
ca eventlog errors

microsoft.public.windows.server.security
ca eventlog errors <param 10-11-2005
Posted by <param on October 11, 2005, 8:13 am
Hi all,

I have a Stand-Alone Root CA installed on my Primary DC and even though
everything appears to be working fine, I keep getting these errors in the
Eventlog whenever I reboot the server:

Could not connect to the Active Directory. Certificate Services will retry
when processing requires Active Directory access.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



The "Windows default" Policy Module "Initialize" method returned an error.
The specified domain either does not exist or could not be contacted. The
returned status code is 0x8007054b (1355). The Active Directory containing
the Certification Authority could not be contacted.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Any Ideas?



TIA!




Posted by Steven L Umbach on October 11, 2005, 9:05 am
Since you installed it on a domain controller it would have made more sense
to be an enterprise CA as you can not take a domain controller offline which
would be one reason often a stand alone root CA is used. I have never tried
that configuration myself but in general errors contacting Active Directory
are often DNS related. Make sure that the domain controller is pointing only
to itself and/or other domain controllers by its static IP address as
preferred DNS server as shown in TCP/IP properties. Run the support tools
netdiag and dcdiag on it to see if any further problems are found. It also
could be normal for your situation in that the CA installed on that dc can
not access AD during the boot up cycle and if similar errors are not seen
otherwise while the server is up. --- Steve


> Hi all,
>
> I have a Stand-Alone Root CA installed on my Primary DC and even though
> everything appears to be working fine, I keep getting these errors in the
> Eventlog whenever I reboot the server:
>
> Could not connect to the Active Directory. Certificate Services will retry
> when processing requires Active Directory access.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> The "Windows default" Policy Module "Initialize" method returned an error.
> The specified domain either does not exist or could not be contacted. The
> returned status code is 0x8007054b (1355). The Active Directory containing
> the Certification Authority could not be contacted.
>
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Any Ideas?
>
>
>
> TIA!
>
>
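As an added illustration of the DNS check Steve describes above (this script is not from the thread), the following PowerShell lists each enabled adapter's DNS servers on a domain controller and flags any that is not the DC itself or another DC in the domain. It assumes a domain-joined Windows host where WMI and the .NET System.DirectoryServices.ActiveDirectory classes are available; the adapter descriptions and addresses it reports come from the machine it runs on.

```powershell
# Added example, not from the thread: check that a domain controller's DNS
# client settings point only at itself or other DCs by static IP address.
# Assumes a domain-joined Windows host with WMI and the .NET AD classes.

# Addresses of every DC in the current domain, looked up through AD itself.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcByAddress = @{}
foreach ($dc in $domain.DomainControllers) {
    $dcByAddress[$dc.IPAddress] = $dc.Name
}

# Enabled adapters on this host; their own addresses count as "itself".
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$localAddresses = @{}
foreach ($nic in $adapters) {
    foreach ($ip in @($nic.IPAddress)) { if ($ip) { $localAddresses[$ip] = $true } }
}

$problems = @()
foreach ($nic in $adapters) {
    if ($nic.DHCPEnabled) {
        $problems += "$($nic.Description): address is DHCP-assigned rather than static"
    }
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    if ($servers.Count -eq 0) {
        $problems += "$($nic.Description): no DNS servers configured"
        continue
    }
    foreach ($server in $servers) {
        if ($server -eq '127.0.0.1' -or $server -eq '::1') {
            # Loopback works, but Steve's advice is the DC's own static address.
            $problems += "$($nic.Description): DNS server $server is the loopback address; use the DC's static IP instead"
        } elseif ($localAddresses.ContainsKey($server)) {
            Write-Output "OK   $($nic.Description) -> $server (this host)"
        } elseif ($dcByAddress.ContainsKey($server)) {
            Write-Output "OK   $($nic.Description) -> $server ($($dcByAddress[$server]))"
        } else {
            $problems += "$($nic.Description): DNS server $server is not a domain controller in $($domain.Name)"
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "DNS client settings point only at domain controllers."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in an elevated PowerShell session on the DC that hosts the CA; if it reports problems, fix the adapter's TCP/IP settings first and then run netdiag and dcdiag from the Support Tools as Steve suggests, since the CA's "could not contact Active Directory" errors are only worth chasing further once name resolution is known to be sound.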




Posted by <param on October 11, 2005, 1:49 pm
I have only seen it on boot up. I verified DNS is correct. The reason I went
with a Stand Alone Root CA was because I am using client certificates for
some web apps hosted in IIS on some remote machines and I tried and tried
but never got an Enterprise CA-issued client and server cert to work. I
guess the errors can be safely ignored then.

thanks!


> Since you installed it on a domain controller it would have made more
> sense to be an enterprise CA as you can not take a domain controller
> offline which would be one reason often a stand alone root CA is used. I
> have never tried that configuration myself but in general errors
> contacting Active Directory are often DNS related. Make sure that the
> domain controller is pointing only to itself and/or other domain
> controllers by its static IP address as preferred DNS server as shown in
> TCP/IP properties. Run the support tools netdiag and dcdiag on it to see
> if any further problems are found. It also could be normal for your
> situation in that the CA installed on that dc can not access AD during the
> boot up cycle and if similar errors are not seen otherwise while the
> server is up. --- Steve
>
>
>> Hi all,
>>
>> I have a Stand-Alone Root CA installed on my Primary DC and even though
>> everything appears to be working fine, I keep getting these errors in the
>> Eventlog whenever I reboot the server:
>>
>> Could not connect to the Active Directory. Certificate Services will
>> retry when processing requires Active Directory access.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>>
>> The "Windows default" Policy Module "Initialize" method returned an
>> error. The specified domain either does not exist or could not be
>> contacted. The returned status code is 0x8007054b (1355). The Active
>> Directory containing the Certification Authority could not be contacted.
>>
>>
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>>
>> Any Ideas?
>>
>>
>>
>> TIA!
>>
>>
>
>




Posted by Mike Smith-Lonergan on October 18, 2005, 4:13 pm
While the error messages may not be causing showstopper issues, they do imply
that something may not work down the road (depending on how the certs you're
issuing are being used).

When the error message states "...when processing requires Active Directory
access", it implies that the CA is configured to publish something to AD
(e.g. user certificates, CRL, CA cert).

Check the CA cert and one of the issued certs to see if any of them have
fields named the following:
- CRL Distribution Point
- Authority Information Access

If any of these contain a non-http:// URL (i.e. ldap:///), this may account
for it.

The other possibility is that the CA is somehow trying to push user certs to
the Active Directory. This isn't supposed to happen unless it's an
Enterprise CA, but just to be sure, look for any additional error messages
that may give further clues as to what particular operations/information are
being attempted by the CA.

Cheers,
--
Mike Smith-Lonergan
Independent Security Consultant
http://paranoidmike.blogspot.com


"param@community.nospam" wrote:

> I have only seen it on boot up. I verified DNS is correct. The reason I went
> with a Stand Alone Root CA was because I am using client certificates for
> some web apps hosted in IIS on some remote machines and I tried and tried
> but never got an Enterprise CA-issued client and server cert to work. I
> guess the errors can be safely ignored then.
>
> thanks!
>
>
> > Since you installed it on a domain controller it would have made more
> > sense to be an enterprise CA as you can not take a domain controller
> > offline which would be one reason often a stand alone root CA is used. I
> > have never tried that configuration myself but in general errors
> > contacting Active Directory are often DNS related. Make sure that the
> > domain controller is pointing only to itself and/or other domain
> > controllers by its static IP address as preferred DNS server as shown in
> > TCP/IP properties. Run the support tools netdiag and dcdiag on it to see
> > if any further problems are found. It also could be normal for your
> > situation in that the CA installed on that dc can not access AD during the
> > boot up cycle and if similar errors are not seen otherwise while the
> > server is up. --- Steve
> >
> >
> >> Hi all,
> >>
> >> I have a Stand-Alone Root CA installed on my Primary DC and even though
> >> everything appears to be working fine, I keep getting these errors in the
> >> Eventlog whenever I reboot the server:
> >>
> >> Could not connect to the Active Directory. Certificate Services will
> >> retry when processing requires Active Directory access.
> >>
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
> >>
> >> The "Windows default" Policy Module "Initialize" method returned an
> >> error. The specified domain either does not exist or could not be
> >> contacted. The returned status code is 0x8007054b (1355). The Active
> >> Directory containing the Certification Authority could not be contacted.
> >>
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
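Mike's check, looking at the CRL Distribution Point and Authority Information Access fields of the CA certificate and an issued certificate for non-http:// URLs, can be scripted. The following PowerShell is an added example and is not code from the thread; it assumes a .cer file (DER or Base64) exported from the CA or taken from an issued certificate, passed in a parameter named $Path, and the script name Check-CertUrls.ps1 used in the usage note is likewise an assumption.

```powershell
# Added example, not from the thread: list the CRL Distribution Point and
# Authority Information Access URLs in a certificate and flag any that are
# not http(s), such as ldap:///. Assumes a .cer file (DER or Base64) exported
# from the CA or an issued certificate; the path is supplied by the caller.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# The two extensions Mike says to inspect, by OID.
$extensionNames = @{
    '2.5.29.31'         = 'CRL Distribution Point'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access'
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

$findings = @()
foreach ($ext in $cert.Extensions) {
    $name = $extensionNames[$ext.Oid.Value]
    if (-not $name) { continue }

    # Format($true) decodes the extension into the same multi-line text that
    # certutil -dump shows, e.g. "URL=http://..." and "URL=ldap:///CN=...".
    $decoded = $ext.Format($true)
    foreach ($m in [regex]::Matches($decoded, '\b[a-z][a-z0-9+.-]*://\S+', 'IgnoreCase')) {
        $url = $m.Value.TrimEnd(',', ';', ')')
        $findings += [pscustomobject]@{
            Extension = $name
            Url       = $url
            NonHttp   = ($url -notmatch '^https?://')
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No CRL Distribution Point or Authority Information Access URLs in $Path"
} else {
    $findings | Format-Table -AutoSize
    $suspect = @($findings | Where-Object { $_.NonHttp })
    if ($suspect.Count -gt 0) {
        Write-Warning ("{0} URL(s) are not http://; an ldap:/// entry here means the CA or its clients expect to reach Active Directory" -f $suspect.Count)
    }
}
```

Save it as Check-CertUrls.ps1 and run `.\Check-CertUrls.ps1 -Path .\ca.cer` against the CA certificate, then against one of the client certificates used with IIS. The certificate only shows what the CA put into certs it has already issued; what the CA is configured to publish is held in its registry settings, which `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs` print as a list of locations each prefixed by a flag number. An ldap:/// location whose flag has the 1 bit set (publish to this location) is one the service has to reach Active Directory for, which fits the startup errors in the original post.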


