#1
Can Someone Help with Certificates? (Windows Server Essentials 2012 R2)
Not really an employee option per se, but I need help troubleshooting a certificate issue in Essentials 2012 R2. Since about 6 months ago I have not been able to get desktops with replaced/cloned HDDs to work via Anywhere Access. Basically, in the Devices part of the Dashboard they show up as "Offline". Computers that have been in operation since before that time show up fine (i.e., "Online") and can be accessed remotely.
I have run the Anywhere Access Repair Wizard and disconnected/reconnected the desktops, but that has not helped. In one instance the desktop showed up as Online, and I was able to assign it to a User for remote access, but it reverted to "Offline" a short time later. Going through the certificate manager on the Server I can see multiple instances of certificates getting revoked, but there is no reason indicated. Also, there are a lot of certificates on the server, including a handful that appear to be related to remote access, so I am not sure how to determine which particular certificate a desktop should be receiving (my desktop is one that can be accessed remotely; I looked in the certmgr and there are three certificates there that all *could* be the correct one; I do not know if they are all needed or if only one gets accessed/used). If anyone can help me resolve this, or point me to a person who may know, I would appreciate it. We are fine paying a consultant, I just can't find anyone. It is becoming critical due to employees wanting the option to work from home due to the virus.
EDIT: The HDDs were cloned (not all at the same time) from good HDDs taken from other workstations. The cloning was by a cloning machine, vs software, and Sysprep was not used (earlier clones were all done with software, so when I got the duplicator I was not familiar with Sysprep).
__________________
David D. '87 Targa - 2021 quickly disappearing...
Last edited by BlackTalon; 03-16-2020 at 03:50 PM.
#2
Not familiar with Anywhere Access, but maybe a step in the right direction: You can compare the certificate that works on your desktop with the server to determine which is a working certificate. From certmgr on both machines, open the certificate, navigate to Details, scroll to the end for Thumbprint - that's a unique identifier for that certificate.
__________________
Kirk J. 78 911 SC euro spec 05 Audi S4 01 Audi A6 - gone... Things are made of stuff -Bill Nye
#3
Quote:
__________________
David D. '87 Targa - 2021 quickly disappearing...
#4
Instinct tells me there is something going on in the root certificate authority for the affected machines. As a troubleshooting method, perhaps do something as rudimentary as removing and re-adding the certificate authority for the certs in question on one of the unhappy machines?
I'm sure you know this...cloning HDDs causes its own pain in Windows. Can I assume some kind of SID walker was used after the clone to create a unique SID?
__________________
Tom Freeman '21 Q5 PHEV (DD, dog hauler) | '22 GR Supra (OLOA) | '93 Mustang GT (Crapcan) | '16 BMW R1200RT (Cop bike)
#5
Tom, I wish I could say 'yes' to what you are sure I know. Previous HDD cloning had been done with Clonezilla and never had an issue, but going to an external 2-dock bay with cloning capabilities was much easier. The machines were all renamed, although they were done at varying times and I do not remember if any were initially logged onto the domain before renaming. Thanks to Ken H I did some reading on sysprep and SIDs earlier today (after my initial post) and there seemed to be a lot of info indicating the SID was internal-only and was not the one the Domain uses -- but I don't know if that is true for all facets of the connection (i.e., the machines show up fine in AD and have access to all shared folders, printers, etc.).
On a typical desktop there are 3-4 certificates issued by the server/CA. Are you indicating I should delete those certificates? What is the process? Delete in certmgr, reboot the machine and log back on to the Domain? Or when rebooted will it come up no longer connected, and I will need to rerun the Connector? These are all desktops our engineers are using so I need to be careful not to screw up a machine and take someone out of service tomorrow. I appreciate your help!
__________________
David D. '87 Targa - 2021 quickly disappearing...
#6
The SIDs are internal to the clone. The Domain ID is created when a new system is added to the domain but that's in part based on the SID. So a conflict happens when a duplicate is found. The more I think about this, the less I suspect the cloning process, but good luck. I don't think you're using AD, are you?
Essentials 2012 is just that. You might need some sort of add-on capability if Essentials allows for it. gl hf
__________________
Ken '03 - boxster - Joy Toy -rolling convertible action -de-ambered -Boxster Brey-Krause Roll Bar '05 - 955s Gold - My Other / On Road / Off Road -coolant pipe by pass 08/11 -heart & short soul block replaced @50k 01/12 -cardan shafted & replaced @125k 09/16
#7
AD is running on the Server. I can get more info from that than from the Essentials Dashboard.
Someone has provided me with some info on things to try in the MMC. One big thing was the certs I had been looking at were for the User, and not the Machine. Once I logged on to a workstation as administrator and got back into the MMC and got into the Local Machine lists I saw different certs. There is one there under Remote Access, but it indicates it must be in the Trusted certs subfolder to work; I tried cutting and pasting to that folder but it didn't work. I was going to try exporting and importing, but it said the key could not be exported, which seemed like a deal killer. I'm going back to the office later tonight, and will delete that cert and try reconnecting the machine and see what happens when it generates a new one. I also went through some steps to generate a new cert, but the procedure that someone sent me had some steps that did not seem possible (the options I was supposed to pick were not present). Anyway, I feel like I am in the ballpark, but am missing a couple of small pieces of info.
__________________
David D. '87 Targa - 2021 quickly disappearing... |
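
The thumbprint comparison suggested in post #2, applied to both the per-user and the Local Machine stores distinguished in post #7, as an added example that is not from any poster in this thread. It assumes PowerShell 3.0 or later in an elevated session; the function names and CSV file names are hypothetical.

```powershell
# Added example. Assumes PowerShell 3.0+ in an elevated session on each desktop.
function Get-CertInventory {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # Build the chain so trust and revocation problems show up per certificate.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Assumption: the issuing CA's revocation list is reachable from this desktop.
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chainOk = $chain.Build($cert)
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Store         = $path
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ChainOk       = $chainOk
                ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }
        }
    }
}

# Given inventories from several desktops, list machine-store thumbprints that
# appear on more than one computer (a cloned disk carries its source's store).
function Find-SharedThumbprint {
    param([Parameter(Mandatory)][string[]]$CsvPath)
    $CsvPath | ForEach-Object { Import-Csv -Path $_ } |
        Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' } |
        Group-Object -Property Thumbprint |
        Where-Object { @($_.Group.Computer | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Name
                Computers  = (@($_.Group.Computer | Sort-Object -Unique) -join ', ')
                Subject    = $_.Group[0].Subject
            }
        }
}

# Run on each desktop, then copy the CSV files to one place (file names are examples):
$csv = Join-Path $env:TEMP ("certs-{0}.csv" -f $env:COMPUTERNAME)
Get-CertInventory | Export-Csv -Path $csv -NoTypeInformation
# Find-SharedThumbprint -CsvPath .\certs-PC01.csv, .\certs-PC02.csv
```

Comparing the CSV from a desktop that shows "Online" with one that shows "Offline" puts the issuer, expiry, private-key and chain-status columns side by side for each store.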
#8
Did you use the certreq.exe tool?
This link also shows a few steps that might help. Not 100% what you are looking for, but it seems to overlap. https://www.altaro.com/hyper-v/view-...-certificates/
__________________
78 SC, the 'Red Car'
#9
Thanks. I'll see if that tool runs on a workstation, since I seem to be unable to locate a Certificate Authority snap-in on the desktop, which brought things to a halt for me earlier tonight.
Long and short of it is I believe there are local machine certificates that may need to be deleted, and new ones generated. But unfortunately I do not fully know which ones.
__________________
David D. '87 Targa - 2021 quickly disappearing...
#10
David, have you tried to uninstall the "Windows Server 2012 essentials connector" from the new workstation and reinstall?
__________________
Dudley Aldie, VA 99 996 C4 Black/Black Areo 86 951 Graphite / Burgundy 2002 BMW 530i 2008 Volvo XC90 1995 Chev Astro (workhorse going-bald) My Garage Build