Active Directory : Publish Third Party CA Certificate / Offline Standalone RootCA in Active Directory

In order to ensure that your certificate chain is valid when using an offline RootCA or a third-party RootCA, you must publish the CA certificate in Active Directory. This replicates the certificate to all machines in the domain, ensuring that the chain is valid for all clients.

To achieve this, export the certificate in DER format and then use the following command to import it into AD:

  certutil -dspublish -f file_name.cer RootCA

You can test replication by forcing a Group Policy refresh on a client; the certificate should be delivered to the client's trusted root store as part of this operation.
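As an added example (not part of the original post), the following PowerShell script checks both halves of the procedure above: that the CA certificate exists in the Certification Authorities container that certutil -dspublish writes to, and that it has arrived in the client's LocalMachine\Root store after the Group Policy refresh. It assumes the ActiveDirectory RSAT module is installed and that $CerPath points at the same DER file passed to certutil.

```powershell
# Added verification script; assumes the ActiveDirectory module (RSAT) is installed
# and the caller can read the Configuration partition of the forest.
param(
    [Parameter(Mandatory)] [string] $CerPath   # DER file used with: certutil -dspublish -f <file> RootCA
)

# Load the exported CA certificate; its thumbprint is what we match on in both stores.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb = $cert.Thumbprint
Write-Host "CA subject: $($cert.Subject)"
Write-Host "Thumbprint: $thumb"

# 1. Is the CA published in AD? The RootCA target of certutil -dspublish stores the
#    certificate in the cACertificate attribute of a certificationAuthority object under
#    the Certification Authorities container of the Configuration naming context.
Import-Module ActiveDirectory
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

$published = Get-ADObject -SearchBase $container `
                          -LDAPFilter '(objectClass=certificationAuthority)' `
                          -Properties cACertificate |
    Where-Object {
        # cACertificate is multi-valued: decode each DER blob and compare thumbprints
        $_.cACertificate | ForEach-Object {
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$_)).Thumbprint
        } | Where-Object { $_ -eq $thumb }
    }

if ($published) {
    Write-Host "Published in AD as: $($published.DistinguishedName)"
} else {
    Write-Warning "Not found under $container. Publish it with: certutil -dspublish -f $CerPath RootCA"
}

# 2. Has it reached this client? Group Policy copies AD-published roots into the
#    machine's Trusted Root Certification Authorities store.
$local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if ($local) {
    Write-Host "Present in LocalMachine\Root on $env:COMPUTERNAME"
} else {
    Write-Warning "Not yet in LocalMachine\Root on $env:COMPUTERNAME. Run 'gpupdate /force' and re-check."
}

# 3. Does the certificate verify against the local trust store? For a root this is
#    true only once the machine trusts it, so it confirms the chain will build.
Write-Host "Chain verifies on this host: $($cert.Verify())"
```

Run it once on a domain controller or admin workstation right after certutil, then again on an ordinary client after gpupdate /force to confirm both the AD object and the local store entry.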

DCOM Event ID 10016 : Removable Storage Service

HP Dataprotector requires that the Removable Storage Service be disabled on each fibre-attached host in order to stop Network Storage Routers from being flooded and Dataprotector activities from being interrupted.

After disabling this service, you will find that the following event is logged on each host in the System event log every time a backup is run:

  Event Type:    Error
  Event Source:    DCOM
  Event Category:    None
  Event ID:    10016
  Description:
  The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E579AB5F-1CC4-44B4-BED9-DE0991FF0623} to the user ECOMMERCE\svc_dpagent SID (S-1-5-21-2426429480-712720545-947854963-1642).  This security permission can be modified using the Component Services administrative tool.

To resolve this issue, perform the following steps:

  1. Start > Run > dcomcnfg 
  2. Expand Component Services > Computers > My Computer >DCOM Config
  3. Locate the ‘Removable Storage Manage’ object, right-click it and select Properties
  4. Select the Location tab and uncheck the ‘Run application on this computer’ box.
  5. Now back up and delete the following registry keys:
    1. LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{D61A27C6-8F53-11D0-BFA0-00A024151983}
    2. LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{D61A27C1-8F53-11D0-BFA0-00A024151983}
  6. Finally, reboot the affected host.

Dataprotector : Not a valid mount point => aborting.

I recently came across the following error when setting up a new DP backup for a Windows Server 2003 x64 R2 SP2 cluster:

  Volume Shadow Copy functionality could not be initialized.
  Fallback to legacy filesystem backup was not allowed. Aborting the backup.
  Not a valid mount point => aborting.

I was also presented with the following error in the Application event log on the server:

  Event Type:    Error
  Event Source:    VSS
  Event Category:    None
  Event ID:    11
  Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005]

On investigation, I installed the KB940349 VSS update (http://support.microsoft.com/kb/940349); after rebooting each host, VSS backup functionality was restored.

Windows Server 2003 : Clustering MSMQ Client

On Windows Server 2003 x64 it is possible to cluster the MSMQ Independent client (first you must install the MSMQ core via Add/Remove Programs).

Once complete, you will be able to create an MSMQ resource under a cluster group; this requires the following dependencies:

  • Network Name Resource
  • Physical Disk Resource

You will also need to grant the Network Name resource permission to Create/Delete MSMQ Configuration Objects; otherwise you will be presented with the following error in the Application event log:

Event Type:    Error
Event Source:    MSMQ Cluster Resource DLL
Event ID:    2011
Message Queuing objects cannot be created in Active Directory (Error: 0xc00e0040). Please verify your permissions and network connectivity.

This can be achieved by modifying the DACL of the Network Name resource in Active Directory.

It is important to note that when clustering MSMQ you cannot use a volume that is assigned a mount point; if you use a mount point, the MSMQ configuration will become invalid. This can be checked under the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Clustered QMs\MSMQ$[Resource Name]\Parameters\MsmqRootPath

You will also get the following event in the Application event log:

Event Type:    Error
Event Source:    MSMQ$MSMQ2
Event ID:    2096
The Message Queuing folder cannot be created.

You can configure multiple MSMQ resources on a Windows cluster; each should have its own Physical Disk and Network Name resource.