2003 domain CA server error

  • Question

  • I raised this question before, but for various reasons the administrator closed it, and no expert offered suggestions on my follow-up replies, so I am raising it again here. I hope someone can provide an answer. Thank you!

    Environment: root domain: root.com; child domain: DG.com.local. The child domain has a CA server (this server is not a DC), and there are two DCs in the domain with no firewall between them. Many errors are now logged at scheduled times every day:

    Event Type: Error
    Event Source: CertSvc
    Event Category: None
    Event ID: 74
    Date: 2011-12-27
    Time: 20:23:52
    User: N/A
    Computer: SG-TXG-GTWY1
    Description:
    Certificate Services could not publish a Base CRL for key 3 to the following location on server sg-txg-dc2a.sangem.pri.local: ldap:///CN=MailServer(3),CN=sg-txg-gtwy1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=pri,DC=local. Directory object not found. 0x8007208d (WIN32: 8333). ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=sg-txg-gtwy1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=pri,DC=local'

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    At the same time, the DC logs the following warning:

    Event Type: Warning
    Event Source: KDC
    Event Category: None
    Event ID: 20
    Date:  2012-1-6
    Time:  16:53:02
    User:  N/A
    Computer: DC1
    Description:
    The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 14 00 00 00 13 20 09 80   ..... .?
    0008: 00 00 00 00 00 00 00 00   ........

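    I checked AIA under Public Key Services in Sites and Services; the CA computer has write permission, and pinging the domain controller's FQDN also works. When I manually Publish through Revoked Certificates, I get the error:

    CertUtil: -CRL command FAILED: 0x8007208d (WIN32: 8333)
    CertUtil: Directory object not found.

    Running the certutil -dcinfo command on the DC gives the following result: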

    0: DC1
    1: DC2A

    *** Testing DC[0]: DC1
    ** Enterprise Root Certificates for DC DC1
    Certificate 0:
    Serial Number: 0c7f5ad1f88635aa4d909b53305b0b65
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V1.1
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): bd d8 fa f6 ed d0 63 9e 6b 22 97 81 61 c3 31 43 2c 78 3a 8e

    Certificate 1:
    Serial Number: 0f9b29493c8d9cb14d686b170c4d804b
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V2.2
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 8f 79 e1 3c 59 5f db c5 47 bf f5 2b 58 b5 6a 26 9b db 8b 65

    Certificate 2:
    Serial Number: 3e49615131bc1dbd4bcb0b6653d9ce70
    Issuer: CN=mailserver, DC=DG, DC=com, DC=local
    Subject: CN=mailserver, DC=DG, DC=com, DC=local
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 55 52 58 4f 5b 4e 09 f1 b2 78 9a 79 b7 29 3b 9d 1f 52 14 ac

    Certificate 3:
    Serial Number: 62302a25d8165e9649ff77d47a3f5aee
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 44 b8 af bb 33 e9 c8 86 01 53 86 b4 8a a5 76 5c 66 cc 37 b0

    Certificate 4:
    Serial Number: 0df345c18cb89f9f47c8e204cc73557c
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V3.3
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 17 b8 e9 57 6f 4c 74 89 a2 ed 3f be ac 42 74 f5 ab a1 13 6f

    ** KDC Certificates for DC DC1
    Certificate 0:
    Serial Number: 46dbf58f0003000007fc
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=dc1.dg.com.local
    Certificate Template Name: DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Cert Hash(sha1): 84 c5 f5 9a 4e 86 da 6e f6 8e 29 9d 81 d6 3f 8b b5 46 0a 01

    1 KDC certs for DC1

    *** Testing DC[1]: DC2
    ** Enterprise Root Certificates for DC SG-TXG-DC2A
    Certificate 0:
    Serial Number: 0c7f5ad1f88635aa4d909b53305b0b65
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V1.1
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): bd d8 fa f6 ed d0 63 9e 6b 22 97 81 61 c3 31 43 2c 78 3a 8e

    Certificate 1:
    Serial Number: 0f9b29493c8d9cb14d686b170c4d804b
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V2.2
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 8f 79 e1 3c 59 5f db c5 47 bf f5 2b 58 b5 6a 26 9b db 8b 65

    Certificate 2:
    Serial Number: 3e49615131bc1dbd4bcb0b6653d9ce70
    Issuer: CN=mailserver, DC=DG, DC=com, DC=local
    Subject: CN=mailserver, DC=DG, DC=com, DC=local
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 55 52 58 4f 5b 4e 09 f1 b2 78 9a 79 b7 29 3b 9d 1f 52 14 ac

    Certificate 3:
    Serial Number: 62302a25d8165e9649ff77d47a3f5aee
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 44 b8 af bb 33 e9 c8 86 01 53 86 b4 8a a5 76 5c 66 cc 37 b0

    Certificate 4:
    Serial Number: 0df345c18cb89f9f47c8e204cc73557c
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=MailServer, DC=DG, DC=com, DC=local
    Certificate Template Name: CA
    CA Version: V3.3
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 17 b8 e9 57 6f 4c 74 89 a2 ed 3f be ac 42 74 f5 ab a1 13 6f

    ** KDC Certificates for DC DC2
    Certificate 0:
    Serial Number: 4786ebfa0003000007fd
    Issuer: CN=MailServer, DC=DG, DC=com, DC=local
    Subject: CN=dc2.com.local
    Certificate Template Name: DomainController
    Non-root Certificate
    Template: DomainController, Domain Controller
    Cert Hash(sha1): 3d 3d d1 36 70 64 ac 3f 86 cf 5c 03 d1 ef c0 9a 60 ce 2d 78

    1 KDC certs for DC2

    CertUtil: -DCInfo command completed successfully.

    January 17, 2012 7:28
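
As an added example (not part of the original thread), the Python sketch below reads the two events quoted in the question: it compares the Event 74 target DN with the server's "best match" DN to name the directory object that is absent, and decodes the Event 20 data bytes as little-endian DWORDs. The function names and the small lookup table are assumptions of this example; the code names come from winerror.h, and the first DWORD (0x14) is left uninterpreted.

```python
import re
import struct

# Constructed sample input: text copied from the two events quoted in the question.
EVENT_74 = (
    "could not publish a Base CRL for key 3 to the following location on server "
    "sg-txg-dc2a.sangem.pri.local: ldap:///CN=MailServer(3),CN=sg-txg-gtwy1,CN=CDP,"
    "CN=Public Key Services,CN=Services,CN=Configuration,DC=pri,DC=local. "
    "Directory object not found. 0x8007208d (WIN32: 8333). ldap: 0x20: 0000208D: "
    "NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'CN=sg-txg-gtwy1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,"
    "DC=pri,DC=local'"
)
EVENT_20_DATA = "14 00 00 00 13 20 09 80"

# Names from winerror.h; only the two codes that appear on this page.
KNOWN = {
    0x8007208D: "ERROR_DS_OBJ_NOT_FOUND (Win32 8333)",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
}

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def missing_rdns(event_text):
    """Return (RDNs absent from the directory, deepest DN the server did find)."""
    target = re.search(r"ldap:///(.+?DC=\w+)\.\s", event_text).group(1)
    best = re.search(r"best match of:\s*'([^']+)'", event_text).group(1)
    t, b = split_dn(target), split_dn(best)
    depth = len(t) - len(b)
    if depth < 0 or [x.lower() for x in t[depth:]] != [x.lower() for x in b]:
        raise ValueError("best match is not a suffix of the target DN")
    return t[:depth], best

def decode_dwords(hex_dump):
    """Decode the hex bytes of an event 'Data:' section as little-endian DWORDs."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))

def describe(code):
    return KNOWN.get(code, "0x%08X (not in table)" % code)

if __name__ == "__main__":
    absent, found = missing_rdns(EVENT_74)
    print("exists:", found)
    print("absent:", absent)
    for dword in decode_dwords(EVENT_20_DATA):
        print("0x%08X" % dword, describe(dword))
```

For the events on this page it reports that only the leaf CN=MailServer(3) is absent beneath the existing CN=sg-txg-gtwy1 container, and that the second Event 20 DWORD is 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).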

Answers

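  • Hello!

    Based on the information you provided, the problem you are seeing is very similar to the one described in the following KB. We suggest that you first troubleshoot by following the steps in it:

    Troubleshooting RPC Endpoint Mapper errors using the Windows Server 2003 Support Tools from the product CD

    http://support.microsoft.com/kb/839880/en-US

    I hope my answer is helpful.

    If you have any comments or suggestions about our online forum support service, please let us know by e-mail.

    January 18, 2012 9:15
    Moderator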
  • Hello!

    If your problem still persists, we suggest troubleshooting by following the steps in the article below; the error you mentioned is very similar to the one it describes:

    Event ID 20 KDC Certificate Availability

    http://technet.microsoft.com/zh-cn/library/cc733985(en-us,WS.10).aspx

    I hope my answer is helpful. If you have any further questions, please contact us again.

    February 3, 2012 1:28
    Moderator

All replies

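  • Moderator, did you give the wrong address? I read through the whole thing and it has nothing to do with my problem; mine is a CA and KDC problem, while the KB you gave is about RPC. Still, I ran the tests following the steps, and all of them Passed. Only netdiag's Modem diagnostics test failed, which is unrelated because there really isn't one. Sorry to trouble you; please take another look for me. Thank you.
    January 22, 2012 7:00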