DCOM error with NTBACKUP and Certificate Services

paul

I'm using NTBACKUP (v5.0) to create System State backups
of a W2K SP4 Domain Controller that is also a Certificate
Server. The DC is configured as an enterprise root CA
which we want offline - rather than disconnect from the
network we have stopped the CertSvc service and set it to
manual - certificates are thus only provided by an online
subordinate. The CertSvc service is set to log on as Local
System, Interact with Desktop.

When I run NTBACKUP to do System State, the following
error appears in the System log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10002
Date: 29/12/2003
Time: 16:28:55
User: Domain\Account
Computer: Server01
Description:
Access denied attempting to launch a DCOM Server. The
server is:
{D99E6E73-FC88-11D0-B498-00A0C90312F3}
The user is Account/Domain, SID=x-x-x-xx-xxxxxxxxxx-
xxxxxxxxx-xxxxxxxxxx-xxxx.

The GUID relates to CertSrv Admin so it would appear that
NTBACKUP is attempting to start something to backup the
database. Checking DCOMCNFG indicates that CertSrv Admin
security is using Custom Permissions of Everyone Access
but No-one Launch - I don't know whether to change this,
and what the implications are.

The account that is referenced in the error is a local
admin and can manually control CertSvc, so I'm not clear
what context NTBACKUP is running under, or indeed what
it's trying to do.

If I start CertSvc manually and run NTBACKUP I don't get
the error. Also, with the backup log set to Detailed I can
see an additional folder (Folder System State\Certificate
Server) included in the backup, with approx 15Mb
additional data.

so...
have I missed something in the configuration of
CertSvc/DCOM or NTBACKUP, or is this a problem with
NTBACKUP that means I must have CertSvc running during
each System State backup?

regards
paul

psqry1203
 
Brian Komar

Some answers inline...

> I'm using NTBACKUP (v5.0) to create System State backups
> of a W2K SP4 Domain Controller that is also a Certificate
> Server. The DC is configured as an enterprise root CA
> which we want offline - rather than disconnect from the
> network we have stopped the CertSvc service and set it to
> manual - certificates are thus only provided by an online
> subordinate. The CertSvc service is set to log on as Local
> System, Interact with Desktop.


To be an offline CA, the CA should be a standalone root CA, not an
enterprise CA. Enterprise CAs require connectivity to Active Directory.
For details on best practices for a CA hierarchy, see Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp

Also, the conversion of an enterprise root CA to a standalone root CA is
discussed in the Operations whitepaper.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp

> When I run NTBACKUP to do System State, the following
> error appears in the System log:
>
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10002
> Date: 29/12/2003
> Time: 16:28:55
> User: Domain\Account
> Computer: Server01
> Description:
> Access denied attempting to launch a DCOM Server. The
> server is:
> {D99E6E73-FC88-11D0-B498-00A0C90312F3}
> The user is Account/Domain, SID=x-x-x-xx-xxxxxxxxxx-
> xxxxxxxxx-xxxxxxxxxx-xxxx.

This is expected. To back up the CA, Certificate Services must be
running. You are receiving the error because you have manually disabled
Certificate Services.

> The GUID relates to CertSrv Admin so it would appear that
> NTBACKUP is attempting to start something to backup the
> database. Checking DCOMCNFG indicates that CertSrv Admin
> security is using Custom Permissions of Everyone Access
> but No-one Launch - I don't know whether to change this,
> and what the implications are.
>
> The account that is referenced in the error is a local
> admin and can manually control CertSvc, so I'm not clear
> what context NTBACKUP is running under, or indeed what
> it's trying to do.
>
> If I start CertSvc manually and run NTBACKUP I don't get
> the error. Also, with the backup log set to Detailed I can
> see an additional folder (Folder System State\Certificate
> Server) included in the backup, with approx 15Mb
> additional data.
>
> so...
> have I missed something in the configuration of
> CertSvc/DCOM or NTBACKUP, or is this a problem with
> NTBACKUP that means I must have CertSvc running during
> each System State backup?

You got it! CertSvc must be running when performing the System State
backup so that the backup includes the CA database.

Brian
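The workflow Brian describes (CertSvc must be up while NTBACKUP captures System State, otherwise the CA database is skipped and DCOM 10002 is logged) as an added batch example, not code from the thread. It assumes sc.exe and ntbackup.exe are available (Windows 2000/2003) and uses placeholder backup path and job name; it starts CertSvc only for the backup window and stops it again so the root CA stays offline.

```batch
@echo off
REM Added example (not from the thread): System State backup of a DC that is
REM also a CA whose CertSvc is normally stopped and set to Manual.
REM Assumptions: sc.exe and ntbackup.exe on the path; BKF and JOB are placeholders.
setlocal
set BKF=D:\Backups\SystemState.bkf
set JOB=System State including CA database
set STARTED_BY_SCRIPT=0

REM Is CertSvc already running? If not, start it for the backup only.
sc query certsvc | find "RUNNING" >nul
if errorlevel 1 (
    echo CertSvc is stopped; starting it for the duration of the backup.
    net start certsvc
    if errorlevel 1 (
        echo Could not start CertSvc; aborting rather than taking a partial backup.
        exit /b 1
    )
    set STARTED_BY_SCRIPT=1
)

REM With CertSvc running, NTBACKUP includes "System State\Certificate Server"
REM (the CA database and its log). /L:f = detailed log, so the folder is visible.
ntbackup backup systemstate /J "%JOB%" /F "%BKF%" /L:f

REM Return the CA to its stopped state if this script started it.
if "%STARTED_BY_SCRIPT%"=="1" (
    echo Stopping CertSvc again so the root CA stays offline.
    net stop certsvc
)
endlocal
```

Check the detailed backup log afterwards for the "System State\Certificate Server" folder; its absence means the CA database was not captured.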
 
Guest

Hi Brian

thanks for the comments and links - I'll alter my
configuration to allow for an online enterprise root CA -
however I've spent most of the day looking for details on
how to configure root so it only issues to subordinate -
as far as I can see I need to change the security settings
on either the Certification Authority (just give
Authenticated Users Read access) or on individual
certificate templates (in Sites and Services), but I've
not found any clear documentation on how best to do this.

again, thanks

regards
paul
-----Original Message-----
Some answers inline...
 
Brian Komar

> Hi Brian
>
> thanks for the comments and links - I'll alter my
> configuration to allow for an online enterprise root CA -
> however I've spent most of the day looking for details on
> how to configure root so it only issues to subordinate -
> as far as I can see I need to change the security settings
> on either the Certification Authority (just give
> Authenticated Users Read access) or on individual
> certificate templates (in Sites and Services), but I've
> not found any clear documentation on how best to do this.
>
> again, thanks
>
> regards
> paul
> <snip>

If you only want the online enterprise root CA to issue certificates to
subordinate CAs, then you must only publish the Subordinate
Certification Authority certificate template at the online root CA.

To do this, open the Certification Authority console, and click the
Certificate templates (or Policy Settings container in 2k), and then
remove all certificate templates except the Subordinate Certification
Authority certificate template.

In addition, you can set the permissions on the certificate template to
limit who can enroll the template. Use Certtmpl.msc if using Windows
2003 or AD Sites and Services if using 2k.

Brian
 
Paul

Brian Komar said:
> <snip>
>
> If you only want the online enterprise root CA to issue certificates to
> subordinate CAs, then you must only publish the Subordinate
> Certification Authority certificate template at the online root CA.
>
> To do this, open the Certification Authority console, and click the
> Certificate templates (or Policy Settings container in 2k), and then
> remove all certificate templates except the Subordinate Certification
> Authority certificate template.
>
> In addition, you can set the permissions on the certificate template to
> limit who can enroll the template. Use Certtmpl.msc if using Windows
> 2003 or AD Sites and Services if using 2k.
>
> Brian

cheers much for clarifying this

have a good new year

regards
paul