locked
Cloud Connector error. Write Error Root CA RRS feed

  • Question

  • Installing an HA cloud connector site. First connector installed fine, but have an extra machine on the topology. During the publish-ccappliance I got this:

    WARNING: Machine MediationSrv02.domain.net from the current topology has been removed from the topology you are now publishing. This machine was not found in Active Directory and will result in errors as publish attempts to remove the Skype for Business Server attributes from the machines in Active Directory. WARNING: "Publish-CsTopology" processing has completed with warnings. "1" warnings were recorded during this run.

    mediationsrv02 is for the second cloud connector appliance (the one that won't install at all). Not sure where it got that name from. Besides this, the first appliance has an extra machine called "mediationserver.domain.net). that name is not declared in the INI file, not sure where it came from. The mediation server is called Mediationsrv01.domain.net, so I'm not sure where the mediationserver.domain.net came from. 

    on the second appliance, I get this error when trying to install-ccappliance:


    CheckRootCA : There are existing appliance(s) deployed in current topology, but the root CA doesn't exist in shared folder. Please run 'Publish-CcAppliance' on existing appliance(s) and then run this cmdlet again on current appliance. At C:\Program Files\WindowsPowerShell\Modules\CloudConnector\Install-CcInstance.ps1:199 char:9 + CheckRootCA $MediationServers + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,CheckRootCA

     

     needless to say I have already ran the publish-ccappliance on the first appliance.

    Any suggestions would be appreciated.

    Thanks.

    FR

    Tuesday, July 11, 2017 8:34 PM

Answers

  • Hi devo,

    It seems like a certificate issue that the certificate of Edge Server cannot be saved to file share according to the error message.

    May I know how did you set the path for the external Edge certificate on both appliances? Did you define the certificate target, either EdgeServer or MediationServer?

    And did you define certificate paths saved in "C:\ProgramData\CloudConnector\module.ini"?
    ExternalCertificateFilePath.
    GatewayCertificateFilePath.

    Please take a look at following link.
    Skype for Business Cloud Connector Version 1.4.2 Release- Improvements in 1.4.2
    https://blogs.technet.microsoft.com/sfbhybridvoice/2017/03/20/skype-for-business-cloud-connector-version-1-4-2-release/


    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by henghenghahi Monday, July 31, 2017 9:33 AM
    • Proposed as answer by henghenghahi Friday, August 11, 2017 11:18 AM
    • Marked as answer by devo Monday, August 14, 2017 1:57 PM
    Monday, July 31, 2017 9:32 AM

All replies

  • Hi devo,

     

    May I know how do you add an appliance to an existing site?

     

    We need to run the Register-CcAppliance cmdlet on newly added host server, and then run Publish-CcAppliance cmdlet to update the topology on existing appliance, finally run Install-CcAppliance cmdlet only on newly added host server.

     


    Wednesday, July 12, 2017 10:11 AM
  • Hello Molly.

    that's what we are doing. Still, I have the same error on second appliance...

    Wednesday, July 12, 2017 3:54 PM
  • Hi devo,

    Please confirm that the site directory exists and is correctly configured for HA support. If you are deploying High Availability (HA) for the site, make sure set the Site Directory to the same location on each host server within the site, and the shared folder that is accessible by the second host server in the same site.

    Also, please check Configure and DNS record.


    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, July 14, 2017 11:59 AM
  • Molly. thanks so much for the reply.

    I do have the same sharefolder name in the .ini file....burt I'm not 100% sure what you mean by:

    Please confirm that the site directory exists and is correctly configured for HA support. If you are deploying High Availability (HA) for the site, make sure set the Site Directory to the same location on each host server within the site, and the shared folder that is accessible by the second host server in the same site.


    Tuesday, July 18, 2017 8:43 PM
  • Molly....ignore previous reply. I followed the instructions on preparing the first appliance. Sitedirectory set as a share on the main appliance.  I double check the share was reachable from the second (HA) appliance.

    Deployed the connector, no errors. Ran the publish-ccAppliance command, no errors.

    On secondary Appliance ran the register-ccAppliance, no errors

    When I run publish-ccappliance, still getting the same error stated on the opening of this thread.

    suggestions? thanks in advance!

    Tuesday, July 18, 2017 11:06 PM
  • Hi devo,

    Based on my research, I would suggest you:

    1.Check whether the current version of two appliances is version 1.4.2.

    2.Check the external Edge certificate and the external PSTN gateway/SBC certificate in shared folder:

    If you have updated to Cloud Connector version 1.4.2, make sure your prepared external certificate contains private keys and the full certificate chain including the root CA certificate and the intermediate CA certificates.

    If you have NOT yet updated to Cloud Connector version 1.4.2, make sure your prepared external certificate contains private keys. This external certificate must be issued by a Certificate Authority that is trusted by Windows by default.

    3.Launch Tenant Remote PowerShell using your Skype for Business tenant admin credentials, then run the following cmdlet to check whether the second appliance has been registered.

    Get-CsHybridPSTNAppliance



    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 19, 2017 7:40 AM
  • Hello Molly. Thanks so much for helping out.

    I completely removed Cloud Connector and now working on a fresh 1.4.2 install. When Installing the first appliance I get this error:

    Save C:\cce\ApplianceRoot\Cache\Certificates\Internal\SfB CCE Root.p12 to file share \\10.10.110.27\cce\SiteRoot\CA. Install-InccInstance : C:\cce\ApplianceRoot\Cache\Certificates\Internal\SfB CCE Root.p12 doesn't exist. At C:\Program Files\WindowsPowerShell\Modules\CloudConnector\Install-CcInstance.ps1:244 char:5 + Install-InccInstance -Config $config -SkipExistingObjects $SkipExistingObjec ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-InccInstance

     

     

    The certificate is not being copied to the shared folder..that's wha I get the error on the second appliance.

    can't find any reason or further error information for this.

    Wednesday, July 26, 2017 4:39 PM
  • Hi devo,

    It seems like a certificate issue that the certificate of Edge Server cannot be saved to file share according to the error message.

    May I know how did you set the path for the external Edge certificate on both appliances? Did you define the certificate target, either EdgeServer or MediationServer?

    And did you define certificate paths saved in "C:\ProgramData\CloudConnector\module.ini"?
    ExternalCertificateFilePath.
    GatewayCertificateFilePath.

    Please take a look at following link.
    Skype for Business Cloud Connector Version 1.4.2 Release- Improvements in 1.4.2
    https://blogs.technet.microsoft.com/sfbhybridvoice/2017/03/20/skype-for-business-cloud-connector-version-1-4-2-release/


    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by henghenghahi Monday, July 31, 2017 9:33 AM
    • Proposed as answer by henghenghahi Friday, August 11, 2017 11:18 AM
    • Marked as answer by devo Monday, August 14, 2017 1:57 PM
    Monday, July 31, 2017 9:32 AM
  • Hello Molly.

    just a quick update. After publishing the first appliance and running the "install-CCappliance" I was getting the error noted before. The next day I came in and re-ran the command and worked without problems. Seems like there is a "delay" or time to wait for the publishing of the first appliance to actually spread or settle. 

    I ran the publish-ccappliance again and the certificate was exported properly and I was able to install de HA unit.

    thanks for your support!!

    Monday, August 14, 2017 1:56 PM
  • Hi devo,
     
    Thank you for your sharing. Glad to see the issue has been resolved by yourself!
     
    Have a nice day!


    Best Regards,

    Molly Wu
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 15, 2017 12:05 PM