Hi Vadims,
I have two enterprise CAs in my test AD - if they are both in the running state the Get-CA command provides the following information (as expected):
__get-certificationauthority__
```
Chipeater Class 3 Primary CA PPC3P01.ppcnfoun... True Running Enterprise Subordinate CA
Chipeater Class 3 Secondary CA PPC3S01.ppcnfoun... True Running Enterprise Subordinate CA
```
However, if I stop ADCS on one of the CAs and run the Get-CA command again I get an error (rather than the CA being listed as stopped):
__get-certificationauthority__
```
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
```
I only just realised this when I started using the EnterprisePKI PowerShell script you provided - which "blows up" on me if one of the Enterprise CAs is stopped (the error which I've included a snippet of below seems to be related to the Get-CA problem).
__.\EnterprisePKI.ps1__
```
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
```
Can you advise whether it is expected that a CA with ADCS stopped would cause this kind of behaviour?
Regards, Chipeater
Comments:

Hi Vadims,

I'm not sure what is meant by a stack trace - is it just the error information that was displayed on screen? If so, here is the error when ADCS is stopped on one of the CAs:

```
PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSPKI> get-certificationauthority | format-list
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : COMException
```

Regarding the ADCS versions, I did a Get-CA format list (with ADCS running on both CAs) so you can see all the relevant information:

```
Name                 : Chipeater Class 3 Primary CA
DisplayName          : Chipeater Class 3 Primary CA
ComputerName         : C3P01.Chipeater.uk
ConfigString         : C3P01.Chipeater.uk\Chipeater Class 3 Primary CA
DistinguishedName    : CN=Chipeater Class 3 Primary CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Chipeater
Type                 : Enterprise Subordinate CA
OperatingSystem      : Microsoft Windows Server 2012 R2 Standard
IsAccessible         : True
RegistryOnline       : True
ServiceStatus        : Running
SetupStatus          : ServerInstall, SecurityUpgraded, ServerIsUptoDate
Certificate          : [Subject]
                         CN=Chipeater Class 3 Primary CA
                       [Issuer]
                         CN=Chipeater Root CA
                       [Serial Number]
                         61106757000000000003
                       [Not Before]
                         25/09/2014 14:21:00
                       [Not After]
                         25/09/2024 14:21:00
                       [Thumbprint]
                         14E5C592775BC6E2460B0E8C39DC9670A682DEA9
BaseCRL              : System.Security.Cryptography.X509Certificates.X509CRL2
DeltaCRL             :
EnrollmentServiceURI :

Name                 : Chipeater Class 3 Secondary CA
DisplayName          : Chipeater Class 3 Secondary CA
ComputerName         : C3S01.Chipeater.uk
ConfigString         : C3S01.Chipeater.uk\Chipeater Class 3 Secondary CA
DistinguishedName    : CN=Chipeater Class 3 Secondary CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Chipeater
Type                 : Enterprise Subordinate CA
OperatingSystem      : Microsoft Windows Server 2012 R2 Standard
IsAccessible         : True
RegistryOnline       : True
ServiceStatus        : Running
SetupStatus          : ServerInstall, SecurityUpgraded, ServerIsUptoDate
Certificate          : [Subject]
                         CN=Chipeater Class 3 Secondary CA
                       [Issuer]
                         CN=Chipeater Root CA
                       [Serial Number]
                         6116CB92000000000004
                       [Not Before]
                         25/09/2014 14:27:59
                       [Not After]
                         25/09/2024 14:27:59
                       [Thumbprint]
                         6BCCBF47EF6F15C0FBAF9C17FDC63428847DA99F
BaseCRL              : System.Security.Cryptography.X509Certificates.X509CRL2
DeltaCRL             :
EnrollmentServiceURI :
```

Note: I have done a very lazy anonymisation effort on the output so some of the names are messed up badly and don't make sense.

I have installed PSPKI (and am running the Get-CA command) from a Win2012 R2 member server (not one of the ADCS servers).

Regards, Chipeater
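An added example, not part of the original thread and not PSPKI code: one way to get the listing the post expects, where a stopped CA appears as a row rather than aborting the whole enumeration. It reads the enterprise CAs from the Enrollment Services container seen in the DistinguishedName output above and asks each host for its CertSvc service state. The function name `Get-EnterpriseCAStatus` is hypothetical, and the script assumes Windows PowerShell 5.1 or earlier (where `Get-Service` accepts `-ComputerName`) run from a domain-joined machine.

```powershell
# Added example (not PSPKI code). Get-EnterpriseCAStatus is a hypothetical name.
# Assumes Windows PowerShell <= 5.1 on a domain member with rights to query remote services.
function Get-EnterpriseCAStatus {
    [CmdletBinding()]
    param()

    # Locate the Enrollment Services container in the forest's configuration partition.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root     = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $searcher            = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $root
    $searcher.Filter     = '(objectClass=pKIEnrollmentService)'

    foreach ($result in $searcher.FindAll()) {
        # SearchResult property names are lower-cased by the directory API.
        $caName   = [string]$result.Properties['cn'][0]
        $hostName = [string]$result.Properties['dnshostname'][0]
        $detail   = $null

        try {
            # Query the service controller, not the CA's own RPC interface,
            # so a stopped CertSvc is reported as 'Stopped' instead of throwing.
            $svc    = Get-Service -Name CertSvc -ComputerName $hostName -ErrorAction Stop
            $status = $svc.Status.ToString()
        }
        catch {
            # Host down, firewall, or access denied: keep the row, record why.
            $status = 'Unreachable'
            $detail = $_.Exception.Message
        }

        [pscustomobject]@{
            Name          = $caName
            ComputerName  = $hostName
            ServiceStatus = $status
            Detail        = $detail
        }
    }
}

Get-EnterpriseCAStatus | Format-Table -AutoSize
```

A `Running` service state only shows that CertSvc is started; it does not confirm that the CA answers certificate requests, so availability monitoring should still pair this with an end-to-end check.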