Jump to content
Sign in to follow this  
affa

Retrospect Helper - The Writer Certificate Authority failed

Recommended Posts

From my other thread

 

I am getting this on boot after restores:

 

Retrospect Helper - The Writer Certificate Authority failed and could not be restored

 

after this the Certificate Authority stops working, I'd get KDC failures and also a mountain of DCOM (or was it COM+) error would flood into the event logs.

 

Any help appreciated.

Share this post


Link to post
Share on other sites

Hi

 

For those new to the thread:

OS is windows 2003 service pack 1

 

Affa,

In your other post you mentioned that your restore was sucessful after you installed windows 2003, installed SP1 and then ran the restore. Are you still getting these errors in that situation?

 

Thanks

Nate

Share this post


Link to post
Share on other sites

Thank nate for bringing everyone up to speed.

 

The target system is an IBM x235 server with Serveraid 5i RAID, dual proc (4 if you count HT) and 4gigs of ram. It runs Win2k3 SP1 + hotfixes and is a domain controller.

 

Yes, I believe this problem has little to do with the SP1 per se. I have tried restoring into a fresh OS with SP1 and also just a normal network client restore over the top of the existing OS image (i.e. rolling system back)

Share this post


Link to post
Share on other sites

I get the exact same error. This is with a fresh install of W2K3, SP1, all hotfixes and updates. My server is also a domain controller, certificate authority, and has Exchange installed. Dual-core 3.4GHz CPU, 2GB memory, Dell CERC SATA RAID card. If anything, it might be that SP1 or one of the hotfixes broke it.

Share this post


Link to post
Share on other sites

I was able to avoid the error this last time. I installed W2K3, SP1, and all updates, as before. The difference this time was 2 things:

 

Before restoring:

1) Installed Certificate Services.

2) Assigned Administrator password, to the same value as that in the backup.

 

I thought maybe it wanted some of the cert infrastructure in place first. I also thought restoring certs might be password sensitive. (I'm guessing it's the password).

 

Tomorrow, I'll see which one of those two fixed it, unless you already know which. grin.gif

Share this post


Link to post
Share on other sites

lafong, perhaps... but I am fairly sure I was just rolling back amachine which has cert auth on it already, so both the infrastructure and password are already there.....

 

So far I'm running a 100% strike rate on this error..... I'm not so lucky.....

 

My hunch is that this is another issue brought upon with the SP1......

 

Thanks nate for digging, we eagerly await your solution.

 

Cheers,

Arthur

Share this post


Link to post
Share on other sites

Hi affa,

 

Unfortunately I haven't found anything that states this is a known issue.

 

You are using Retrospect 7.0.326 right?

 

The helper serveice generates a log file called "rthlpsvc.log" in the Retrospect program directory. This log gets deleted on reboot so we need to get a copy of it after you boot into directory services restore mode, the helper service runs and before you reboot the system.

 

Some other basic questions if I may (just to make sure)

Were there any errors when you ran the backup? Have you tried restoring other snapshots? Did you exclude any files from backup either manually or with a selector?

 

Thanks

Nate

Share this post


Link to post
Share on other sites

this is going to sound really stupid but no, we're not running the latest version. I'm going to do that during the window later this weekend and test it out (along with the DR CD test in the my other thread).

 

I shall report back.

 

Regards,

Arthur

Share this post


Link to post
Share on other sites

I'm running the latest 6.5 version. I tried a couple more times. It wasn't the admin password, it was the certificate services. If I install certificate services on the temp installation, before restoring, I don't get the Writer Certificate Authority error. But certs still don't get restored correctly. I now get a bunch of KDC and cert errors, and cert services won't start. I thought you said that you were using RS7 in the other thread, affa, so that's why I haven't tried it yet. I've got the demo version which I'll try out soon.

Share this post


Link to post
Share on other sites

Just completed a restore with the latest version, 7.0.326. Same error exactly. If cert restore works with some servers, it must be caused by some combination of stuff on our server: Active Directory domain controller, Certificate Authority, Exchange. I do not want to implement this server until I can be reasonably sure that Retrospect is able to restore it.

 

After complete restore, I get this error upon every reboot:

 

Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 94

Date: 10/13/2005

Time: 11:23:59 AM

User: N/A

Computer: EXCHANGE

Description:

Certificate Services exchange.somewhere.com can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.

