Trusted root certificates not synchronize between DC

Tutek 716

Hi,

I just promoted new serv 2022 to current domain as new domain controller, I see that users, coputers, gpo synchronized.

Policydefenitions are auto created in sysvol folder as central store - so everything is good.

But one GPO have settings to apply to all domain computer one certificate from trusted root, but when I do certlm.msc and go to this folder I don't see that this cert was synchronized on the new DC, on the old DC this cert is visible but not on then new DC.

I have no errors in sync:

PS C:\Users\Administrator.domain> Repadmin /replsummary
Replication Summary Start Time: 2023-03-07 08:42:17

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 UKS0001                   17m:51s    0 /   5    0
 UKS01                     07m:23s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 UKS0001                   07m:23s    0 /   5    0
 UKS01                     17m:51s    0 /   5    0

1 answer

Thameur-BOURBITA 32,506

Hi @Tutek

Try to force the GPO by running the following command :

gpupdate /force

Then you can check if the GPO setting for root certificate is well configured in gpo report by running the following command:

gpresult /H c:\temp\gporeport.html

Please don't forget to mark helpful answer as accepted

Tutek 716 Reputation points

2023-03-07T08:35:50.81+00:00

C:\Users\Administrator.domain>gpupdate /force

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

GPO is configured correctly, because on old domain this gpo is working all of domain computers have this certificate installed.

This GPO have two certificates to distribute to all domain computers, one of this cert was synchronized and is visible on the new DC, but as I said this is inside one GPO that is, if this setting didn't work then this one certificate wouldn't have been synchronized
Thameur-BOURBITA 32,506 Reputation points

2023-03-07T08:50:03.7266667+00:00

@Tutek

What do you see in gpo report provided by this command gpresult /H c:\temp\gporeport.html ?

Can you share the report with us ?
Tutek 716 Reputation points

2023-03-07T08:53:21.5833333+00:00

I see only five GPO that are binded to domain controllers OU (where new DC is already) - none have any errors.

But GPO with certificates is not binded to Domain Controllers OU, but to computers OU.
Tutek 716 Reputation points

2023-03-07T08:59:14.1033333+00:00

Here is GPO with two certificates, only this first one ending with ...13 was synchronized on the new DC:
Thameur-BOURBITA 32,506 Reputation points

2023-03-07T09:33:48.84+00:00

@Tutek

Did you try to reboot the new DC ?

Did your try to reimport the certificate in the GPO ?

Please don't forget to mark helpful answer as accepted
Tutek 716 Reputation points

2023-03-07T09:48:32.1566667+00:00

I did a reboot now, this not helped.
Is there any event viewer ID because only one certificate was synced inside gpo there must be any evidence or warning about this.
Yes for sure I can manually install this cert on new DC, but rather I would to know what is going on, maybe there is a synchronization error that affects other gpo's as well, so far I have only noticed this one problem but there may be more.
Thameur-BOURBITA 32,506 Reputation points

2023-03-07T10:01:17.7666667+00:00

Can you run the command below and share the result :

dcdiag

Tutek 716

From the new DC (error about DHCP is know because was not yet autorized)

