Hello again!
Recently I had a dialog with Mark B. Cooper when he reported a weird issue with Install-ADCSCertificationAuthority cmdlet. To repro this issue, prepare a new server without any network adapter (even without a loopback adapter) and run Install-AdcsCertificationAuthority cmdlet without parameters (implies default settings) and you will get:
PS C:\Users\Administrator> Install-AdcsCertificationAuthority
Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "WIN-F6MCGE586LQ".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: The
network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
At line:1 char:1
+ Install-AdcsCertificationAuthority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupE
xception
+ FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAut
hority
PS C:\Users\Administrator>
Installation succeeds without error when using Server Manager UI.
I already experienced this issue in Windows Server 2008 R2 era when developed my own Install-CertificationAuthority command. When I opened a certocm.log file, I found the following entries in the file:
114.883.949: <2015/2/24, 10:01:21>: End: CCertSrvSetup::InitializeDefaults 114.3137.948: <2015/2/24, 10:01:21>: Begin: CCertSrvSetup::SetCASetupProperty 114.3226.949: <2015/2/24, 10:01:21>: End: CCertSrvSetup::SetCASetupProperty 114.5737.948: <2015/2/24, 10:01:24>: Begin: CCertSrvSetup::Install 119.1617.0:<2015/2/24, 10:01:25>: 0x800704cf (WIN32: 1231 ERROR_NETWORK_UNREACHABLE): \\WIN-F6MCGE586LQ\CertConfig\write.tmp
due to unknown to me reasons, CA installation code (implemented in a ICertSrvSetup COM interface) attempts to write file locally via UNC path. Without having network adapter, it is hard to do and the command fails.
I found that this issue is somehow related to either shared folder (which is deprecated, but internal code wasn’t removed) or CA database location. Eventually, I found a workaround: you need to override (even if with default values0 either, CA database or database log location folder:
Install-ADCSCertificationAuthority
and the problem will go away.
Even though, Microsoft is aware about this issue, I don’t think this will be fixed.
Post your comment:
Comments: