affa Posted October 8, 2005 Report Share Posted October 8, 2005 From my other thread I am getting this on boot after restores: Retrospect Helper - The Writer Certificate Authority failed and could not be restored after this the Certificate Authority stops working, I'd get KDC failures and also a mountain of DCOM (or was it COM+) error would flood into the event logs. Any help appreciated. Link to comment Share on other sites More sharing options...
natew Posted October 10, 2005 Report Share Posted October 10, 2005 Hi For those new to the thread: OS is windows 2003 service pack 1 Affa, In your other post you mentioned that your restore was sucessful after you installed windows 2003, installed SP1 and then ran the restore. Are you still getting these errors in that situation? Thanks Nate Link to comment Share on other sites More sharing options...
affa Posted October 10, 2005 Author Report Share Posted October 10, 2005 Thank nate for bringing everyone up to speed. The target system is an IBM x235 server with Serveraid 5i RAID, dual proc (4 if you count HT) and 4gigs of ram. It runs Win2k3 SP1 + hotfixes and is a domain controller. Yes, I believe this problem has little to do with the SP1 per se. I have tried restoring into a fresh OS with SP1 and also just a normal network client restore over the top of the existing OS image (i.e. rolling system back) Link to comment Share on other sites More sharing options...
lafong Posted October 10, 2005 Report Share Posted October 10, 2005 I get the exact same error. This is with a fresh install of W2K3, SP1, all hotfixes and updates. My server is also a domain controller, certificate authority, and has Exchange installed. Dual-core 3.4GHz CPU, 2GB memory, Dell CERC SATA RAID card. If anything, it might be that SP1 or one of the hotfixes broke it. Link to comment Share on other sites More sharing options...
natew Posted October 11, 2005 Report Share Posted October 11, 2005 Hi Let me do some digging on this. Thanks nate Link to comment Share on other sites More sharing options...
lafong Posted October 11, 2005 Report Share Posted October 11, 2005 I was able to avoid the error this last time. I installed W2K3, SP1, and all updates, as before. The difference this time was 2 things: Before restoring: 1) Installed Certificate Services. 2) Assigned Administrator password, to the same value as that in the backup. I thought maybe it wanted some of the cert infrastructure in place first. I also thought restoring certs might be password sensitive. (I'm guessing it's the password). Tomorrow, I'll see which one of those two fixed it, unless you already know which. Link to comment Share on other sites More sharing options...
affa Posted October 11, 2005 Author Report Share Posted October 11, 2005 lafong, perhaps... but I am fairly sure I was just rolling back amachine which has cert auth on it already, so both the infrastructure and password are already there..... So far I'm running a 100% strike rate on this error..... I'm not so lucky..... My hunch is that this is another issue brought upon with the SP1...... Thanks nate for digging, we eagerly await your solution. Cheers, Arthur Link to comment Share on other sites More sharing options...
natew Posted October 12, 2005 Report Share Posted October 12, 2005 Hi affa, Unfortunately I haven't found anything that states this is a known issue. You are using Retrospect 7.0.326 right? The helper serveice generates a log file called "rthlpsvc.log" in the Retrospect program directory. This log gets deleted on reboot so we need to get a copy of it after you boot into directory services restore mode, the helper service runs and before you reboot the system. Some other basic questions if I may (just to make sure) Were there any errors when you ran the backup? Have you tried restoring other snapshots? Did you exclude any files from backup either manually or with a selector? Thanks Nate Link to comment Share on other sites More sharing options...
affa Posted October 12, 2005 Author Report Share Posted October 12, 2005 this is going to sound really stupid but no, we're not running the latest version. I'm going to do that during the window later this weekend and test it out (along with the DR CD test in the my other thread). I shall report back. Regards, Arthur Link to comment Share on other sites More sharing options...
lafong Posted October 12, 2005 Report Share Posted October 12, 2005 I'm running the latest 6.5 version. I tried a couple more times. It wasn't the admin password, it was the certificate services. If I install certificate services on the temp installation, before restoring, I don't get the Writer Certificate Authority error. But certs still don't get restored correctly. I now get a bunch of KDC and cert errors, and cert services won't start. I thought you said that you were using RS7 in the other thread, affa, so that's why I haven't tried it yet. I've got the demo version which I'll try out soon. Link to comment Share on other sites More sharing options...
lafong Posted October 13, 2005 Report Share Posted October 13, 2005 Just completed a restore with the latest version, 7.0.326. Same error exactly. If cert restore works with some servers, it must be caused by some combination of stuff on our server: Active Directory domain controller, Certificate Authority, Exchange. I do not want to implement this server until I can be reasonably sure that Retrospect is able to restore it. After complete restore, I get this error upon every reboot: Event Type: Warning Event Source: CertSvc Event Category: None Event ID: 94 Date: 10/13/2005 Time: 11:23:59 AM User: N/A Computer: EXCHANGE Description: Certificate Services exchange.somewhere.com can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. Link to comment Share on other sites More sharing options...
affa Posted October 13, 2005 Author Report Share Posted October 13, 2005 That's what I got. so I guess 7.0.326 didn't fix it..... I had this error on both of the DC's here. One is a AD, DC, exchange and subordinate CA, the other is a AD, DC and root CA. Link to comment Share on other sites More sharing options...