Share this post


Link to post
Share on other sites

That's what I got. so I guess 7.0.326 didn't fix it..... frown.gif

 

I had this error on both of the DC's here. One is a AD, DC, exchange and subordinate CA, the other is a AD, DC and root CA.

Share this post


Link to post
Share on other sites

Hi

 

Were either of you able to grab a copy of that log? I'd like to pass it on to the developers for review?

 

Thanks,

Nate @ EMC Dantz Support

Share this post


Link to post
Share on other sites

Can you tell me which file you want specifically?

 

Is that the one that I have to grab while in AD recovery mode?

 

Or is there a debug log that you want?

 

If I can get the info from you I'll do another test this weekend.

 

Cheers,

Arthur

Share this post


Link to post
Share on other sites

Hi

 

The helper serveice generates a log file called "rthlpsvc.log" in the Retrospect program directory. This log gets deleted on reboot so we need to get a copy of it after you boot into directory services restore mode, the helper service runs and before you reboot the system.

 

Yes, this is the one you have to get after the helper service runs and before you reboot.

 

Thanks

Nate

Share this post


Link to post
Share on other sites

From my post in the original thread:

"The Helper log is no help. It's either blank at one point, or has a "nothing to do" message when the restore is all done. The cert service will start, but the certs are not restored. "

Share this post


Link to post
Share on other sites

Finally had a successful restore. I used Windows Backup to backup System State to a file. This gets the Certificate Server, Active Directory, COM+, etc. I also backed up the CA only to a folder from within the Certification Authority tool itself. After restoring the drive, and letting Retrospect Helper do its thing, I restored System State. This also has to be done in Directory Services Restore Mode. I tried just restoring the backup I had made from the Certification Authority tool, but that didn't work.

 

Essentially, I just did manually what Retrospect Helper is supposed to do automatically. I'll just schedule a daily System State backup to a file in Windows Backup. It's a pretty large file, >500MB, so I'll overwrite the previous day's. Retrospect will then put a copy on tape. It'd be nice if this bug got fixed though.

Share this post


Link to post
Share on other sites

Hi,

 

I suspect the restore will work if you export the keys prior to backup and then import them after restore. My understanding is that this process should not be required but I am trying to find out for sure.

 

Is the partition and directory structure of the restored machine identical to that of the source machine?

 

Thanks

Nate

Share this post


Link to post
Share on other sites

I tried just exporting from the CA. That didn't work. Can't remember the exact error now, but the CA seemed to not be communicating with AD.

 

When I backed up System Settings, it worked. This is a brand new, vanilla install, and all partitions and directories are exactly the same.

Share this post


Link to post
Share on other sites

Tried the fix. Indeed, the error is gone when I boot into Directory Services mode. However, I still get the Event Log error I cited earlier, every time I boot up:

 

 

 

Event Type: Warning

 

Event Source: CertSvc

 

Event Category: None

 

Event ID: 94

 

Date: 11/01/2005

 

Time: 11:23:59 AM

 

User: N/A

 

Computer: EXCHANGE

 

Description:

 

Certificate Services exchange.somewhere.com can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.

 

 

 

Within a second or two after that error, I get this:

 

 

 

Event Type: Information

 

Event Source: CertSvc

 

Event Category: None

 

Event ID: 26

 

Date: 11/1/2005

 

Time: 11:24:02 AM

 

User: N/A

 

Computer: EXCHANGE

 

Description:

 

Certificate Services for exchange.somewhere.com was started. DC=EXCHANGE

 

 

 

I'm not sure if it was restored successfully or not. In any case, I don't want this error.

Share this post


Link to post
Share on other sites

> Did you use the first or second workaround?

 

The first. Then I tried the 2nd method. over a clean install, which failed with the original error.

Share this post


Link to post
Share on other sites

Was the first method over a clean install of Windows 2003 updated to SP1? If not, could you please try the first method over a clean install of Windows 2003 updated to SP1?

 

And just to verify, for the second method, you received the "The Writer Certificate Authority failed and could not be restored" error?

Share this post


Link to post
Share on other sites

> Was the first method over a clean install of Windows 2003 updated to SP1? If not, could you

> please try the first method over a clean install of Windows 2003 updated to SP1?

 

Yes, it was over a clean install of W2K3 SP1.

 

 

> And just to verify, for the second method, you received the "The Writer Certificate Authority

> failed and could not be restored" error?

 

Yes.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×