Event ID 48 — AD RMS Logging service availability

Updated: November 10, 2008

Applies To: Windows Server 2008

Active Directory Rights Management Services (AD RMS) uses Message Queuing on each server in the AD RMS cluster to send information to the logging database. This information is used to compile reports and assess how your AD RMS installation is performing.

Event Details

Product: Windows Operating System
ID: 48
Source: Active Directory Rights Management Services
Version: 6.0
Symbolic Name: MessageQueueSendFailedEvent
Message: Active Directory Rights Management Services (AD RMS) logging information could not be logged to the local message queue. Verify that the Message Queuing service is running and that the AD RMS service account has permission to write to the queue.
Parameter Reference
Context: %1
RequestId: %2
%3
%4

Resolve
Check AD RMS logging database availability

When the AD RMS Web services log information to the AD RMS logging database, they first store the message in a message queue. The AD RMS message queue then delivers the message to the AD RMS logging database. If AD RMS is not logging messages to the logging database, ensure that the AD RMS logging database is available on the network, that both the AD RMS Logging and Message Queuing services are started, and that the AD RMS service account has the appropriate rights to the AD RMS logging database. Finally, if the logging database is still not available, grant permissions to the AD RMS Service Group on the AD RMS message queue.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Check AD RMS logging database network connectivity

To check AD RMS logging database network connectivity:

  1. Log on to the AD RMS logging database server.
  2. At a command prompt on the AD RMS logging database server, type ipconfig /all. Make sure that the AD RMS logging database server has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
  3. At a command prompt on the AD RMS logging database server, type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
  4. At a command prompt on the AD RMS logging database server, type ping ip_address where ip_address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
  5. At a command prompt on the AD RMS logging database server, type ping dns_server where dns_server is the IP address for the DNS server. If there is more than one DNS server on your network, ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the AD RMS logging database server and the DNS servers.

Check that the AD RMS logging service is started

To check that the AD RMS logging service is started:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the results pane, double-click AD RMS Logging Service.
  3. Under Service status, make sure that the status is Started. If the status is not Started, click Start.
  4. Make sure Startup type is set to Automatic.
  5. Click OK.

Check that the Message Queuing service is started

To check that the Message Queuing service is started:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the results pane, double-click Message Queuing.
  3. Under Service status, make sure that the status is Started. If the status is not Started, click Start.
  4. Make sure Startup type is set to Automatic.
  5. Click OK.

Make sure the AD RMS service account has access to the AD RMS logging database

To make sure the AD RMS service account has access to the AD RMS logging database:

  1. Log on to the AD RMS logging database server.
  2. Click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  3. In the Server name box, type the name of the AD RMS logging database server, and then click Connect.
  4. Expand Databases.
  5. Expand the AD RMS logging database. By default, the name of this database is DRMS_Logging_clustername_portnumber, where clustername is the name of the AD RMS cluster and portnumber is the TCP port on which AD RMS communicates.
  6. Expand Security, and then expand Users.
  7. Make sure that the AD RMS service account is a user in the database.
  8. Right-click the AD RMS service account database user account, and then click Properties.
  9. Select the rms_service check box under Database role membership, and then click OK.

Add the AD RMS Service Group to the AD RMS message queue

To add the AD RMS service group to the AD RMS message queue:

  1. Click Start, point to Administrative Tools, and then click Server Manager.
  2. Expand Features, expand Message Queuing, and then expand Private Queues.
  3. Right-click drms_logging_clustername_portnumber, where clustername is the name of the AD RMS cluster and portnumber is the TCP port by which AD RMS clients communicate, and then click Properties.
  4. Click the Security tab.
  5. Click Add.
  6. In the Select Users or Groups dialog box, type server_name\AD RMS Service Group, where server_name is the name of the local AD RMS server, and then click OK.
  7. Select the Full Control check box in the Allow column, and then click OK.
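The procedures above (network connectivity, the two services, the service account's database role, and the queue ACL) can be run as one pass from an elevated PowerShell prompt on an AD RMS server. The following script is an added example written for this page, not code from the original article or from the AD RMS product. The cluster name, port, logging database server and service account at the top are assumptions you must replace; the database and queue names are built from them using the DRMS_Logging_clustername_portnumber / drms_logging_clustername_portnumber pattern described above (use the cluster name exactly as it appears in the existing database name in SQL Server Management Studio). The SQL instance is assumed to be a default instance on TCP 1433.

```powershell
# Added example (not from the original article): one-pass health check of the
# AD RMS logging path. All values below are assumptions; replace them.
$ClusterName     = "rms_contoso_com"      # assumed: cluster name as used in the DB/queue names
$ClusterPort     = 80                     # assumed: port the AD RMS Web services listen on
$LoggingDbServer = "sqllog01"             # assumed: AD RMS logging database server
$ServiceAccount  = "CONTOSO\svc-adrms"    # assumed: AD RMS service account
$LoggingDb = "DRMS_Logging_" + $ClusterName + "_" + $ClusterPort
$QueuePath = '.\private$\drms_logging_' + $ClusterName + '_' + $ClusterPort

function Test-AdRmsNetwork {
    # Steps 1-5 of the connectivity check, in script form: ICMP reachability of the
    # logging server plus a TCP connect to the SQL port (assumed default instance, 1433).
    $icmp = Test-Connection -ComputerName $LoggingDbServer -Count 2 -Quiet -ErrorAction SilentlyContinue
    $tcp = $false
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($LoggingDbServer, 1433)
        $tcp = $client.Connected
        $client.Close()
    } catch { $tcp = $false }
    "Network: ICMP=$icmp SQL(1433)=$tcp"
}

function Test-AdRmsServices {
    # Both services must be Running and set to start automatically.
    foreach ($name in "AD RMS Logging Service", "Message Queuing") {
        $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
        if ($svc -eq $null) { "Service '$name': NOT INSTALLED"; continue }
        $ok = ($svc.State -eq "Running") -and ($svc.StartMode -eq "Auto")
        "Service '$name': State=$($svc.State) StartMode=$($svc.StartMode) OK=$ok"
    }
}

function Test-AdRmsQueue {
    # The private queue must exist; messages piling up in it mean the logging
    # service is not draining it into the database.
    [void][Reflection.Assembly]::LoadWithPartialName("System.Messaging")
    if (-not [System.Messaging.MessageQueue]::Exists($QueuePath)) { "Queue $($QueuePath): MISSING"; return }
    $q = New-Object System.Messaging.MessageQueue $QueuePath
    $backlog = @($q.GetAllMessages()).Count
    "Queue $($QueuePath): exists, $backlog message(s) waiting"
    if ($backlog -gt 0) { "  Messages are accumulating; the logging service is not delivering them." }
}

function Grant-AdRmsQueueAccess {
    # Step 7 of the last procedure: Full Control for the local AD RMS Service Group.
    # Run only after the checks confirm the queue ACL is the problem.
    [void][Reflection.Assembly]::LoadWithPartialName("System.Messaging")
    $q = New-Object System.Messaging.MessageQueue $QueuePath
    $q.SetPermissions("$env:COMPUTERNAME\AD RMS Service Group",
        [System.Messaging.MessageQueueAccessRights]::FullControl)
}

function Test-AdRmsDbAccess {
    # Steps 7-9 of the database check: is the service account a database user and a
    # member of rms_service? Connects with the caller's Windows identity.
    $sql = @"
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = @acct
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$LoggingDbServer;Database=$LoggingDb;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.Parameters.AddWithValue("@acct", $ServiceAccount)
        $roles = @()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $roles += $rdr.GetString(0) }
        $rdr.Close()
        if ($roles -contains "rms_service") { "Database: $ServiceAccount is a member of rms_service" }
        else { "Database: $ServiceAccount roles = [$($roles -join ', ')]; rms_service missing or user absent" }
    } catch { "Database: connection or query failed: $($_.Exception.Message)" }
    finally { $conn.Close() }
}

Test-AdRmsNetwork
Test-AdRmsServices
Test-AdRmsQueue
Test-AdRmsDbAccess
# Grant-AdRmsQueueAccess
```

Run the four Test- functions first and fix whatever they report in the order the article gives; the Grant- function is left commented out because it changes the queue ACL and is the last resort the article describes, not a first step.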

Check AD RMS logging database server performance

If the AD RMS logging database server is exhibiting signs of deadlock, ensure that the logging database server is performing acceptably and that it is not overloaded. If necessary, archive logging data that is out of date, or consider upgrading the logging database server hardware.

Verify

To perform this procedure, you must be a member of the System Administrators database role, or you must have been delegated the appropriate authority.

To verify that the AD RMS logging database is working correctly:

  1. Log on to the AD RMS logging database server.
  2. Click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  3. In the Server name box, type the name of the AD RMS logging database server, and then click Connect.
  4. Expand Databases, and then click the AD RMS configuration database. By default, the name of this database is DRMS_Logging_clustername_portnumber, where clustername is the name of the AD RMS cluster and portnumber is the TCP port on which the AD RMS Web services listen for requests.
  5. Click New Query.
  6. Type select * from drms_clusterpolicies, and then click Execute.

Related Management Information

AD RMS Logging service availability

Active Directory Rights Management Services

Related:

Event ID 44 — Terminal Services License Server Database Availability

Updated: January 5, 2012

Applies To: Windows Server 2008

When the Terminal Services Licensing (TS Licensing) role service is installed, a database is created in which to hold information about the Terminal Services client access licenses (TS CALs) that are installed onto the license server.

The location of the TS Licensing database can be specified during the TS Licensing role service installation. The database location must be a local folder on the computer on which the TS Licensing role service is being installed. By default, the TS Licensing database is located in the %systemroot%\system32\lserver folder. You can confirm the location of the TS Licensing database by using Review Configuration in the TS Licensing Manager tool.

Event Details

Product: Windows Operating System
ID: 44
Source: Microsoft-Windows-TerminalServices-Licensing
Version: 6.0
Symbolic Name: TLS_E_DBGENERAL
Message: The following general database error has occurred: “%1!s!”

Resolve
Check database folder permissions and reinstall the TS CALs

To resolve this issue, do the following:

  • Assign the appropriate permissions to the TS Licensing database folder on the Terminal Services license server.
  • Reinstall the Terminal Services client access licenses (TS CALs) onto the license server.

If the issue persists after assigning the appropriate permissions and reinstalling the TS CALs, rebuild the TS Licensing database on the license server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Locate the TS Licensing database

By default, the TS Licensing database is located in the %systemroot%\system32\lserver folder (where %systemroot% is the folder in which the operating system is installed, which is, by default, c:\windows).

To confirm the location of the TS Licensing database:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click All Servers, click the name of the license server, and then on the Action menu, click Review Configuration.
  4. The database location is listed at the top of the Configuration dialog box.

Assign permissions to the TS Licensing database folder

To assign permissions to the database folder:

  1. On the license server, use Windows Explorer to navigate to the folder containing the TS Licensing database.
  2. Right-click the folder, and then click Properties.
  3. On the Security tab, click Advanced.
  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  5. Click either Add or Edit to change the permissions. SYSTEM, NETWORK SERVICE, Administrators, and TermServLicensing should each have Full Control permissions and those permissions must apply to This folder, subfolders and files.

    Note:  To add TermServLicensing, ensure that the computer name is listed in From this location, and then in the Enter the object name to select box, type NT Service\TermServLicensing.

  6. When you are finished assigning the correct permissions, click OK.

Reinstall the TS CALs onto the license server

Note:  The automatic TS CAL installation method requires Internet connectivity from the computer running the TS Licensing Manager tool. Internet connectivity is not required from the license server itself. This method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse. You can also install TS CALs onto the license server by using a Web browser or by using the telephone. For more information about these installation methods, see “Install Terminal Services Client Access Licenses” in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=101643).

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To reinstall the TS CALs:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Ensure that the connection method for the license server is set to Automatic connection (recommended) by right-clicking the license server on which you want to install TS CALs, and then clicking Properties. On the Connection Method tab, change the connection method if necessary, and then click OK.
  4. Right-click the license server on which you want to install the TS CALs, and then click Install Licenses. The Install Licenses Wizard starts.
  5. Click Next.
  6. On the License Program page, select the appropriate program through which you purchased your TS CALs, and then click Next.
  7. The License Program that you selected on the previous page in the wizard will determine what information you will need to provide on this page. In most cases, you will have to provide either a license code or an agreement number. Consult the documentation provided when you purchased your TS CALs.
  8. After you have entered the required information, click Next.
  9. On the Product Version and License Type page, select the appropriate product version, license type, and quantity of TS CALs for your environment based on your TS CAL purchase agreement, and then click Next.
  10. The Microsoft Clearinghouse is automatically contacted and processes your request. The TS CALs are then automatically installed onto the license server.
  11. To complete the process, click Finish. The license server can now issue TS CALs to clients that connect to a terminal server.

If the issue persists after assigning the appropriate permissions and reinstalling the TS CALs, rebuild the TS Licensing database on the license server.

Rebuild the TS Licensing database on the license server

To rebuild the TS Licensing database, locate the TS Licensing database, and then do the following:

  • Stop the Terminal Services Licensing service.
  • Rename the folder that contains the TS Licensing database.
  • Create a new folder for the TS Licensing database.
  • Start the Terminal Services Licensing service.

After the TS Licensing database is rebuilt, reinstall the Terminal Services client access licenses (TS CALs) onto the license server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Locate the TS Licensing database

By default, the TS Licensing database is located in the %systemroot%\system32\lserver folder (where %systemroot% is the folder in which the operating system is installed, which is, by default, c:\windows).

To confirm the location of the TS Licensing database:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click All Servers, click the name of the license server, and then on the Action menu, click Review Configuration.
  4. The database location is listed at the top of the Configuration dialog box.

Rebuild the TS Licensing database

To rebuild the TS Licensing database:

  1. On the license server, close TS Licensing Manager if it is open.
  2. On the license server, open the Services snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. In the Services pane, right-click Terminal Services Licensing, and then click Properties.
  5. Under Service status, click Stop.
  6. Confirm that the Services Status is listed as Stopped, and then click OK to close the Terminal Services Licensing Properties dialog box.
  7. On the license server, use Windows Explorer to navigate to the folder containing the TS Licensing database.
  8. Right-click the folder, click Rename, type lserverold, and then press ENTER.
  9. On the File menu, point to New, and then click Folder.
  10. Type the original name of the TS Licensing database folder (for example, lserver), and then press ENTER.
  11. Open the Services snap-in.
  12. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  13. In the Services pane, right-click Terminal Services Licensing, and then click Properties.
  14. Under Service status, click Start.
  15. Confirm that the Services Status is listed as Started, and then click OK to close the Terminal Services Licensing Properties dialog box.

Reinstall the Terminal Services client access licenses (TS CALs) by using the telephone method

When you call the Microsoft Clearinghouse to reinstall the TS CALs onto the license server, ensure that your License Purchase Agreement information is readily available.

To reinstall TS CALs by using the telephone method:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click All Servers, click the name of the license server, and then on the View menu, click Properties.
  4. On the Connection Method tab, in the Connection method list, select Telephone.
  5. In the Select Country or Region list, select the appropriate country/region.
  6. Click OK to close the Properties dialog box.
  7. Right-click the license server, and then click Install Licenses.
  8. Click Next.
  9. On the Obtain client license key pack page, use the telephone number that is displayed to call the Microsoft Clearinghouse, and give the representative your Terminal Services license server ID and the required information for the licensing program through which you purchased your TS CALs. The representative then processes your request to install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to as the license key pack ID.

    Important:  Retain a copy of the license key pack ID. Having this information with you will facilitate communications with the Microsoft Clearinghouse should you need assistance with recovering TS CALs.

  10. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the license key pack ID provided by the representative into the boxes provided, and then click Next. The TS CALs are installed onto the license server.
  11. To complete the process, click Finish. The license server can now issue TS CALs to clients that connect to a terminal server.

Verify

To verify the location of the TS Licensing database, use Review Configuration in the TS Licensing Manager tool. By default, the TS Licensing database is located in the %systemroot%\system32\lserver folder (where %systemroot% is the folder in which the operating system is installed, which is, by default, c:\windows).

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To verify the location of the database folder:

  1. On the license server, open TS Licensing Manager. To open TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click All Servers, click the name of the license server, and then on the Action menu, click Review Configuration.
  4. The database location is listed at the top of the Configuration dialog box.

Use Windows Explorer to navigate to the folder containing the TS Licensing database to confirm its existence and that it contains the tslic.edb file.

Related Management Information

Terminal Services License Server Database Availability

Terminal Services

Related:

Event ID 35 — AD CS Online Responder Service

Updated: November 27, 2007

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 35
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_E_CACONFIG_INSTALL_ENROLLMENT_RESPONSE_FAILED
Message: Online Responder Service: For configuration %1, failed to install the enrollment response for the signing certificate template %2.%3(%4)

Resolve
Submit an enrollment request for a properly configured signing certificate

To resolve this problem:

  • Follow the procedure in the “Enroll manually for an OCSP Response Signing certificate” section.
  • If enrollment for an OCSP Response Signing certificate was successful but the certificate cannot be used by the Online Responder service, complete the procedure in the “Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE” section.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Enroll manually for an OCSP Response Signing certificate

To manually enroll for an OCSP Response Signing certificate:

  1. Click Start, type mmc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the Computer account check box, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. Double-click Personal, and then double-click Certificates.
  7. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.
  8. Use the wizard to complete the enrollment process.

Note: The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment. If the OCSP Response Signing certificate template was configured for autoenrollment, you can use the same procedure but open the Certificates snap-in for the Online Responder service account rather than the computer account.

If the certificate enrollment process fails, then it may be that:

  • There is a problem connecting to the CA. Confirm that the computer on which the Online Responder service is running can connect to a CA.
  • The OCSP Response Signing certificate template has not been configured with Read and Enroll permissions for the computer account on which the Online Responder has been installed. Open the Certificate Templates snap-in, right-click the OCSP Response Signing certificate template, click Properties, and then click the Security tab to confirm that the computer running the Online Responder has these permissions.
  • The OCSP Response Signing certificate template has not been properly configured for use by the CA. Click Start, point to Administrative Tools, and click Certification Authority on the CA, and click the Certificate Templates container to confirm that it contains the OCSP Response Signing template.

Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE

To ensure that the private key for the OCSP Response Signing certificate is accessible to NETWORK SERVICE:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and click Add.
  4. Click Computer account, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. In the console tree, double-click Certificates, double-click Personal, and click Certificates.
  7. In the details pane, click OCSP Response Signing.
  8. On the Actions menu, point to All Tasks, and click Manage Private Keys.
  9. Click Add, type NETWORK SERVICE, and then click OK.
  10. Ensure that only the Read permission is allowed for NETWORK SERVICE, and then click OK.
  11. Restart the Online Responder service.

If the OCSP Response Signing certificate is not valid for signature purposes, enroll for a certificate that includes the id-kp-OCSPSigning enhanced key usage, labeled OCSP Signing (1.3.6.1.5.5.7.3.9).

If the error persists, check the event log on the CA for any other events related to enrollment failures. For more information, see Troubleshooting: AD CS – Certificate Request (Enrollment) Processing (http://go.microsoft.com/fwlink/?LinkId=104210).

Resolve any issues related to processing requests for OCSP Response Signing certificates, and then restart the Online Responder service to attempt the request again.
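The conditions the two procedures above establish (a signing certificate with the OCSP Signing EKU 1.3.6.1.5.5.7.3.9 and a private key, Read access for NETWORK SERVICE on that key, and a running Online Responder service) can be audited from PowerShell before restarting the service. This script is an added example for this page, not code from the original article or from AD CS. It assumes the signing certificate uses an RSA CSP key whose file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and uses OCSPSvc as the Online Responder service name.

```powershell
# Added example (not from the original article): audit the OCSP Response Signing
# certificate, its private-key ACL, and the Online Responder service state.
$OcspSigningOid = "1.3.6.1.5.5.7.3.9"                       # id-kp-OCSPSigning, from the article
$MachineKeys = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"   # assumed CSP key location
$ReadBit  = [int][System.Security.AccessControl.FileSystemRights]::Read
$WriteBit = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-OcspSigningCertificate {
    # Candidates: in the computer's Personal store, unexpired, with a private key
    # and an Enhanced Key Usage extension that lists OCSP Signing.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (@($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | Where-Object { $_.Value -eq $OcspSigningOid } }).Count -gt 0)
    }
}

function Test-OcspKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Step 10 of the second procedure: NETWORK SERVICE should have Read, and only Read.
    try { $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
    catch { return "Key for $($Cert.Thumbprint) not readable by this session: $($_.Exception.Message)" }
    if (-not $container) { return "Key for $($Cert.Thumbprint) is not a CSP key; inspect it with certutil -store My" }
    $keyFile = Join-Path $MachineKeys $container
    if (-not (Test-Path $keyFile)) { return "Key file for $($Cert.Thumbprint) not found under MachineKeys" }
    $rules = @((Get-Acl $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq "NT AUTHORITY\NETWORK SERVICE" -and $_.AccessControlType -eq "Allow" })
    if ($rules.Count -eq 0) { return "NETWORK SERVICE has no access to the key; grant Read via Manage Private Keys" }
    $hasRead  = @($rules | Where-Object { ([int]$_.FileSystemRights -band $ReadBit)  -ne 0 }).Count -gt 0
    $hasWrite = @($rules | Where-Object { ([int]$_.FileSystemRights -band $WriteBit) -ne 0 }).Count -gt 0
    if ($hasRead -and -not $hasWrite) { return "OK: NETWORK SERVICE has Read (only) on the key for $($Cert.Thumbprint)" }
    if ($hasWrite) { return "NETWORK SERVICE has more than Read on the key for $($Cert.Thumbprint); reduce to Read" }
    return "NETWORK SERVICE lacks Read on the key for $($Cert.Thumbprint)"
}

function Test-OnlineResponder {
    $certs = @(Get-OcspSigningCertificate)
    if ($certs.Count -eq 0) {
        "No valid certificate with the OCSP Signing EKU ($OcspSigningOid) in LocalMachine\My; enroll for one"
    } else {
        foreach ($c in $certs) {
            "Signing certificate: $($c.Subject) expires $($c.NotAfter) thumbprint $($c.Thumbprint)"
            Test-OcspKeyAccess -Cert $c
        }
    }
    $svc = Get-Service -Name OCSPSvc -ErrorAction SilentlyContinue
    if ($svc -eq $null) { "Online Responder service (OCSPSvc) is not installed" }
    else { "Online Responder service state: $($svc.Status)" }
}

Test-OnlineResponder
```

If the key check reports a non-CSP key, the file-ACL test does not apply; use Manage Private Keys in the Certificates snap-in as the article describes and confirm the result with certutil -store My.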

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
  6. Open a command prompt window.
  7. Type certutil -url exportedcert.cer and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.
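Steps 5 to 8 above export a certificate and retrieve its revocation data through the certutil -url dialog. The following PowerShell is an added example for this page, not code from the original article: it does the export from the command line and then runs certutil with -verify -urlfetch, which performs the same retrieval without the dialog and prints the OCSP and CDP results as text. The line filtering assumes certutil's English output and is only an approximation of the dialog's From OCSP / From CDP view.

```powershell
# Added example (not from the original article): export the newest Personal
# certificate and check which revocation source certutil used for it.
function Export-NewestPersonalCertificate {
    param(
        [string]$StoreLocation = "CurrentUser",                       # or LocalMachine for a computer certificate
        [string]$OutFile = (Join-Path $env:TEMP "exportedcert.cer")   # assumed output path
    )
    $cert = Get-ChildItem "Cert:\$StoreLocation\My" | Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificates in Cert:\$StoreLocation\My" }
    # DER export of the public certificate only (same as the wizard's .cer output).
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    return $OutFile
}

function Get-RevocationCheckSummary {
    param([string]$CertFile)
    # certutil -verify -urlfetch fetches AIA, CDP and OCSP URLs and reports each.
    $lines = & certutil.exe -verify -urlfetch $CertFile 2>&1 | Out-String -Stream
    $ocsp = @($lines | Where-Object { $_ -match "OCSP" })
    $cdp  = @($lines | Where-Object { $_ -match "CDP|CRL" })
    $result = @($lines | Where-Object { $_ -match "revocation" })
    "--- OCSP lines ---";       $ocsp
    "--- CDP / CRL lines ---";  $cdp
    "--- revocation result ---"; $result
    # Assumption-based interpretation: with the CDP extension removed from the issuing CA,
    # the OCSP section should show a verified response and no CRL should be retrievable.
}

$file = Export-NewestPersonalCertificate
Get-RevocationCheckSummary -CertFile $file
```

Read the raw certutil output if the summary is ambiguous; the keyword filter is deliberately loose so that it does not hide a failed fetch.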

Related Management Information

AD CS Online Responder Service

Active Directory Certificate Services

Related:

Event ID 34 — AD CS Online Responder Service

Updated: November 27, 2007

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 34
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_E_CACONFIG_SUBMIT_ENROLLMENT_REQUEST_FAILED
Message: Online Responder Service: For configuration %1, an error occurred while submitting the enrollment request to the certification authority %2.%3(%4)

Resolve
Submit an enrollment request for a properly configured signing certificate

To resolve this problem:

  • Follow the procedure in the “Enroll manually for an OCSP Response Signing certificate” section.
  • If enrollment for an OCSP Response Signing certificate was successful but the certificate cannot be used by the Online Responder service, complete the procedure in the “Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE” section.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Enroll manually for an OCSP Response Signing certificate

To manually enroll for an OCSP Response Signing certificate:

  1. Click Start, type mmc, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the Computer account check box, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. Double-click Personal, and then double-click Certificates.
  7. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.
  8. Use the wizard to complete the enrollment process.

Note: The previous procedure assumes that the OCSP Response Signing certificate was configured for manual enrollment. If the OCSP Response Signing certificate template was configured for autoenrollment, you can use the same procedure but open the Certificates snap-in for the Online Responder service account rather than the computer account.

If the certificate enrollment process fails, then it may be that:

  • There is a problem connecting to the CA. Confirm that the computer on which the Online Responder service is running can connect to a CA.
  • The OCSP Response Signing certificate template has not been configured with Read and Enroll permissions for the computer account on which the Online Responder has been installed. Open the Certificate Templates snap-in, right-click the OCSP Response Signing certificate template, click Properties, and then click the Security tab to confirm that the computer running the Online Responder has these permissions.
  • The OCSP Response Signing certificate template has not been properly configured for use by the CA. On the CA, click Start, point to Administrative Tools, click Certification Authority, and then click the Certificate Templates container to confirm that it contains the OCSP Response Signing template.

Confirm access to the OCSP Response Signing certificate by NETWORK SERVICE

To ensure that the private key for the OCSP Response Signing certificate is accessible to NETWORK SERVICE:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and click Add.
  4. Click Computer account, and click Next.
  5. Select the computer hosting the Online Responder, click Finish, and then click OK.
  6. In the console tree, double-click Certificates, double-click Personal, and click Certificates.
  7. In the details pane, click OCSP Response Signing.
  8. On the Actions menu, point to All Tasks, and click Manage Private Keys.
  9. Click Add, type NETWORK SERVICE, and then click OK.
  10. Ensure that only the Read permission is allowed for NETWORK SERVICE, and then click OK.
  11. Restart the Online Responder service.

If the OCSP Response Signing certificate is not valid for signature purposes, enroll for a certificate that includes the id-kp-OCSPSigning enhanced key usage, labeled OCSP Signing (1.3.6.1.5.5.7.3.9).
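The following script is an added example, not part of the Microsoft page: it audits the certificate(s) in the computer's Personal store for the two conditions described above, the id-kp-OCSPSigning EKU (1.3.6.1.5.5.7.3.9) and a private key ACL that grants NETWORK SERVICE Read and nothing more. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later on the Online Responder and a software (CSP or CNG) machine key; the function names Get-PrivateKeyFile and Test-OcspSigningKeyAccess are this example's own.

```powershell
# Added example (not from the Microsoft page): check the OCSP Response Signing
# certificate(s) in LocalMachine\My for the id-kp-OCSPSigning EKU and for a
# private key ACL that grants NETWORK SERVICE Read, as steps 9-10 above require.
$OcspSigningOid = '1.3.6.1.5.5.7.3.9'
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Assumption: a software machine key. Legacy CSP keys are files under
    # Crypto\RSA\MachineKeys; CNG (KSP) keys are files under Crypto\Keys.
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    # .PrivateKey throws for CNG keys on newer .NET, so treat failure as "not a CSP key".
    try { $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { $name = $null }
    if ($name) { return Join-Path $base ('RSA\MachineKeys\' + $name) }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return Join-Path $base ('Keys\' + $rsa.Key.UniqueName) }
    return $null
}

function Test-OcspSigningKeyAccess {
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $OcspSigningOid })
    }
    if (-not $certs) {
        Write-Warning "No certificate with EKU $OcspSigningOid and a private key in LocalMachine\My; re-enroll."
        return
    }
    # Read as granted by the Manage Private Keys dialog appears as Read plus Synchronize.
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::Read -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    foreach ($cert in $certs) {
        $keyFile = Get-PrivateKeyFile $cert
        if (-not $keyFile -or -not (Test-Path $keyFile)) {
            Write-Warning "$($cert.Thumbprint): private key file not found (hardware KSP or non-RSA key?)."
            continue
        }
        $granted = 0   # OR together every Allow ACE for the service account
        (Get-Acl $keyFile).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount
        } | ForEach-Object { $granted = $granted -bor [int]$_.FileSystemRights }
        if (-not ($granted -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)) {
            Write-Warning "$($cert.Thumbprint): NETWORK SERVICE cannot read $keyFile (step 9 above)."
        } elseif ($granted -band -bnot $readMask) {
            Write-Warning "$($cert.Thumbprint): NETWORK SERVICE has more than Read on the key; reduce it to Read (step 10)."
        } else {
            Write-Output "$($cert.Thumbprint): OK, NETWORK SERVICE has Read on $keyFile."
        }
    }
}
Test-OcspSigningKeyAccess
```

Run it from an elevated prompt on the Online Responder; a warning on the ACL check points at step 9 or 10 of the procedure, and an EKU miss means the certificate must be re-enrolled from a template that carries OCSP Signing.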

If the error persists, check the event log on the CA for any other events related to enrollment failures. For more information, see Troubleshooting: AD CS – Certificate Request (Enrollment) Processing (http://go.microsoft.com/fwlink/?LinkId=104210).

Resolve any issues related to processing requests for OCSP Response Signing certificates, and then restart the Online Responder service to attempt the request again.

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
  6. Open a command prompt window.
  7. Type certutil -url <exportedcert.cer> and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.

Related Management Information

AD CS Online Responder Service

Active Directory Certificate Services

Event ID 28 — Volume Shadow Copy Service Operations

Updated: January 27, 2011

Applies To: Windows Server 2008

The Volume Shadow Copy Service (VSS) provides the ability to create a point in time image (shadow copy) of one or more volumes that can be used to perform backups. The service is also used during restores of applications.

Event Details

Product: Windows Operating System
ID: 28
Source: VSS
Version: 6.0
Symbolic Name: VSS_ERROR_SWPRV_DISABLED
Message: Volume Shadow Copy Service error: The Microsoft Software Shadow Copy Provider (SWPRV) service is disabled. Please enable the service and try again. %1

Resolve
Ensure that the Microsoft Software Shadow Copy Provider service is enabled

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To ensure that the Microsoft Software Shadow Copy Provider service is enabled:

  1. Click Start, click Administrative Tools, and then click Services.
  2. In the results pane, double-click Microsoft Software Shadow Copy Provider.
  3. Make sure Startup type is set to Manual.
  4. Click OK.

Verify

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify that the Volume Shadow Copy Service is started:

  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the results pane, double-click Volume Shadow Copy.
  3. In Service status, make sure that the status is Started. If the status is not Started, click Start.
  4. Make sure Startup type is set to Manual.
  5. Click OK.

Related Management Information

Volume Shadow Copy Service Operations

File Services
