Active Directory Certificate Services will not start in SBS 2008
Is there a way to fix these broken certificates? In the link http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/14237324-5813-40f0-9f81-b2bd802d0da3 there are various mentions of things like CRL... very techy stuff. In my case, which is similar, I am looking for an answer that is in English. Symptoms are: when a certificate is imported or exported anywhere in my domain (GoDaddy for remote.myserver.com), it crashes the 2008 SBS server. Then when it comes back up, the certificate services won't start. Also, there is an indicator that the Belkin router is missing a port entry (I have all recommended by 3389 and 80) includes 25, 443, 1723, some others... Fix My Network says it fixes the Certificate Authority stopped error but when services are checked it is not started. The way I fixed the certificate error before was to reinstall SBS but at this point, that is overkill. Is there a way to fix these broken certificates?
December 18th, 2010 11:44am

Can you provide the exact related error messages from the event log?
http://en-us.sysadmins.lv
December 18th, 2010 12:49pm

At a different computer - will try to get to the RDC meanwhile. There were a couple... one was DCOM - says Exchange can't find the certificate that contains the domain name remote.myserver.com in the personal store on the local computer... meaning it can't support internet send with an FQDN. If the cert exists, run Enable-ExchangeCertificate -Services SMTP.

Another tidbit: I could not install the Belkin software for the router on SBS, so to get it started I installed it on a laptop. Once it was going, the SBS server took over. The laptop was getting annoying messages from the Belkin tool so I uninstalled it from the laptop.

There is a second error that says something about "the update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again. Context: Application 'Search', Catalog 'index file on the search server Search'".

And Active Directory Certificate Services did not start: "Could not load or verify the current CA certificate. mserver-myservername-CA Keyset does not exist 0x80090016".

On the Belkin router I read that 3389 does not need to be enabled so I disabled that... possibly another source of error, because when I re-enabled it the last error went away (about the CA keyset), which was my question, but now there are other problems possibly chained to this first one. At this time, the Web Server Certificate no longer shows as entered in the console. Fix My Network does not fix it, so it looks like my GoDaddy network certificate is gone. Checking the Cert MMC shows it exists in both the personal store of the computer and in the current user list. Console personal also houses GoDaddy, the domain CA and the machine CA. There is also one that was not with 2003 called WMSvc-WIN-xxxxxxxxxxx. Trusted houses two of the domain CAs (they look the same), and these two are also in the intermediates along with the GoDaddy Class 2 cert. The GoDaddy Class 2 is also in the 3rd party trusted root.

There is an RDC specific certificate in the Remote Desktop config. I notice that this seems to show up on most of the machines. The virtuals do not have these. And the error that occurs when I try to add an existing cert is:

Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: trustedcert.exe
Problem Signature 02: 6.0.5601.8524
Problem Signature 03: 4bb3c4d6
Problem Signature 04: mscorlib
Problem Signature 05: 2.0.0.0
Problem Signature 06: 4bf4c227
Problem Signature 07: 20c7
Problem Signature 08: 143
Problem Signature 09: N3CTRYE2KN3C34SGL4ZQYRBFTE4M13NB
OS Version: 6.0.6002.2.2.0.305.9
Locale ID: 1033
December 18th, 2010 1:12pm


Belkin error is: EventID 1000 Faulting application BelkinSetup.exe, version 4.0.2.16420, time stamp 0x4b8d8d1d, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0x80000001, fault offset 0x0385ad0a, process id 0x1888, application start time 0x01cb9ec81a51af52.

AD error is: EventID 100 Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. mydomain-MYRDC-CA Keyset does not exist 0x80090016 (-2146893802).

The CERT error is: EventID 12014 Microsoft Exchange couldn't find a certificate that contains the domain name remote.mydomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Send MYSERVERNAME with a FQDN parameter of remote.mydomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

While not entirely certain, it looks like a company called TrollTech was causing the errors, as the GUID for that registry entry matched the DCOM GUID error.

EventID 2024 The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again. Context: Application 'Search', Catalog 'index file on the search server Search'

It is not possible to install Belkin software on the server without the process failing.
December 18th, 2010 1:52pm
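An added diagnostic script, not from this thread or from Microsoft, that checks the two certificate conditions the Event ID 100 and 12014 entries above describe. The CA name and the FQDN are assumed from the quoted events; substitute your own.

```powershell
# Added example, not from the thread: check the two certificate conditions the
# events above describe. $caName and $fqdn are assumed values; use your own.
$caName = 'mydomain-MYRDC-CA'     # CA name quoted in the Event ID 100 entry
$fqdn   = 'remote.mydomain.com'   # connector FQDN quoted in Event ID 12014

# Describe a certificate and whether its private key can actually be opened.
# Event 100's 0x80090016 (NTE_BAD_KEYSET) means the certificate is present
# but the key container behind it is missing or not readable by this account.
function Test-CertKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $keyOpens = $false
    try {
        # Touching PrivateKey makes the CSP open the container; a missing
        # container throws the same "Keyset does not exist" error.
        $keyOpens = ($null -ne $Cert.PrivateKey)
    } catch {
        $keyOpens = $false
    }
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        KeyOpens      = $keyOpens
        NotAfter      = $Cert.NotAfter
    }
}

# Does the certificate cover $Name in its CN or in a Subject Alternative Name?
function Test-CertName {
    param($Cert, [string]$Name)
    if ($Cert.Subject -like "*CN=$Name*") { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { return ($san.Format($false) -like "*DNS Name=$Name*") }
    return $false
}

$store = Get-ChildItem Cert:\LocalMachine\My

"== CA certificate (Event ID 100 check) =="
$caCerts = $store | Where-Object { $_.Subject -like "*CN=$caName*" }
if (-not $caCerts) { "No certificate for $caName in LocalMachine\My" }
$caCerts | ForEach-Object { Test-CertKey $_ } | Format-List

"== Certificate for $fqdn (Event ID 12014 check) =="
$webCerts = $store | Where-Object { Test-CertName $_ $fqdn }
if (-not $webCerts) { "No certificate naming $fqdn in LocalMachine\My" }
$webCerts | ForEach-Object { Test-CertKey $_ } | Format-List
```

Run it in an elevated PowerShell on the SBS box: a CA entry with HasPrivateKey true but KeyOpens false is the Event 100 case, and a missing or key-less match for the FQDN is the Event 12014 case, which is what Enable-ExchangeCertificate -Services SMTP needs before it can help.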

Possibly one other item. I found my CA in the revoked list and removed it, as it seems difficult to understand why the system would revoke its own certificate. I started thinking about the removal and it occurs to me that if a certificate is reissued then the revocation will help the machine to differentiate between the new and old certificates. If I have done wrong by removing the revoked certificates, is there a way to fix this as well? I truly do not want to back up everything and then reinstall the SBS 2008 because the certificate has stopped working.
December 18th, 2010 2:11pm

On Sat, 18 Dec 2010 19:07:34 +0000, Crakdkorn wrote:

> Possibly one other item. I found my CA in the revoked list and removed it as it seems difficult to understand why the system would revoke its own certificate. I started thinking about the removal and it occurs to me that if a certificate is reissued then the revocation will help the machine to differentiate between the new and old certificates. If I have done wrong by removing the revoked certificates, is there a way to fix this as well. I truly do not want to backup everything and then reinstall the SBS 2008 because the certificate has stopped working.

Due to the fact that you're using SBS and that SBS has its own tools and procedures that aren't used by "normal" Windows Servers, I'd strongly suggest that you move this whole discussion (repost your issues) in one of the SBS specific forums. There are a lot of ways one can break SBS by using tools that would be used on a normal Windows Server.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
December 18th, 2010 2:58pm

Can you clarify how you noticed that the certificate is revoked and how you removed it from the revoked certificates?
http://en-us.sysadmins.lv
December 18th, 2010 3:20pm

Using the MMC, under revoked certificates under Intermediate Certificate Authorities... Certification Revocation List
December 18th, 2010 4:11pm

Well, worst case, it gets easier to add and remove computers when they are virtual... it boils down to snapshots, the RDC and then adding the Hyper-V back to the domain once the RDC is installed with SBS 2008. Truthfully, I have far less luck with SBS forums. Their parameters are too bound with rules that have no exceptions. It's easier just to reinstall. Would be nice to understand this better though... save me the time. I think the bigger part of the problem was removing the Belkin installation program from the laptop which, although it did not have access to the router, it definitely seems now like the install on the laptop was keeping the router happy. With SBS 2003, the web certificate was recoverable. I fear now it is less likely I will win this one, so for practical purposes I believe I am going the route of reinstalling SBS. urgh. Maybe this time around, the server will make better use of the Belkin resource.
December 18th, 2010 4:19pm


The workaround for SBS 2008 "Manually Install Certificate..." http://blogs.technet.com/b/sbs/archive/2009/12/14/how-to-manually-install-certificates-in-sbs-2008.aspx helped a bit. Because the Belkin router was installed on the laptop, after adding the 987 port to the Belkin router, instead of the setting I put in with the IP of the RDC it reset to the IP of the laptop. When I corrected that and manually entered the bindings through IIS for remote.myserver.com, the Component ID #4 appeared. The Go link ... go.microsoft.com/fwlink/?LinkID=120178 says to keep trying to install with the "Fix My Network". The real problem here is that the "Choose an installed certificate" no longer works. When that wizard runs it crashes.

------------------------------------------------------------------------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} (registry ref to the certsvr admin) to the user MYServer\serveradminst SID (S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
------------------------------------------------------------------------------

Now I wonder if the issue isn't that the server itself cannot access the Belkin router. There is no method to save the password to open the router, so it is not possible for SBS to change settings other than through a manual process (enter the password, change the physical settings and save).

One item I did notice has to do with permissions for the admin for the CLSID... I did modify it but it seems to do no good. I don't have permission to restart dcomcnfg even as the admin on the RDC, nor do I have permission to run adsiedit.msc. What's going on here?
December 18th, 2010 4:24pm
