Hi Vadims,
I have two enterprise CAs in my test AD - if they are both in the running state the Get-CA command provides the following information (as expected):
__get-certificationauthority__
Chipeater Class 3 Primary CA PPC3P01.ppcnfoun... True Running Enterprise Subordinate CA
Chipeater Class 3 Secondary CA PPC3S01.ppcnfoun... True Running Enterprise Subordinate CA
However, if I stop ADCS on one of the CAs and run the Get-CA command again I get an error (rather than the CA being listed as stopped):
__get-certificationauthority__
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
I only just realised this when I started using the EnterprisePKI PowerShell script you provided - which "blows up" on me if one of the Enterprise CAs is stopped (the error which I've included a snippet of below seems to be related to the Get-CA problem).
__.\EnterprisePKI.ps1__
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
Can you advise whether it is expected that a CA with ADCS stopped would cause this kind of behaviour?
Regards, Chipeater
Comments: Hi Vadims, Here is the output: ``` PS > $error[0].exception.innerexception.stacktrace at CERTADMINLib.CCertAdminClass.GetCAProperty(String strConfig, Int32 PropId, Int32 PropIndex, Int32 PropType, Int32 Flags) at PKI.CertificateServices.CertificateAuthority.BuildKeyMap() at PKI.CertificateServices.CertificateAuthority.initialize() at PKI.CertificateServices.CertificateAuthority.initializeFromConfigString(String computerName, String name) at PKI.CertificateServices.CertificateAuthority..ctor(String computerName, String name) at PKI.CertificateServices.CertificateAuthority.GetCA(String findType, String findValue) at CallSite.Target(Closure , CallSite , RuntimeType , String , String ) ``` I get the exact same stacktrace ouput when I run this command with both CA's ADCS running or with ADCS stopped on one CA (which results in the Get-CA error). I don't know if this sounds right? Cheers, Chipeater
I have two enterprise CAs in my test AD - if they are both in the running state the Get-CA command provides the following information (as expected):
__get-certificationauthority__
Chipeater Class 3 Primary CA PPC3P01.ppcnfoun... True Running Enterprise Subordinate CA
Chipeater Class 3 Secondary CA PPC3S01.ppcnfoun... True Running Enterprise Subordinate CA
However, if I stop ADCS on one of the CAs and run the Get-CA command again I get an error (rather than the CA being listed as stopped):
__get-certificationauthority__
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Server\Get-CertificationAuthority.ps1:14 char:20
+ "__ComputerSet" {[PKI.CertificateServices.CertificateAuthority]::GetCA("Server ...
I only just realised this when I started using the EnterprisePKI PowerShell script you provided - which "blows up" on me if one of the Enterprise CAs is stopped (the error which I've included a snippet of below seems to be related to the Get-CA problem).
__.\EnterprisePKI.ps1__
Exception calling "GetCA" with "2" argument(s): "CCertAdmin::GetCAProperty: The RPC server is unavailable. 0x800706ba
(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
Can you advise whether it is expected that a CA with ADCS stopped would cause this kind of behaviour?
Regards, Chipeater
Comments: Hi Vadims, Here is the output: ``` PS > $error[0].exception.innerexception.stacktrace at CERTADMINLib.CCertAdminClass.GetCAProperty(String strConfig, Int32 PropId, Int32 PropIndex, Int32 PropType, Int32 Flags) at PKI.CertificateServices.CertificateAuthority.BuildKeyMap() at PKI.CertificateServices.CertificateAuthority.initialize() at PKI.CertificateServices.CertificateAuthority.initializeFromConfigString(String computerName, String name) at PKI.CertificateServices.CertificateAuthority..ctor(String computerName, String name) at PKI.CertificateServices.CertificateAuthority.GetCA(String findType, String findValue) at CallSite.Target(Closure , CallSite , RuntimeType , String , String ) ``` I get the exact same stacktrace ouput when I run this command with both CA's ADCS running or with ADCS stopped on one CA (which results in the Get-CA error). I don't know if this sounds right? Cheers, Chipeater