none
Unable to modify Direct Access config

    Question

  • I've been playing around with setting up Direct Access with Server 2012.  I made a change to allow Windows 7 clients and selected an intermediate certificate authority.  I think I picked an incorrect intermediate CA...but now I cannot change the configuration.  When I launch the Remote Access Management Console, I get the message "Settings for the server myserver.mydomain.local cannot be retrieved.  The cmdlet did not run as expected."  I cannot modify any settings to fix the problem and cannot remove the role since the configuration exists.  Seems like it is just stuck.  Suggestions?

    Rob


    Rob

    Wednesday, June 20, 2012 2:40 PM

Answers

  • Hi,

    Can you try setting a new IPsec certificate using the Set-DAServer powershell cmdlet?

    Example usage:

    1. List root certificates using: "Get-ChildItem Cert:\LocalMachine\Root"
    2. Select the certificate you want: "$certificate = (Get-ChildItem Cert:\LocalMachine\Root)[IndexOfTheCertificateYouWant]
    3. Change the root certificate in the DA configuration: "Set-DAServer -IPsecRootCertificate $certificate"
    4. Now try to open the management console again.

    Let me know if this helps,

    Thanks,

    Yaniv

    • Marked as answer by Tiger Li Friday, June 22, 2012 5:27 AM
    Thursday, June 21, 2012 12:17 PM
  • Yaniv, that probably would have worked.  I ended up just starting over with a new VM.

    Rob

    • Marked as answer by Tiger Li Friday, June 22, 2012 5:27 AM
    Thursday, June 21, 2012 1:18 PM

All replies

  • Hi,

    Can you try setting a new IPsec certificate using the Set-DAServer powershell cmdlet?

    Example usage:

    1. List root certificates using: "Get-ChildItem Cert:\LocalMachine\Root"
    2. Select the certificate you want: "$certificate = (Get-ChildItem Cert:\LocalMachine\Root)[IndexOfTheCertificateYouWant]
    3. Change the root certificate in the DA configuration: "Set-DAServer -IPsecRootCertificate $certificate"
    4. Now try to open the management console again.

    Let me know if this helps,

    Thanks,

    Yaniv

    • Marked as answer by Tiger Li Friday, June 22, 2012 5:27 AM
    Thursday, June 21, 2012 12:17 PM
  • Yaniv, that probably would have worked.  I ended up just starting over with a new VM.

    Rob

    • Marked as answer by Tiger Li Friday, June 22, 2012 5:27 AM
    Thursday, June 21, 2012 1:18 PM
  • I had the exact same issue and your solution worked like a charm for me! Thanks!
    Thursday, September 06, 2012 12:31 PM
  • Same problem -- this fixed it! Thanks from me to!
    Tuesday, October 02, 2012 11:52 PM
  • Worked for me as well.
    Tuesday, November 20, 2012 9:56 PM
  • Yaniv,  

    This might be a silly question but what is the "[IndexOfTheCertificateYouWant]"? 
    Wednesday, November 28, 2012 5:50 PM
  • From the list returned from the first command just use the thumbprint of the one you want. For example if you wanted the MS Root (which you won't in practice) the first couple of commands would be as follows:

    PS P:\> Get-ChildItem Cert:\localMachine\Root
        Directory: Microsoft.PowerShell.Security\Certificate::localMachine\Root
    Thumbprint                                Subject
    ----------                                -------
    CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
    BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanvill...
    :
    :
    :
    PS P:\> $certificate = (Get-ChildItem Cert:\LocalMachine\Root\CDD4EEAE6000AC7F40C3802C171E30148030C072)
    PS P:\>


    Douks

    Thursday, November 29, 2012 9:54 AM
  • hi,

    same Problem here... i tryed that fix but  have ths error, iam a local admin, but no domain admin.

    Set-DAServer : Access is denied.
    At line:1 char:1
    + Set-DAServer -IPsecRootCertificate $certificate
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (PS_DAServer:root/Microsoft/...ess/PS_DAServer) [Set-DAServer], CimExc
       eption
        + FullyQualifiedErrorId : HRESULT 80070005,Set-DAServer

    solved... forgot to run the poweshell with admin rights...
    • Edited by HAL2012 Monday, January 14, 2013 10:15 AM
    Friday, January 11, 2013 3:38 PM
  • Yaniv, you are Genius.  Thanks

    Wednesday, March 06, 2013 12:25 PM
  •  There is now a hotfix for this issue

     http://support.microsoft.com/kb/2796394

    Monday, March 18, 2013 9:03 PM
  • Yaniv's fix is exactly what the doctor ordered. Worked like a charm.

    TIP FOR SAVING TIME: In Server 2012 we right-clicked on PowerShell and used RUN ISE AS ADMINISTRATOR. With PowerShell ISE when you start typing in a command it will display matching commands in a pop-up menu. Use your arrows or click on the one you want and press <enter> to accept. Worked especially well for typing in the long certificate index (thumbprint). ISE saved us a lot of typing.

    THANK YOU YANIV!

    Friday, January 31, 2014 7:24 PM
  • I have the exact same error

    when I run the command on PS as admin I get the following output

    Set-DAServer : The system cannot find the file specified.
    At line:1 char:1
    + Set-DAServer -IPsecRootCertificate $certificate
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (PS_DAServer:root/Microsoft/...ess/PS_DAServer) [Set-DAServer], CimExcep
       tion
        + FullyQualifiedErrorId : HRESULT 80070002,Set-DAServer

    anyone? :( please help

    we reinstall the server from a clean ISO (2012 R2) and still same result


    Tamir Levy

    Monday, March 03, 2014 4:09 PM
  • Worked like a charm, thanks.
    Saturday, March 22, 2014 4:54 PM
  • I also managed to solved the problem though not with the fixes you've mentioned

    what I did was adding the SPN - Cifs\[domainfqdn] to the domain controller machine account with ADS

    hope it helps


    Tamir Levy

    Thursday, March 27, 2014 7:46 PM