Several days ago I worked on an interesting issue:
An Enterprise CA was running on a Hyper-V virtual machine. Because of maintenance plans, the host server was rebooted. The next day users were unable to log on to their workstations with smart cards, with the error: "A revocation check could not be performed for the certificate." Password users were unable to connect to terminal servers over RDP-TLS because of the same error.
What went wrong? There were no changes on the MS CA virtual machine. When I connected to the server I noticed that the CRL renewal had been scheduled for the time when the Hyper-V host was down (pure coincidence). As you need to know, when a Hyper-V server goes down (shutdown/restart) it freezes its virtual machines (puts them into a saved state), and when the server comes back it restores them from that saved state. While frozen, a virtual machine cannot run any scheduled task. In my case the server missed the CRL renewal time and did not try to renew the CRL afterwards (about 10 hours passed between the server reboot and the first errors). The issue can be resolved after:
After several tests I noticed another, similar issue. If the CA Exchange certificate expires while the Hyper-V host is down, key archival stops working, because there is no valid CA Exchange certificate and the CA server does not attempt to renew it until the following:
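To detect both conditions described above before users hit them, here is an added example (not from the original post) of a PowerShell check that runs on the CA itself: it reads the NextUpdate of every published CRL, re-publishes the CRL if one has lapsed, and reports the NotAfter of the CA Exchange certificate. The CertEnroll path, the use of certutil output parsing (including the assumption that `certutil -cainfo xchg` dumps the certificate with a NotAfter line) and the culture-dependent date parsing are assumptions of this example.

```powershell
# Added example, not part of the original post.
# Assumes: runs on the CA with certutil.exe available, CRLs are in the default
# CertEnroll folder, and certutil prints dates in the current culture.

$crlFolder = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$now = Get-Date

# Extract a "Label: <date>" line from certutil output and parse the date.
function Get-CertutilDate {
    param([string[]]$Lines, [string]$Label)
    $line = $Lines | Where-Object { $_ -match "^\s*$Label\s*:\s*(.+)$" } | Select-Object -First 1
    if (-not $line) { return $null }
    $raw = ($line -replace "^\s*$Label\s*:\s*", '').Trim()
    return [datetime]::Parse($raw)   # same culture certutil printed it in (assumption)
}

# 1. CRL check: a lapsed CRL is what breaks smart card logon and RDP-TLS.
$crlExpired = $false
foreach ($crl in Get-ChildItem -Path $crlFolder -Filter '*.crl') {
    $next = Get-CertutilDate -Lines (certutil.exe -dump $crl.FullName) -Label 'NextUpdate'
    if ($null -eq $next) {
        Write-Warning "Could not read NextUpdate from $($crl.Name)"
        continue
    }
    $status = 'valid'
    if ($next -lt $now) { $status = 'EXPIRED'; $crlExpired = $true }
    '{0,-40} NextUpdate {1:u}  {2}' -f $crl.Name, $next, $status
}

if ($crlExpired) {
    Write-Warning 'At least one CRL has lapsed; publishing a fresh CRL now.'
    certutil.exe -crl          # forces the CA to issue and publish a new CRL
}

# 2. CA Exchange certificate check: an expired one silently breaks key archival.
$xchgDump = certutil.exe -cainfo xchg 2>&1
$xchgNotAfter = Get-CertutilDate -Lines $xchgDump -Label 'NotAfter'
if ($null -eq $xchgNotAfter) {
    Write-Warning 'Could not read NotAfter of the CA Exchange certificate from certutil output.'
} elseif ($xchgNotAfter -lt $now) {
    Write-Warning ('CA Exchange certificate expired at {0:u}; key archival will fail.' -f $xchgNotAfter)
} else {
    'CA Exchange certificate valid until {0:u}' -f $xchgNotAfter
}
```

Run it as a scheduled task (or right after the VM comes back from a saved state) so a missed renewal is caught and corrected within minutes instead of being discovered by failing logons the next morning.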
Actually this is an internal MS CA issue, not a hypervisor issue. After a little research I chose the following workaround for Hyper-V:
When you apply these changes, the Enterprise CA virtual machines will shut down whenever the host goes down (shutdown/reboot), and when the physical server starts, these virtual machines start too.
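The same workaround, as an added example (not from the original post) applied with the Hyper-V PowerShell module available on Windows Server 2012 and later: switch the CA guest from the default saved-state behaviour to a clean shutdown on host shutdown and an automatic start on host boot, then audit the host for any other VM still set to save state. The VM name is an assumption.

```powershell
# Added example, not part of the original post.
# Assumes the Hyper-V PowerShell module (Windows Server 2012+) and an assumed VM name.

$vmName = 'ENT-CA01'   # assumed name of the Enterprise CA guest

# Host shutdown -> guest shuts down cleanly instead of being frozen;
# host boot -> guest is started again.
Set-VM -Name $vmName -AutomaticStopAction ShutDown -AutomaticStartAction Start

# Verify the change.
Get-VM -Name $vmName |
    Select-Object Name, AutomaticStopAction, AutomaticStartAction, AutomaticStartDelay

# Find every VM on this host that is still set to 'Save' (the default), the
# behaviour that let the scheduled CRL renewal be missed.
Get-VM | Where-Object { $_.AutomaticStopAction -eq 'Save' } |
    Select-Object Name, AutomaticStopAction, AutomaticStartAction
```

The ShutDown stop action relies on the guest's Integration Services shutdown component being enabled; if it is not, Hyper-V cannot ask the guest to shut down and will fall back to stopping it, so check that service inside the CA VM as well.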
HTH.