MahyarS-7941 asked

Certificate error on all clients

Hi

We have a domain controller that is about 12 years old. The OS itself has been upgraded regularly (it is now Windows Server 2019), but over these years a lot of settings have been changed, and a couple of services were connected to Active Directory and then disconnected, so a lot of junk has been left over and many services don't work as properly as they used to.
Therefore, we need a way to clean up our domain controller.
Recently we seized our primary DC and installed a fresh OS, but when making it primary again, it takes back all that crap from our additional DC, so we are back to where we were.

The reason I ask is that recently an annoying problem occurred: any Windows PC that joins our domain gets an SSL cert error, even for google.com.
I created a policy at the top of the tree, imported an updated version of the certificates from Microsoft and enforced that policy, but the problem still exists.

PS: dcdiag.exe is showing everything pass


Thank you in advance

windows-server-security

HannahXiong-MSFT answered

Hi @MahyarS-7941,

Thanks a lot for posting here.

Before and after we make any change to our AD environment, please kindly make sure that all domain controllers work well and the replication status among the domain controllers is okay without any error.

To check about this, we could run the below commands:

dcdiag /v /e>c:\temp\dcdiag.txt
repadmin /replsummary /bydst /bysrc >C:\temp\replsummary.txt
repadmin /showrepl * /csv >C:\temp\repall.csv

As for the certificate error, if possible, would you please share a screenshot of this error, so we could better understand this issue? Besides, may I know whether it is a self-signed SSL certificate?

Looking forward to hearing from you. Thanks.

Best regards,
Hannah Xiong


I checked for errors with the commands you mentioned, and now we're checking how to fix our errors; however, I attached all the reports, so if you have time, kindly check them and give your opinion. (I changed server names to something obvious.)
PS: The Skype server is not available anymore.
About your certificate question, it's not a self-signed certificate, and I get an error with every site that uses SSL, as in the screenshot I attached; you can see I get a certificate error with https://www.google.com.
OS and Browser are up to date and region and time/date are correct.

Thank you for your time
HannahXiong-MSFT answered

Hi @MahyarS-7941,

Thank you so much for your kind reply.

Due to security considerations, it is suggested not to post any logs here. As for confidential information, it is suggested to blur it.

I have checked that there is nothing wrong with the AD replication. From the dcdiag report, there seems to be something wrong with SYSVOL replication. Would you please kindly run the below commands to check for more information?

Net share

dfsrmig.exe /getglobalstate

wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderInfo get ReplicationGroupName, ReplicatedFolderName, State

As for the SSL certificate issue, it is showing that "This certificate cannot be verified up to a trusted certificate authority". I have found this documentation and hope it would be of some help.

https://techcommunity.microsoft.com/t5/iis-support-blog/you-get-a-security-alert-when-you-try-to-access-an-ssl-enabled/ba-p/348093#:~:text=You%20get%20%22%20This%20certificate%20cannot%20be%20verified,and%20users%20accessing%20the%20web%20site%20over%20Internet.

Best regards,
Hannah Xiong


Hi
I'm sorry for not replying to you sooner.
I ran the commands and here is what I got as a result. (Same as before, I changed the info specific to our network.)

Net share
Share name Resource Remark


C$ C:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
NETLOGON C:\Windows\SYSVOL\sysvol\domain.com\SCRIPTS
Logon server share
SYSVOL C:\Windows\SYSVOL\sysvol Logon server share
The command completed successfully.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
dfsrmig.exe /getglobalstate
Current DFSR global state: 'Eliminated'
Succeeded.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderInfo get ReplicationGroupName, ReplicatedFolderName, State
ReplicatedFolderName, State
ReplicatedFolderName ReplicationGroupName State
SYSVOL Share Domain System Volume 4
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
About our certificate problem, I'm trying to push all the public certificates through group policy to see whether it can fix it or not.

thank you for your time


Hi,

Thank you so much for your kind reply.

From the outputs of the commands, the SYSVOL and Netlogon folders are shared and the SYSVOL folder replication type is DFSR, which is a must for a Windows Server 2019 domain controller. Besides, the state of the SYSVOL replication is 4, which means normal. So from the commands, we could see that everything is okay.

To quickly test whether the SYSVOL replication is okay or not, we could try the below steps:

Please kindly create a new folder or file under \\domain_name\Sysvol\domain_name\Policies. Then check whether this newly created folder or file is replicated to the same path on the other domain controllers.


About the certificate problem, for any update, please keep us posted.

Thank you so much and have a wonderful day.

Best regards,
Hannah Xiong

MahyarS-7941 answered

Hi
I checked the SYSVOL replication and it was ok.
About the certificate problem: now none of the domain clients gets a certificate error because of the policy, but the SSL sites became slow and don't work right!
I thought maybe the problem was our internet provider or our firewall config, but no: if a client uses our network without joining our domain, everything works perfectly, but if a joined client wants to use the internet, it works badly! I even tested a joined client outside our network with a different internet connection, but it still works badly!

Thank you for your time.

HannahXiong-MSFT answered

Hi @MahyarS-7941,

Thank you so much for your kind reply.

As mentioned, the certificate error has been resolved because of the policy, but now our SSL sites became slow and do not work right.

Based on my understanding, we access the SSL site google.com via https. If so, it will verify the validity of the certificate. May I know whether we could successfully access the site finally? Or is there any error message we would see?

To figure out this issue, I would suggest capturing a network trace and maybe CAPI2 logging for further analysis. For security reasons, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

https://support.serviceshub.microsoft.com/supportforbusiness

Thanks a lot and have a nice day.

Best regards,
Hannah Xiong

MahyarS-7941 answered

Hi @HannahXiong-MSFT
The certificate error is gone, but when you want to use a site with SSL, the website gets stuck on loading, or maybe some parts of that website load and not all of it.
Anyway, thank you so much for your help.

HannahXiong-MSFT answered

Hi @MahyarS-7941,

You are welcome. Thank you so much for your kind reply.

So glad that the certificate error is gone. Based on the scenario we described, it is hard to judge the cause of the issue. And based on my understanding, it is more like a performance issue. Have we tried using a different browser to open the website?

Greatly appreciate your time and support.

Best regards,
Hannah Xiong


Hi @HannahXiong-MSFT
Yes, I tested with FF, Edge, Chrome but the same problem exists!

Thank you for your time.

MahyarS-7941 answered

Hi @HannahXiong-MSFT
I'm sorry to bring up this topic again!
I saw something new and thought I should update this topic.
As you can see below, I took screenshots of the certificate of this site (https://docs.microsoft.com) on two different PCs:

1. PC joined to our domain that has the problem


2. PC joined to a clean test domain


As you can see, PC number 2 has the correct certificate, but the certificate on PC number 1 is not correct at all! It's issued by the PC itself, not Microsoft, and all the details are different.

Both PCs use the same internet, same browser and same OS, but the performance of opening a site like this one is very different.
I think this problem is because of an old certificate authority that was in our domain and now it doesn't exist.

Do you have any thoughts?

Thank you for your time
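A check worth running on the affected PC at this point, as an added example that is not code from either poster: open a TLS connection to the site from the screenshots, print the chain the client actually receives, and report whether its root is named after the local computer or was deployed by Group Policy (the registry key below is where GPO-pushed trusted roots are stored). The host name is the one from the post; any HTTPS site works.

```powershell
# Added example, not from this thread: show the certificate chain a domain-joined
# client actually receives for an HTTPS host and check where its root came from.
# A root named after the local computer, or one present only because Group Policy
# pushed it, points at local re-signing or a stale enterprise CA, not the website.
param(
    [string]$HostName = 'docs.microsoft.com',  # site from the post
    [int]$Port = 443
)

$state = @{ Certs = @(); Status = @(); Errors = $null }

# Copy the chain inside the callback: .NET resets the chain object once the
# callback returns. Returning $true only lets the handshake finish so we can
# inspect the chain; it does not make anything trusted.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Certs  = @($chain.ChainElements | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData) })
    $state.Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })
    $state.Errors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try     { $ssl.AuthenticateAsClient($HostName) }
finally { $ssl.Dispose(); $tcp.Dispose() }

Write-Output "Policy errors: $($state.Errors); chain status: $($state.Status -join ', ')"
for ($i = 0; $i -lt $state.Certs.Count; $i++) {
    $c = $state.Certs[$i]
    Write-Output ("[{0}] {1}`n    issuer: {2}`n    sha1: {3}" -f $i, $c.Subject, $c.Issuer, $c.Thumbprint)
}

# Trusted roots deployed through Group Policy land here, keyed by SHA-1 thumbprint.
$gpoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$gpoRoots = @(Get-ChildItem $gpoKey -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
$root     = $state.Certs[-1]

if ($root.Subject -match [regex]::Escape($env:COMPUTERNAME)) {
    Write-Warning "Chain ends in a certificate named after this computer; TLS to $HostName is re-signed locally."
}
if ($gpoRoots -contains $root.Thumbprint) {
    Write-Warning "Root $($root.Thumbprint) was deployed by Group Policy; confirm it is an intended enterprise CA."
}
if ($root.Subject -ne $root.Issuer) {
    Write-Warning "Chain does not end in a self-signed root; this client cannot build the full path."
}
```

Run it once on the domain-joined PC and once on the clean test PC; the thumbprints of the last element should match if both are reaching the site's real CA.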
