CA standup again.


    kunnu
    Member
    #391886
    RicklesP;n514125 wrote:
    It’s been a while since i stood up a CA, but don’t recall having any issues. The error statement tells you about an illegal memory access. Is there an antivirus install running on this DC? If so, try turning off any On-access scanning and/or Online Protection–basically anything that’s running in real time as opposed to a scheduled event like a daily scan. Worst-case, uninstall the AV product completely and try the CA standup again.

    Thanks for the reply. It does have Microsoft Security Essentials running. I disabled real time protection, still had the issue. I uninstalled it, still the same. And then I rebooted, and it still persists to crash. So it doesn’t seem to be an issue with that.

    Maybe I can ask you a different question. All I am trying to do is setup a certificate authority for my vCenter lab here so I don’t get the unsecured warning and, hopefully, the stupid client integration plugin starts working properly. Is there another option I have than using this role on my domain controller for a certificate server? I’m just trying to follow along with the VMware documentation on setting this up, but I’m not very familiar with this so I don’t really know what other options I might have. Thanks again for giving me a suggestion.


    wullieb1
    Moderator
    #245675

    All you need to do is import the VMware certificate into your trusted store and that will get rid of those error messages.
    Basically all its telling you is that the certificate that is installed on the vCenter server isn’t trusted by your computer. If you trust it import it.
    Where are you getting the error message? When you open the vSphere Client or the web page?
    VMware have and article to help you with this process.
    https://kb.vmware.com/selfservice/mi…rnalId=2108294
    If your using 5.5 browse to the site in IE, click on continue when the cert prompt is given and allow the logon screen to load. Next to the address bar you should see a red shield with a cross through it. Click on this and then click on view certificate. You should then be able to install the certificate from there.


    kunnu
    Member
    #391887
    wullieb1;n514145 wrote:
    All you need to do is import the VMware certificate into your trusted store and that will get rid of those error messages.
    Basically all its telling you is that the certificate that is installed on the vCenter server isn’t trusted by your computer. If you trust it import it.
    Where are you getting the error message? When you open the vSphere Client or the web page?
    VMware have and article to help you with this process.
    https://kb.vmware.com/selfservice/mi…rnalId=2108294
    If your using 5.5 browse to the site in IE, click on continue when the cert prompt is given and allow the logon screen to load. Next to the address bar you should see a red shield with a cross through it. Click on this and then click on view certificate. You should then be able to install the certificate from there.

    I’ve tried importing and adding exceptions in IE and Chrome and Firefox, but nothing seems to change. I still get the insecure warning and have to click through to get to the actual page. Even though in IE it says that it successfully imports the certificate. The page you linked looks useful, though for some reason, I do not see the link to Download Trusted Root CA Certificates as it states I should. So I think I’ll look more into that. There’s only a couple of us that regularly interface with this vSphere installation, so if I don’t need to bother with setting up a certificate server, I’d say that’s even better.

    Thanks for the info!

    Edit: I think I just found the VMware page for creating CA Signed certificates, I guess it would help to do that first. :)

    Edit2: Well… looks like I’m back to where I started, I’m following along with this:

    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2057223

    and I get to the section of actually generating the Certificate, where I need access to a CA Certificate Authority. The first link when I search for how to find a root CA Server, is https://technet.microsoft.com/en-us/library/cc731183(v=ws.11).aspx – which is installing the AD CS role on a domain server.


    wullieb1
    Moderator
    #245676

    Where are you installing the certificate? I put mine in the Trusted Root Certificates and it works fine for me.
    By default it puts it into Other People.


    wullieb1
    Moderator
Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.