Certificate autoenrollment fails with RPC server is unavailable

Hi again,

Some of my work with Certification Authority (ADCS) involves enrolling certificates for many uses. Sometimes autoenrollment does not work as it should, and you get weird errors like:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from CA.domain.localDomain-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

along with some KDC certificate errors, because the domain controller does not hold a valid domain controller certificate:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

This happens when you create your CA on a Domain Controller and the "Domain Controllers" security group is missing from the "CERTSVC_DCOM_ACCESS" domain local security group. The CA's DCOM enrollment interface is only open to members of that group, so the domain controller's own enrollment request never gets through.
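As an added example (not from the original post), this PowerShell checks the CA's CERTSVC_DCOM_ACCESS group for the members it should have, adds "Domain Controllers" if it is missing, and restarts the CA service. It assumes the ActiveDirectory module (RSAT) is installed, that the CA is an enterprise CA in the same domain, and that you run it as a domain admin; the group and member names are the standard ones, not anything taken from the post.

```powershell
# Added example: verify and repair CERTSVC_DCOM_ACCESS membership.
# Assumes the ActiveDirectory module and a domain-admin session.
Import-Module ActiveDirectory

function Test-CertSvcDcomAccess {
    param(
        [string]$GroupName = 'CERTSVC_DCOM_ACCESS',
        # Domain Users / Domain Computers are the defaults on an enterprise CA;
        # Domain Controllers is the one that gets forgotten when the CA sits on a DC.
        [string[]]$RequiredMembers = @('Domain Controllers', 'Domain Computers', 'Domain Users')
    )
    $members = Get-ADGroupMember -Identity $GroupName |
               Select-Object -ExpandProperty SamAccountName
    foreach ($name in $RequiredMembers) {
        [pscustomobject]@{
            Member  = $name
            Present = ($members -contains $name)
        }
    }
}

function Repair-CertSvcDcomAccess {
    param([string]$GroupName = 'CERTSVC_DCOM_ACCESS')
    $missing = Test-CertSvcDcomAccess -GroupName $GroupName | Where-Object { -not $_.Present }
    foreach ($m in $missing) {
        Write-Host "Adding '$($m.Member)' to $GroupName"
        Add-ADGroupMember -Identity $GroupName -Members (Get-ADGroup -Identity $m.Member)
    }
    if ($missing) {
        # The CA applies its DCOM security when the service starts, so restart it.
        # The DC's own token must also pick up the new group membership: purge its
        # machine-account tickets (klist -li 0x3e7 purge) or reboot it before retesting.
        Restart-Service -Name CertSvc
    }
    return [bool]$missing
}

Test-CertSvcDcomAccess | Format-Table -AutoSize
```

After the repair, `certutil -pulse` on the domain controller triggers autoenrollment immediately instead of waiting for the next policy refresh, and `certutil -config "<server>\<CA name>" -ping` confirms the RPC/DCOM path to the CA is open before you look at the enrollment log again.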

Have a look at the following post for more autoenrollment issues and how to fix them:
http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx

The KDC error reference:
http://technet.microsoft.com/en-us/library/cc734096%28WS.10%29.aspx

Local operating system boot fails when external storage is attached

Well, the title explains this well enough,

but I'd like to share a little more.

A typical Exchange 2010 deployment based on Server 2008 R2: this time we used an IBM BladeCenter HS22 with a QLogic HBA, connecting over FC to an EMC Symmetrix storage array... okay, enough hardware talk. 🙂

The "symptom" was that after connecting the LUNs to the server and creating the partitions, the next reboot of the server was... unsuccessful. Shocked as we were, after quite a few tryouts (drivers, firmware upgrades, disable this and disable that), and when all of that failed, some searching turned up a few links, all of which seemed "close but no cigar":

Local operating system boot fails when external storage is attached – IBM System x3550 M2, x3650 M2 and BladeCenter HS22

UEFI-aware OS doesn’t boot after load defaults or deployment – IBM BladeCenter and System x

The system becomes unbootable after you add raw disks to a Windows Server 2008 R2-based computer that has EFI enabled
http://support.microsoft.com/kb/975535

First real world experiences with IBM’s x3650 M2

The last link includes a comment by "Rudi", which gave us a good idea. Let's try it again...

Well, we did! And guess what? IT WORKED.

Quick wrap up:

1) HS22 BladeCenter: the server boots from local RAID-1 SAS disks with a GUID Partition Table (GPT), using the Server 2008 R2 EFI boot loader.

2) 21 LUNs attached over FC from an EMC Symmetrix array, initialized as MBR.

Solution:

3) Make sure you initialize all drives with GPT (GUID Partition Table). That's it!
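As an added example (not from the original post), this PowerShell reports every disk's partition style and initializes any RAW disk as GPT, so you can confirm no MBR LUN is left hanging off an EFI-booted server. It assumes the Storage module cmdlets (Get-Disk/Initialize-Disk, Windows Server 2012 and later); on Server 2008 R2 the same steps are a diskpart script ("select disk N", "convert gpt").

```powershell
# Added example: audit partition styles and initialize RAW disks as GPT.
# Assumes the Storage module (Server 2012+) and an elevated session.

function Get-DiskPartitionStyleReport {
    Get-Disk | ForEach-Object {
        [pscustomobject]@{
            Number         = $_.Number
            FriendlyName   = $_.FriendlyName
            BusType        = $_.BusType          # SAS, Fibre Channel, ...
            PartitionStyle = $_.PartitionStyle   # RAW, MBR or GPT
            IsOffline      = $_.IsOffline
            IsBoot         = $_.IsBoot
        }
    }
}

function Initialize-RawDisksAsGpt {
    # Only RAW (uninitialized) disks are touched. Initialize-Disk refuses a
    # disk that already has a partition table, and converting an MBR disk
    # that holds data would mean wiping it first.
    Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | ForEach-Object {
        if ($_.IsOffline) { Set-Disk -Number $_.Number -IsOffline $false }
        Write-Host "Initializing disk $($_.Number) ($($_.FriendlyName)) as GPT"
        Initialize-Disk -Number $_.Number -PartitionStyle GPT -Confirm:$false
    }
    # Whatever is still MBR, apart from the boot disk, is what to review next.
    Get-DiskPartitionStyleReport | Where-Object { $_.PartitionStyle -eq 'MBR' -and -not $_.IsBoot }
}

Get-DiskPartitionStyleReport | Format-Table -AutoSize
```

For LUNs that were already partitioned as MBR, as in the case above, there is no in-place conversion on 2008 R2: move the data off, run diskpart `clean` on the disk and then `convert gpt`, and recreate the volumes.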

Smile 🙂

** Quick notice: to sum up the other links, if you use a non-UEFI-aware OS (basically only Server 2008 and later are UEFI-aware) you need to make sure to use the "Legacy Only" boot method.

Hope this helps; we spent quite some time on this issue.

Exchange 2007 SP2 for SBS 2008 installation tool available!

Error:
You must update your Windows Small Business Server 2008 settings both before and after you install Exchange Server 2007 Service Pack 2 (SP2). Before installing SP2 for Exchange Server 2007, read the detailed information at http://go.microsoft.com/fwlink/?LinkId=155135.

http://support.microsoft.com/?kbid=974271

At last, an installation tool for an easy install of Exchange 2007 SP2 on SBS 2008; no more "hacking" the SBS 2008 server...

Great news, enjoy!

Where did "NewSID" go? Seems Mark got the answer

Mark posted a great post about this ancient urban legend, "The Machine SID Duplication Myth".

For the record, just remember that NewSID was never the solution for imaging a computer as a template.
I'll quote some of Mark's post and leave you to read the rest on his blog...

On November 3, 2009, Sysinternals retired NewSID, a utility that changes a computer's machine Security Identifier (machine SID). I wrote NewSID in 1997 (its original name was NTSID) because the only tool available at the time for changing machine SIDs was the Microsoft Sysprep tool, and Sysprep doesn't support changing the SIDs of computers that have applications installed. A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It's therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right? At least that's been the conventional wisdom.

…I realize that the news that it's okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT's inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it's okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so Microsoft's support policy will still require cloned systems to be made unique with Sysprep.

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx
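As an added example (not from Mark's post or the original entry), this PowerShell derives the machine SID the way Mark describes it, by taking the built-in local Administrator account (RID 500 is fixed even if the account is renamed) and stripping the RID, then compares it with the SID of the account you are logged on with. For a domain logon the two prefixes differ, which is the point: what other machines see in your token is the domain SID, not the machine SID. It assumes a Windows host with WMI available.

```powershell
# Added example: machine SID = prefix of the local Administrator SID (RID 500).
# Assumes Windows PowerShell with WMI (works on 2008 R2's PowerShell 2.0).

function Get-SidPrefix([string]$Sid) {
    # Drop the RID, i.e. everything after the last '-'
    return $Sid.Substring(0, $Sid.LastIndexOf('-'))
}

function Get-MachineSid {
    # Pick the local account by RID 500 rather than by name, so a renamed
    # Administrator account still resolves.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
             Select-Object -First 1
    if (-not $admin) { throw 'Local Administrator (RID 500) not found' }
    return Get-SidPrefix $admin.SID
}

function Compare-MachineAndLogonSid {
    $machineSid = Get-MachineSid
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        MachineSid   = $machineSid
        LogonAccount = $me.Name
        LogonSid     = $me.User.Value
        # $true only for a local account; a domain account carries the domain's
        # SID prefix and never the machine SID, which is why duplicates don't matter.
        LogonIsLocal = ((Get-SidPrefix $me.User.Value) -eq $machineSid)
    }
}

Compare-MachineAndLogonSid | Format-List
```

Run it on two machines cloned from the same image without Sysprep and you will see identical MachineSid values while the domain LogonSid stays unique per account, which is the situation Mark's post says is harmless (with Sysprep still required for the other per-machine state he mentions).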

Enjoy!

Thanks, Mark, for the clarification.

Memory & Exchange x64 Technology

Well, as far as deployments go, it seems that "most" implementations are normally okay, but there are times when memory issues arise, and troubleshooting them can be a real pain...

Mostly I deal with a mail server that has no less than 16 GB of RAM in an all-in-one configuration, running 64-bit Server 2003 SP2, with extra special care taken over all drivers, updates, prerequisites and the page file configuration.

Usually, even if they run all roles plus an antivirus product, as long as backup and maintenance windows are set carefully, things go smoothly.

Yet there are times when the server has issues; while troubleshooting is necessary, of course, I'd rather go with the future spirit and just think my way up to Server 2008.
Check out the post from Mike on the Exchange Team blog; it has some great links and deeper explanations...

Server 2008 manages these issues out of the box and the applications are far more compatible. An easier life for all of us, really.

Uh, and yeah, I'm running Vista SP1.

SeSecurityPrivilege issues while running setup for Exchange 2007

So, yet another implementation of Exchange; this time I encountered the following error while installing the CAS role on the server.

Setup exited with the following error:

The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

Searching for the privilege showed that "Exchange Servers" and, more accurately in our situation, the "Domain Administrators" were not configured in the "Manage auditing and security log" user right (which is what grants SeSecurityPrivilege), because the Default Domain Policy and Default Domain Controllers Policy GPOs had been re-created and the default ones were left with their links disabled.

It's easy to check those privileges with whoami.exe (whoami /priv) from the support tools; I love that Server 2008 installs them all as dependencies!

Once we'd added Domain Administrators and Domain Exchange Servers to the policy, setup ran okay 🙂
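As an added example (not from the original post), this PowerShell does the two checks that pin down an error like the one above: whether the current process token holds SeSecurityPrivilege at all, and which accounts the effective security policy grants "Manage auditing and security log" to, resolved from SIDs to names. It assumes an elevated session on the server where setup runs (secedit needs admin) and uses only whoami and secedit, both in-box; the temp file name is the example's own choice.

```powershell
# Added example: check SeSecurityPrivilege in the token and in policy.
# Assumes an elevated Windows PowerShell session on the Exchange server.

function Test-SeSecurityPrivilege {
    # whoami /priv lists every privilege in the process token. "Disabled" still
    # means the privilege is held (setup enables it itself); absent means not held.
    $line = whoami /priv | Where-Object { $_ -match '^SeSecurityPrivilege\s' }
    return [bool]$line
}

function Get-SeSecurityPrivilegeHolders {
    # Export the effective user-rights assignment and parse the line
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1117
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right granted to nobody on this machine

    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $raw  = $e.Trim().TrimStart('*')   # entries are *SID or a plain name
        $name = $raw
        if ($raw -like 'S-1-*') {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }                    # unresolvable SID (deleted account): keep the SID
        }
        [pscustomobject]@{ Sid = $raw; Account = $name }
    }
}

"Current process holds SeSecurityPrivilege: $(Test-SeSecurityPrivilege)"
Get-SeSecurityPrivilegeHolders | Format-Table -AutoSize
```

If the group you expect (Administrators, the Exchange Servers group, or the account running setup) is missing from the holders list, add it under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage auditing and security log in the GPO that applies to that server (the Default Domain Controllers Policy on a DC), then run `gpupdate /force` and log off and on again: the privilege only lands in a token created after the right was granted, so re-running setup in the same session will fail the same way.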