natew Posted October 14, 2005 Report Share Posted October 14, 2005 Hi Were either of you able to grab a copy of that log? I'd like to pass it on to the developers for review? Thanks, Nate @ EMC Dantz Support Link to comment Share on other sites More sharing options...
affa Posted October 14, 2005 Author Report Share Posted October 14, 2005 Can you tell me which file you want specifically? Is that the one that I have to grab while in AD recovery mode? Or is there a debug log that you want? If I can get the info from you I'll do another test this weekend. Cheers, Arthur Link to comment Share on other sites More sharing options...
natew Posted October 17, 2005 Report Share Posted October 17, 2005 Hi The helper serveice generates a log file called "rthlpsvc.log" in the Retrospect program directory. This log gets deleted on reboot so we need to get a copy of it after you boot into directory services restore mode, the helper service runs and before you reboot the system. Yes, this is the one you have to get after the helper service runs and before you reboot. Thanks Nate Link to comment Share on other sites More sharing options...
lafong Posted October 17, 2005 Report Share Posted October 17, 2005 From my post in the original thread: "The Helper log is no help. It's either blank at one point, or has a "nothing to do" message when the restore is all done. The cert service will start, but the certs are not restored. " Link to comment Share on other sites More sharing options...
lafong Posted October 21, 2005 Report Share Posted October 21, 2005 Finally had a successful restore. I used Windows Backup to backup System State to a file. This gets the Certificate Server, Active Directory, COM+, etc. I also backed up the CA only to a folder from within the Certification Authority tool itself. After restoring the drive, and letting Retrospect Helper do its thing, I restored System State. This also has to be done in Directory Services Restore Mode. I tried just restoring the backup I had made from the Certification Authority tool, but that didn't work. Essentially, I just did manually what Retrospect Helper is supposed to do automatically. I'll just schedule a daily System State backup to a file in Windows Backup. It's a pretty large file, >500MB, so I'll overwrite the previous day's. Retrospect will then put a copy on tape. It'd be nice if this bug got fixed though. Link to comment Share on other sites More sharing options...
natew Posted October 25, 2005 Report Share Posted October 25, 2005 Hi, I suspect the restore will work if you export the keys prior to backup and then import them after restore. My understanding is that this process should not be required but I am trying to find out for sure. Is the partition and directory structure of the restored machine identical to that of the source machine? Thanks Nate Link to comment Share on other sites More sharing options...
lafong Posted October 25, 2005 Report Share Posted October 25, 2005 I tried just exporting from the CA. That didn't work. Can't remember the exact error now, but the CA seemed to not be communicating with AD. When I backed up System Settings, it worked. This is a brand new, vanilla install, and all partitions and directories are exactly the same. Link to comment Share on other sites More sharing options...
natew Posted November 1, 2005 Report Share Posted November 1, 2005 Lafong and affa, I'd like to thank you on behalf of EMC Dantz for all your time and effort in troubleshooting this issue. Thanks to your efforts we have found the cause of the problem. Details and workarounds are in this article: http://kb.dantz.com/article.asp?article=8139&p=2 Thanks again! Nate @ EMC Dantz support Link to comment Share on other sites More sharing options...
lafong Posted November 2, 2005 Report Share Posted November 2, 2005 Tried the fix. Indeed, the error is gone when I boot into Directory Services mode. However, I still get the Event Log error I cited earlier, every time I boot up: Event Type: Warning Event Source: CertSvc Event Category: None Event ID: 94 Date: 11/01/2005 Time: 11:23:59 AM User: N/A Computer: EXCHANGE Description: Certificate Services exchange.somewhere.com can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. Within a second or two after that error, I get this: Event Type: Information Event Source: CertSvc Event Category: None Event ID: 26 Date: 11/1/2005 Time: 11:24:02 AM User: N/A Computer: EXCHANGE Description: Certificate Services for exchange.somewhere.com was started. DC=EXCHANGE I'm not sure if it was restored successfully or not. In any case, I don't want this error. Link to comment Share on other sites More sharing options...
RonaldL Posted November 2, 2005 Report Share Posted November 2, 2005 Did you use the first or second workaround? Link to comment Share on other sites More sharing options...
lafong Posted November 3, 2005 Report Share Posted November 3, 2005 > Did you use the first or second workaround? The first. Then I tried the 2nd method. over a clean install, which failed with the original error. Link to comment Share on other sites More sharing options...
RonaldL Posted November 3, 2005 Report Share Posted November 3, 2005 Was the first method over a clean install of Windows 2003 updated to SP1? If not, could you please try the first method over a clean install of Windows 2003 updated to SP1? And just to verify, for the second method, you received the "The Writer Certificate Authority failed and could not be restored" error? Link to comment Share on other sites More sharing options...
lafong Posted November 3, 2005 Report Share Posted November 3, 2005 > Was the first method over a clean install of Windows 2003 updated to SP1? If not, could you > please try the first method over a clean install of Windows 2003 updated to SP1? Yes, it was over a clean install of W2K3 SP1. > And just to verify, for the second method, you received the "The Writer Certificate Authority > failed and could not be restored" error? Yes. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.