Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

I recently had the opportunity to make some infrastructure changes to my Active Directory (AD) installation.  The domain in question plays the dual role of production and test environment, so the stakes are pretty high when I make changes!  That’s certainly not advisable, but I’m sure I’m not the only one in that situation.

Anyway, in bringing up a new server and Domain Controller (DC), I also had occasion to uninstall and re-install my Certificate Authority (CA) a few times.  Let’s just say this whole thing was a great learning experience.  Here’s a summary of the educational tidbits I picked up.


Domain Controller Installation

I followed the steps in this article - http://support.microsoft.com/kb/884453/en-us - in an attempt to introduce Windows Small Business Server (SBS) into my existing domain.  The goal was to move the Global Catalog and the various Domain Controller "Master" roles to the SBS machine.  In theory, this allows replication to complete so nothing is lost, which would then allow me to safely decommission the old DC. 

It didn’t work.  It would appear that replication at least partially, if not completely, failed.  Once I started to suspect that something was wrong, I immediately tried step #11 (i.e. click Replicate Now on the secure link between the two machines, listed in the AD Sites and Services snap-in) in the above article as a sanity check.  I believe the resulting error was "RPC server not available - check your DNS."  So helpful.

The suspected cause is that I changed the network configuration settings on the old DC too early.  The challenge precipitating that change was this:  during its semi-automatic configuration process following Windows setup, SBS wants to assert itself as both a DNS and a DHCP server.  Yes, that’s good as a default.  But in an environment where the existing DC provides DNS, a separate router provides DHCP, and the new server wants to do both, I was in way over my head.  The net (pun intended) result: I recreated the domain from scratch.  Bummer. 

For what it’s worth, once I got the new DNS and DHCP services working correctly on the new SBS DC, I knew I’d done the right thing.  I verified this with a test client laptop.  In my experience, once the network stuff is working, the remaining configuration steps (e.g. User and Computer accounts) are gravy.


Certificate Authority Installation

The next challenge was that I’d allowed SBS to install a CA, but came to realize that the "Standard server SKU" version of the CA installed by the SBS package only supports V1 certificate templates.  That’s unacceptable for my testing requirements.  The standard SKU does support auto-enrollment, though - more on that later.  Fortunately, I still had access to the VMware-based Windows Advanced Server (ADS) which had hosted an Enterprise CA in the previous incarnation of my domain. 

My first step was to uninstall the SBS CA via Add/Remove Programs (ARP).  I speculated that some additional AD cleanup might be necessary, but I didn’t pursue it - more on that later.

Next, I brought up the ADS machine, disjoined and joined it to the new domain, uninstalled the CA, and re-installed the CA (again, via ARP).  As a sanity check, I opened the mmc.exe CA snap-in to confirm that the full V2 cert template support was there.  To my great dismay, there were no templates listed at all!  The problem was that I had just installed the CA component via the local administrator account, which doesn’t have rights to write the template information into AD.  Brilliant.  In my defense, the reason I’d logged in as local admin as opposed to Enterprise Admin (EA) was that I didn’t want to over-use the more powerful account.

So I again uninstalled the CA as local admin, logged on as EA, and re-installed the CA.  Now the expected templates were present.  Good!


Troubleshooting Auto-Enrollment

The final requirement was to get smart card logon working in the new domain.  To complicate matters, the new DC had auto-enrolled for a machine certificate from the standard SKU CA which no longer existed.  And for some reason, my client workstations weren’t obtaining machine certs at all.  Strangely, smart card logon had worked for a brief period, but was now failing with, "your credentials could not be verified."  So helpful.

The first thing I tried was running "gpupdate.exe /force" at the command line.  I hoped that maybe auto-enrollment would notice that the old CA was no longer present, and that pulsing Group Policy would result in enrollment against the new CA.  No such luck. 

This article - http://support.microsoft.com/?kbid=889250 - made me realize that uninstalling a CA via ARP doesn’t remove the related information in AD.  After that, it seemed natural that the old AD data was confusing auto-enrollment.  In fact, I found the steps in that article to be needlessly confusing.  The following got me un-stuck:

  1. Run "certutil.exe -dsdel <CAname>" for each dead CA, to remove the related turds from AD.  Note that CAname is not the name of the server, but of the CA itself.
  2. On the DC, via the mmc.exe Certificates snap-in, delete the machine certificate and the trusted root certificate from the dead CA. 
  3. Also on the DC, do a "gpupdate.exe /force"
  4. Wait a few minutes

Result - everything is fixed.  All of the machines now have certs and smart card logon works.  Whew!

Permalink |

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment