HP Integrity Superdome 2 User Manual page 180

HP Integrity Superdome 2 Onboard Administrator User Guide

is operating properly on a Domain Controller (for example, a certificate has been issued to it),
the browser's Security dialog prompts you to either proceed with accessing the site or view the
certificate. If you click Yes, nothing further happens; the purpose of the test is only to make
the Security dialog appear. A server that is not accepting connections on port 636 displays the
"page cannot be displayed" message. If this test fails, the Domain Controller is not accepting
SSL connections, possibly because a certificate has not been issued to it. Certificate issuance is
automatic, but might require a reboot.
To avoid a reboot, do the following:
1. On the Domain Controller, load the Certificates MMC snap-in for the Computer Account, and then
   navigate to the Personal->Certificates folder.
2. Right-click the folder, and then select Request New Certificate. The certificate type defaults to
   "Domain Controller".
3. Click Next, and then repeat until the Domain Controller issues the certificate.
Another method for troubleshooting SSL is to go to the DC and run the following command:
C:\>netstat -an | find /i "636"
If the server is listening for requests on port 636, the following response appears:
TCP    0.0.0.0:636    0.0.0.0:0    LISTENING
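The browser test above only tells you whether the Security dialog appears. The following PowerShell function is an added example (not from the HP guide or the Onboard Administrator firmware) that performs the same check from any Windows client: it connects to port 636 on a Domain Controller, completes a TLS handshake, and reports the certificate the DC presents together with its validity dates and any chain-validation errors. The host name dc01.example.com is a placeholder.

```powershell
# Added example (not from the HP guide). Opens a TCP connection to port 636 on a
# Domain Controller, performs a TLS handshake and reports the certificate the DC
# presents. $DcName is a placeholder for your DC's fully qualified name.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $DcName,
        [int] $Port = 636
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($DcName, $Port)
    } catch {
        # Nothing is listening on 636 (or the host is unreachable): the equivalent
        # of the "page cannot be displayed" result in the browser test.
        return [pscustomobject]@{ Host = $DcName; Port = $Port; Listening = $false; Error = $_.Exception.Message }
    }

    # Record chain-validation errors instead of aborting the handshake, so the
    # certificate can still be reported when it is self-signed or not yet trusted.
    $script:LdapsChainErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:LdapsChainErrors = $sslPolicyErrors
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($DcName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $now  = Get-Date
        [pscustomobject]@{
            Host        = $DcName
            Port        = $Port
            Listening   = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            DateValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            ChainErrors = $script:LdapsChainErrors
        }
    } catch {
        # Port is open but the TLS handshake failed, for example because no
        # server certificate has been issued to the DC yet.
        [pscustomobject]@{ Host = $DcName; Port = $Port; Listening = $true; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Usage (placeholder host name):
Test-LdapsEndpoint -DcName 'dc01.example.com' | Format-List
```

A result with Listening = $false corresponds to the "page cannot be displayed" case; Listening = $true with an Error corresponds to a DC that accepts the TCP connection but has no usable certificate. DateValid and ChainErrors are worth checking from the Onboard Administrator's point of view too, because, as the guide notes later on this page, certificates are date sensitive and the OA must have the correct time.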
One possible problem is that the domain controllers have not auto-enrolled. The DCs can take
up to 8 hours to auto-enroll and get their certificates issued, because Microsoft uses Group Policy
(GPO) to make the DCs aware of the newly installed CA. You can force this by running DSSTORE -pulse
on the DCs (the tool is located in the Windows 2000 Resource Kit). Auto-enrollment is triggered by
winlogon, so for it to function you must log off and then log on again. The certificates appear
automatically in the CA's Issued Certificates list. Make sure the CA is not listing them under
Pending Certificates. If it is, change the CA to issue certificates automatically when a request
comes in. If the auto-enrollment feature still does not function, request the certificate manually:
1. On the Domain Controller, open MMC, and then add the Certificates snap-in (Computer Account).
2. Navigate to Personal, and then right-click the folder.
3. Click Request New Certificate, and then click Next.
4. Enter a name for the certificate.
If an RPC error occurs, make sure that the CA is listed in DNS and that the CA service is running.
If the wizard does not start, force the server to see the CA and then run the wizard again.
To speed up the GPO process and make the DCs acknowledge the CA, use one of the following
commands:
Windows 2003: Gpupdate /force
Windows 2000: Secedit /refreshpolicy machine_policy /enforce
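The auto-enrollment steps above end with a certificate in the DC's computer Personal store. The following script is an added example (not from the HP guide) for checking, on the Domain Controller itself, whether that has happened: it lists certificates in Cert:\LocalMachine\My that have a private key, carry the Server Authentication EKU and are currently within their validity period, and it checks whether anything is listening on port 636. It assumes Windows Server 2012 or later, since Get-NetTCPConnection is not available on the Windows 2000/2003 systems the guide targets; on those systems use the netstat command shown earlier.

```powershell
# Added example (not from the HP guide). Run on the Domain Controller.
function Get-LdapsCandidateCertificate {
    $now           = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth
    $templateOid   = '1.3.6.1.4.1.311.20.2' # Certificate Template Name (v1 templates such as DomainController)

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    } | ForEach-Object {
        # Report which template issued the certificate, if the extension is present.
        $tpl     = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        $tplName = if ($tpl) { $tpl.Format($false) } else { '(none)' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Template   = $tplName
            Thumbprint = $_.Thumbprint
        }
    }
}

function Test-LdapsListener {
    # Same check as: netstat -an | find /i "636"
    $listener = Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue
    return [bool]$listener
}

$certs = @(Get-LdapsCandidateCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable server-authentication certificate in Cert:\LocalMachine\My; auto-enrollment has not completed.'
} else {
    $certs | Format-Table -AutoSize
}
"Port 636 listening: $(Test-LdapsListener)"
```

If no candidate certificate is listed, check the CA's Pending Certificates as described above before requesting one manually. On current Windows versions, certutil -pulse triggers auto-enrollment in the same way that DSSTORE -pulse did from the Windows 2000 Resource Kit, and Gpupdate /force still refreshes Group Policy.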
Make sure that the Onboard Administrator has all the network settings specific to your network
(such as DNS) and that its time and date are correct (certificates are date sensitive). Make sure
that the Onboard Administrator can reach the DNS server (by pinging it from the Onboard
Administrator CLI).
If LDAP is enabled while booting into Lost Password mode, the local Administrator password is
reset, LDAP is disabled, and local login is re-enabled.
If the nested groups function is not displayed properly, verify the Domain Functional Level.
Windows 2000 and Windows 2003 domain controllers are placed by default in the Windows 2000 mixed
functional level, and at that level you cannot add or nest local groups.
180 Enabling LDAP Directory Services Authentication to Microsoft Active Directory