Several days ago I worked on an interesting issue:

An Enterprise CA was running on a Hyper-V virtual machine. Because of planned maintenance the host server was rebooted. The next day users were unable to log on to their workstations with smart cards because of the error: A revocation check could not be performed for the certificate. Password users were unable to connect to terminal servers over RDP with TLS because of the same error.

What went wrong? There were no changes on the MS CA virtual machine. When I connected to the server I noticed that the CRL renewal had been scheduled for exactly the time when the Hyper-V host was down (pure coincidence). As you need to know, when a Hyper-V server goes down (shutdown/restart) it freezes its virtual machines (saves their state, a kind of "sleep"). When the host comes back it restores the virtual machines from that saved state. During this time the virtual machines cannot perform any scheduled task. In my case the CA server missed the CRL renewal time and did not try to renew the CRL afterwards (about 10 hours passed between the server reboot and the first errors). The issue is resolved after:

  • you manually re-publish the CRLs from the CertSrv.msc MMC snap-in or by running the 'certutil -CRL' command;
  • you manually restart the certsvc service or the virtual machine.

After several tests I noticed another similar issue. If the CA Exchange certificate expires while the Hyper-V host is down, key archival stops working, because there is no valid CA Exchange certificate and the CA server does not attempt to renew it until one of the following happens:

  • you type 'certutil -cainfo xchg';
  • you run the PKIView.msc MMC snap-in;
  • you manually restart the certsvc service.
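The two manual fixes above can be scripted so that a CA recovered from a saved state is checked right away. The following PowerShell script is an added example, not code from the original post: it reads the NextUpdate field of every CRL the CA has published, republishes them with 'certutil -CRL' if any has expired, and then queries the CA Exchange certificate with 'certutil -cainfo xchg' so the CA renews it if needed. It assumes it runs elevated on the CA server itself, that the CRLs are in the default CertEnroll folder, and that certutil prints dates in the current culture (all assumptions, not facts from the post).

```powershell
# Added example (not from the original post): detect an expired published CRL
# and apply the two manual fixes from the post (certutil -CRL, certutil -cainfo xchg).
# Assumptions: runs elevated on the CA server; CRLs live in the default
# CertEnroll folder; certutil -dump prints dates in the current culture.

$crlFolder = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -dump prints a "NextUpdate: <date>" line for a CRL file.
    $dump = & certutil.exe -dump $Path 2>&1
    $line = $dump | Where-Object { $_ -match '^\s*NextUpdate:\s*(.+)$' } | Select-Object -First 1
    if (-not $line) { return $null }
    $text = ([regex]::Match([string]$line, 'NextUpdate:\s*(.+)$')).Groups[1].Value.Trim()
    return [datetime]::Parse($text)
}

$expired = @()
foreach ($crl in Get-ChildItem -Path $crlFolder -Filter '*.crl' -ErrorAction SilentlyContinue) {
    $next = Get-CrlNextUpdate -Path $crl.FullName
    if ($null -eq $next) {
        Write-Warning "Could not read NextUpdate from $($crl.Name)"
        continue
    }
    Write-Host ("{0,-40} NextUpdate: {1}" -f $crl.Name, $next)
    if ($next -lt (Get-Date)) { $expired += $crl.Name }
}

if ($expired.Count -gt 0) {
    # Same effect as re-publishing from CertSrv.msc, as described in the post.
    Write-Warning ("Expired CRL(s): {0}. Republishing..." -f ($expired -join ', '))
    & certutil.exe -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -CRL returned $LASTEXITCODE" }
} else {
    Write-Host 'All published CRLs are current.'
}

# Querying the CA Exchange certificate makes the CA renew it if it has expired
# (the same trigger as running PKIView.msc, as described in the post).
& certutil.exe -cainfo xchg | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -cainfo xchg returned $LASTEXITCODE" }
```

Running this as a scheduled task with a short interval on the CA, or once from a startup script, closes the window between the host coming back and someone noticing the revocation-check failures.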

Actually this is an internal MS CA issue, not a hypervisor issue. After a little research I chose the following workaround for Hyper-V:

  1. Open the Hyper-V management MMC snap-in;
  2. Locate the virtual machine that runs the Enterprise CA role and click Settings;
  3. Scroll down to the Management node and expand it;
  4. Set Automatic start action to Always start;
  5. Set Automatic stop action to Shutdown;
  6. Save the settings and repeat these steps for all virtual machines that run the Enterprise CA role.

After you apply these changes, when the host goes down (shutdown/reboot) the Enterprise CA virtual machines will shut down too, and when the physical server starts, these virtual machines will start too.
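The same six steps can be applied from the Hyper-V PowerShell module, which is handy when several CA virtual machines or several hosts are involved. This script is an added example, not code from the original post; it runs elevated on the Hyper-V host with the Hyper-V module installed, and the name filter '*CA*' used to select the CA virtual machines is an assumption to adjust to your own naming scheme.

```powershell
# Added example (not from the original post): apply the post's workaround with
# Set-VM instead of the GUI. Runs elevated on the Hyper-V host.
# The VM name filter '*CA*' is an assumption; adjust it to your naming scheme.
$caVmNames = Get-VM | Where-Object { $_.Name -like '*CA*' } | Select-Object -ExpandProperty Name

if (-not $caVmNames) {
    Write-Warning 'No virtual machines matched the name filter; nothing changed.'
    return
}

foreach ($name in $caVmNames) {
    # GUI "Always start this virtual machine automatically" = Start
    # GUI "Shut down the guest operating system"            = ShutDown
    # The default stop action, Save, is the saved ("sleep") state that
    # makes the CA miss its scheduled CRL publication.
    Set-VM -Name $name -AutomaticStartAction Start -AutomaticStopAction ShutDown
}

# Verify the settings that now apply to the CA virtual machines.
Get-VM -Name $caVmNames |
    Select-Object Name, State, AutomaticStartAction, AutomaticStopAction, AutomaticStartDelay |
    Format-Table -AutoSize

# Flag any CA VM that is still set to Save (for example if Set-VM failed).
$stillSaving = Get-VM -Name $caVmNames | Where-Object { $_.AutomaticStopAction -eq 'Save' }
if ($stillSaving) {
    Write-Warning ("Still set to Save: {0}" -f (($stillSaving | ForEach-Object Name) -join ', '))
}
```

The verification step at the end is worth keeping in a periodic compliance check: a virtual machine restored from a template or migrated to another host can silently come back with the default Save action, which reintroduces the problem described above.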

HTH.

