Step 16 - Change Timeout on Certification Path Validation Settings

Applies To: Windows Server 2008, Windows Server 2008 R2

This step explains how to change the default path validation cumulative retrieval timeout from 20 seconds to 2 seconds. The change is required only because the servers do not have access to the Internet. If this GPO setting is not changed, the AD RMS Bulk Protection Tool will fail when attempting to activate the FCI server.

To change the Default Path Validation Cumulative Retrieval Timeout

  1. Log on to the Server as Administrator.

  2. Click Start, select Administrative Tools, and click Group Policy Management.

  3. Expand Forest:, expand Domains, expand, right-click Default Domain Policy, and then select Edit. This will bring up the Group Policy Management Editor.

  4. On the left, expand Computer Configuration, expand Windows Settings, expand Security Settings, and click Public Key Policies.

  5. On the right, right-click Certificate Path Validation Settings and click Properties. This will bring up the Certificate Path Validation Settings Properties.

  6. On the Certificate Path Validation Settings screen, click the Network Retrieval tab.

  7. On the Network Retrieval screen, select the Define these policy settings check box and, in the middle of the screen, change Default path validation cumulative retrieval timeout (in seconds) to 2.

  8. Click Apply and OK. This will close the Certificate Path Validation Settings.

  9. Close Group Policy Management.

Refresh the policy on the FCI server

  1. Log on to the Server as Administrator.

  2. Click Start, and click Command Prompt. This will open a command prompt window.

  3. From the command prompt, type gpupdate /force and press Enter. Once this is complete, it should say that the user and computer policies were updated successfully.

  4. Close the Command Prompt.