Windows 2003 Subordinate Certification Authority

ProgDev
02-23-2009, 06:41 PM
We have a Windows 2003 R1 domain with 2 domain controllers. One of the DCs
has an Enterprise Windows Certificate Authority on it. If that server goes
down then the other servers don't trust anyone and no one can log in or use
the databases. If I install a Subordinate Certification Authority Service on
the other domain controller, will it take over and keep everything going
while the other server is down? Is there anything I need to watch out for if
I do install the Subordinate?

Joson Zhou
02-24-2009, 08:51 AM
Hi ProgDev,

Thank you for posting in the newsgroup.

According to your description, I understand that there are 2 domain
controllers in the domain, and you installed the Enterprise CA role on one of
the DCs as well. You found that no one can log in to the system if the DC
(with the Enterprise CA installed) is down. If there is anything I have
misunderstood, please feel free to let me know.

What is the error message when you attempted to log on to the domain?
Are you using smart card logon?

Based on my understanding, this issue may not be CA role related. A
possible cause could be that the DC on which the Enterprise CA role is
installed is also a Global Catalog (GC) server, but the other DC is not. In a
Native-mode domain, the domain controller that is authenticating the user's
logon request needs to locate a GC in order to construct the universal
groups to which that user belongs. If a GC server cannot be located by the
domain controller, the user may be denied logon.

Please enable "Universal Group Membership Caching" and check if the issue
can be resolved. This feature allows a domain controller that is running
Windows Server 2003 to cache global group SIDs and universal group SIDs
that it retrieves from a global catalog server so that future logons do not
require contacting a global catalog server.

To enable Universal Group Membership Caching:
===========================

In Active Directory Sites and Services, if you click a site object, the
NTDS Site Settings object for the site is visible in the details pane.
Right-click the NTDS Site Settings object and then click Properties. In the
NTDS Site Settings Properties dialog box, click Enable Universal Group
Membership Caching.

For more information about the Global Catalog server, please refer to the
following article:

How the Global Catalog Works
http://technet.microsoft.com/en-us/l.../cc737410.aspx
ProgDev
02-24-2009, 12:28 PM
If I remember correctly, as it has been a while since this happened, the
error messages were something about not being able to open a trusted
connection. It affected logins, our wireless, and opening SQL databases, which
is why we thought that it must be the Certificate server.

Actually it is the other Domain Controller that has the Global Catalog, the
one that was still up. But I did enable the caching, thanks for that. We
only have the one domain, so I am thinking that it may be a good idea to make
both the Domain Controllers Global Catalog servers?

Joson Zhou
02-25-2009, 08:49 AM
Hi,

Thank you for your response.

Yes, it is recommended to make both the Domain Controllers Global Catalog
servers in a single domain environment.

Regarding the issue, is there any related event logged in the system?
Traditionally, a PKI uses a distributed method of verification so that the
clients do not have to contact the Certification Authority (CA) directly to
validate the credentials presented. Instead, clients connect to alternate
resources, such as Web servers or Lightweight Directory Access Protocol
(LDAP) directories, where the CA has published its revocation information.
As a result, the issue may not be caused by the CA being offline.

For more information:

Certificate Revocation and Status Checking
http://technet.microsoft.com/en-us/l...7027.aspx#EJAA


I suggest that you run the PKI Health Tool (pkiview.msc) utility to analyze
the health state of the PKI environment:

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/d...A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

If the CA passes all the tests, please also run the command repadmin
/showrepl to check the replication status on both Domain Controllers.
ProgDev
02-25-2009, 03:02 PM
Thanks for bearing with me. I am a part time sysadmin at a nonprofit. I do
PC Support, programming, user support and network support for 120 users and
6 servers. I don't get a lot of time to mess around with the network so
there are a lot of areas I don't have much knowledge about and the PKI stuff
is one of them.

It looks like the replication is OK.

C:\>repadmin /showrepl
repadmin running command /showrepl against server localhost
Default-First-Site-Name\FSDC1
DC Options: (none)
Site Options: IS_GROUP_CACHING_ENABLED
DC object GUID: 9e6d98fd-7e99-4983-9e8c-369ed388fb39
DC invocationID: c23340b9-64e8-4bb1-b063-a32588cb736f
==== INBOUND NEIGHBORS ======================================
DC=LifeCareAlliance,DC=org
Default-First-Site-Name\DCBACKUP2 via RPC
DC object GUID: b35b0eaf-0161-4878-a706-c3df2026043f
Last attempt @ 2009-02-25 10:39:54 was successful.
CN=Configuration,DC=LifeCareAlliance,DC=org
Default-First-Site-Name\DCBACKUP2 via RPC
DC object GUID: b35b0eaf-0161-4878-a706-c3df2026043f
Last attempt @ 2009-02-25 10:11:23 was successful.
CN=Schema,CN=Configuration,DC=LifeCareAlliance,DC=org
Default-First-Site-Name\DCBACKUP2 via RPC
DC object GUID: b35b0eaf-0161-4878-a706-c3df2026043f
Last attempt @ 2009-02-25 09:50:52 was successful.
DC=DomainDnsZones,DC=LifeCareAlliance,DC=org
Default-First-Site-Name\DCBACKUP2 via RPC
DC object GUID: b35b0eaf-0161-4878-a706-c3df2026043f
Last attempt @ 2009-02-25 09:50:53 was successful.
DC=ForestDnsZones,DC=LifeCareAlliance,DC=org
Default-First-Site-Name\DCBACKUP2 via RPC
DC object GUID: b35b0eaf-0161-4878-a706-c3df2026043f
Last attempt @ 2009-02-25 09:50:53 was successful.

This is what I get in PKI view. The Xs indicate a big red X which I am
guessing indicates big trouble.

X Enterprise PKI
LcaDcBackup2
X LifeCareCA

CA Certificate OK
AIA Location #1 OK ldap:///CN=LifeCareCA, CN=AIA,
CN=Public%20%Key%20Services ....
X AIA Location #2 Unable to Download
http://fsdc1.lifecarealliance.org/Ce...LifeCareCA.crt
CDP Location #1 OK
DeltaCRL Location #1 OK
X DeltaCRL Location #2 Unable to Download
http://fsdc1.lifecarealliance.org/Ce...ifeCareCA+.crl
X CDP Location #2 Unable to Download
http://fsdc1.lifecarealliance.org/Ce...LifeCareCA.crl

DcBackup2 is our other Domain Controller. It has a local certification
authority that I installed when I was trying to get one of our users' Windows
Mobile phones to work.

Not sure where to go from here.

Joson Zhou
02-26-2009, 09:50 AM
Hi,

Yes, the replication between the domain controllers is OK.

According to the results of pkiview, I understand that there are two AIA
and CDP locations. Location #1 (LDAP) is OK, but location #2 (HTTP) does
not work properly. That means workgroup clients may face problems when they
need to verify a certificate, but if the clients are joined to the domain,
they should work properly.

Since we do not have any information about when the issue happened, I would
like to confirm whether it is possible to reproduce the issue and collect the
following information for further research:

1. What is the exact error message when a user tries to log on to the domain
when one of the domain controllers is down? Please let us know the exact
error message. To isolate the influence of wireless, please let the user
log on to the domain via a wired client.
2. When does this issue happen? Is it when users try to log on to Windows or
try to log in to SQL Server?
3. What is the exact error when a user tries to establish a wireless
connection?
4. When this problem is reproduced, please collect MPSReport on the two domain
controllers and a problematic client:

a. Download the executable file from the following URL
http://download.microsoft.com/downlo...5-a579-30b0bd915706/MPSRPT_DirSvc.EXE

b. Run the file on the machines.
c. After the tool finishes gathering the information, copy the cab file
from the following folder:

C:\WINDOWS\MPSReports\DirSvc\cab

In addition, please ensure that DNS is installed on both domain controllers
and all the client machines are configured to use both of them for DNS name
resolution.

How to configure TCP/IP to use DNS in Windows XP
http://support.microsoft.com/kb/305553

Sincerely,
Joson Zhou
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
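The LDAP-versus-HTTP split that pkiview reported above can be checked outside the MMC. The following PowerShell is an added example, not code from this thread or from Microsoft's tooling; it assumes the CA certificate has been exported to a file (the path is a placeholder) and runs from a current Windows admin workstation that can reach the CDP/AIA web server.

```powershell
# Added example (not from the thread): list the AIA and CDP URLs embedded in a
# CA certificate and test whether each HTTP location can actually be downloaded,
# which is the per-location check pkiview.msc performs ("Unable to Download").
param(
    # Placeholder path: export the CA certificate from the CA MMC or certutil first.
    [string]$CertPath = 'C:\temp\LifeCareCA.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# The two extensions pkiview walks on the CA certificate:
# CRL Distribution Points and Authority Information Access.
# (Delta CRL locations come from the Freshest CRL extension of the base CRL,
#  so they are not covered here.)
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

$results = foreach ($ext in $cert.Extensions) {
    if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
    $kind = $oids[$ext.Oid.Value]

    # Format($true) renders the extension as multi-line text with "URL=..." entries,
    # in the same order pkiview numbers them (Location #1, #2, ...).
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    $n = 0
    foreach ($url in $urls) {
        $n++
        # LDAP locations are only reachable by domain-joined clients, which is why the
        # thread notes that domain members still validate when the HTTP location fails.
        $status = 'Not tested (LDAP: requires a domain-joined client)'
        if ($url -like 'http*') {
            try {
                $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $status = "OK ($($resp.RawContentLength) bytes)"
            } catch {
                # Mirrors pkiview's red-X state; the message shows 404 vs DNS vs timeout.
                $status = "Unable to Download: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Extension = $kind; Location = $n; Url = $url; Status = $status }
    }
}

$results | Format-Table -AutoSize
```

An HTTP location that fails here only affects clients that cannot use the LDAP path (workgroup machines, or anything reached through a firewall that blocks LDAP), which matches the diagnosis in the post above.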
ProgDev
03-04-2009, 11:53 AM
Sorry to be so long in returning. I guess things must have changed on the
network because I can't reproduce the problem now. I was able to log into a
client and run the databases no problem with this domain controller shut
down. I now have plans to put a RAID 5 array into this computer soon so I
guess I don't need to worry much about it.

Thanks.
