Sysadmins LV
Vadims Podāns
Vadims Podāns
  • I work at
PKI Solutions
Microsoft Most Valuable Professional: Windows PowerShell
Protected by Copyscape DMCA Takedown Notice Search Tool
  • Home
  • Main blog
  • Install-ADCSCertificationAuthority issue when installing an offline certification authority

Install-ADCSCertificationAuthority issue when installing an offline certification authority

Hello again!

The problem

Recently I had a dialog with Mark B. Cooper when he reported a weird issue with Install-ADCSCertificationAuthority cmdlet. To repro this issue, prepare a new server without any network adapter (even without a loopback adapter) and run Install-AdcsCertificationAuthority cmdlet without parameters (implies default settings) and you will get:

PS C:\Users\Administrator> Install-AdcsCertificationAuthority

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "WIN-F6MCGE586LQ".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error:  The
network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
At line:1 char:1
+ Install-AdcsCertificationAuthority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupE
   xception
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAut
   hority

PS C:\Users\Administrator>

Installation succeeds without error when using Server Manager UI.

The talk

I already experienced this issue in Windows Server 2008 R2 era when developed my own Install-CertificationAuthority command. When I opened a certocm.log file, I found the following entries in the file:

114.883.949: <2015/2/24, 10:01:21>: End: CCertSrvSetup::InitializeDefaults 
114.3137.948: <2015/2/24, 10:01:21>: Begin: CCertSrvSetup::SetCASetupProperty 
114.3226.949: <2015/2/24, 10:01:21>: End: CCertSrvSetup::SetCASetupProperty 
114.5737.948: <2015/2/24, 10:01:24>: Begin: CCertSrvSetup::Install 
119.1617.0:<2015/2/24, 10:01:25>: 0x800704cf (WIN32: 1231 ERROR_NETWORK_UNREACHABLE): \\WIN-F6MCGE586LQ\CertConfig\write.tmp

due to unknown to me reasons, CA installation code (implemented in a ICertSrvSetup COM interface) attempts to write file locally via UNC path. Without having network adapter, it is hard to do and the command fails.

Workaround

I found that this issue is somehow related to either shared folder (which is deprecated, but internal code wasn’t removed) or CA database location. Eventually, I found a workaround: you need to override (even if with default values0 either, CA database or database log location folder:

Install-ADCSCertificationAuthority –DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog")

and the problem will go away.

Even though, Microsoft is aware about this issue, I don’t think this will be fixed.

Share this article:

Comments:

Post your comment:

Please, solve this little equation and enter result below. Captcha