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\Administrator.domain> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = uks01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\UKS01
      Starting test: Connectivity
         ......................... UKS01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\UKS01
      Starting test: Advertising
         ......................... UKS01 passed test Advertising
      Starting test: FrsEvent
         ......................... UKS01 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... UKS01 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... UKS01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... UKS01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... UKS01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... UKS01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... UKS01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... UKS01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... UKS01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... UKS01 passed test Replications
      Starting test: RidManager
         ......................... UKS01 passed test RidManager
      Starting test: Services
         ......................... UKS01 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 03/07/2023   10:45:04
            Event String:
            Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 03/07/2023   10:45:04
            Event String:
            Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
         A warning event occurred.  EventID: 0x80040020
            Time Generated: 03/07/2023   10:45:04
            Event String:
            Sterownik wykrył włączony bufor zapisu urządzenia \Device\Harddisk0\DR0. Może wystąpić uszkodzenie danych.
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 03/07/2023   10:45:09
            Event String:
            Upłynął limit czasu rozpoznawania nazwy _ldap._tcp.dc._msdcs.ad.domain.pl. po tym, jak żaden ze skonfigurowanych serwerów DNS nie odpowiedział.
         A warning event occurred.  EventID: 0x00002724
            Time Generated: 03/07/2023   10:45:38
            Event String:
            Ten komputer ma co najmniej jeden przypisany dynamicznie adres IPv6. Aby zapewnić niezawodne działanie serwera DHCPv6, należy używać tylko statycznych adresów IPv6.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 03/07/2023   10:45:38
            Event String:
            Usługa DHCP/BINL, zainstalowana na lokalnym komputerze, należącym do domeny administracyjnej Windows ad.domain.pl, ustaliła, że nie jest autoryzowana do uruchomienia. Usługa przestała obsługiwać klientów. Oto kilka możliwych powodów:
         An error event occurred.  EventID: 0xC0001B5E
            Time Generated: 03/07/2023   10:45:45
            Event String: Wywołanie ScRegSetValueExW dla Description nie powiodło się i wystąpił następujący błąd:
         A warning event occurred.  EventID: 0x00002720
            Time Generated: 03/07/2023   10:47:56
            Event String:
            Zgodnie z ustawieniami uprawnienia właściwe dla aplikacji nie jest udzielane uprawnienie Lokalny Uruchom do aplikacji serwera COM z identyfikatorem klasy CLSID
         ......................... UKS01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... UKS01 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ......................... ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ad passed test CrossRefValidation

   Running enterprise tests on : ad.domain.pl
      Starting test: LocatorCheck
         ......................... ad.domain.pl passed test LocatorCheck
      Starting test: Intersite
         ......................... ad.domain.pl passed test Intersite
PS C:\Users\Administrator.domain>

Thameur-BOURBITA 32,506 Reputation points

2023-03-07T10:28:32.2766667+00:00
@Tutek

You have error on Sysvol replication as mentioned here :

Starting test: DFSREvent There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

Sysvol replication can impact the application of GPO settings. You should fix it to be sure that all domain controllers have the same GPOs and last modifications. You can launch non-authoritative synchronization restore to fix this replication issue:

How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication

Please don't forget to mark helpful answer as accepted
Tutek 716 Reputation points

2023-03-07T11:02:34.13+00:00

When I look at event viewer for DFS, I have:

3.Warnings 4614, 6804, 6016 - these are from time when I promoted DC as new domain controller - did not appear no more later.

1.Error 6104 - appear one hour ago.
Thameur-BOURBITA 32,506 Reputation points

2023-03-07T11:19:02.5266667+00:00

If the sysvol replication is fine and the GPO settings is well applied on target DC, the problem should be on the certificate. Can your import it again to the GPO and check if you still have the same issue after running GPupdate /force ?
Tutek 716 Reputation points

2023-03-07T11:24:08.34+00:00

I have manually imported missing cert into trusted root, after gpudate /force is still there.

If I look on the new DC at sysvol: c:\Windows\SYSVOL\sysvol\ad.domain.pl\scripts\
I have all my custom folders here, scripts, msi files etc are there.

But on old DC I have multiple events ID 5014 with error: Error: 1723 (The RPC server is too busy to complete this operation.)

Maybe any firewall ports should be open on the new DC?
Thameur-BOURBITA 32,506 Reputation points

2023-03-07T11:43:41.07+00:00

@Tutek

There is another way to publish root certificate in active directory and it will imported automatically to root certificate store on each member machine : certutil -dspublish -f root_CA_Path RootCA

I prefer to use this method instead of GPO, because GPO depend on SYSVOL replication health.

Please don't forget to close the thread if your issue is resolved by accepting helpful answer