Powered by
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
J.C. Hornbeck
DPM Certificate Troubleshooting–Part 3: Certificates
Hello, Shane Brasher here once again, following up
with Part 3 of “DPM Certificate Authentication Troubleshooting”.
In this session we will go over some common symptoms you may see if the certificate is missing or is invalid. This is assuming that after you have installed the certificate, run all the proper commands and even have protection group set up, then later something has happened to the certificate itself.
Member Server with its certificate missing
This error is what you will likely see if AFTER cert protection is setup is done and then the cert is missing or corrupt.
DPM Management Tab-Agent status
MemberServer Application Alerts—Event ID 85
MemberServer DPMRACurr.errlog
****************************
5BD3AD20-B2AF-4D1F-95B6-B WARNING Failed: Hr: = [<font color="#ff92004] : Error locating certificate with thumbprint 2ba53e0056bdde64a7fca789c62abd72a3f57610
5BD3AD20-B2AF-4D1F-95B6-B WARNING Failed: Hr: = [0x] : Encountered Failure: : lVal : CertificateUtil::GetCertificateContext(hCertStore, ssThumbprint, &pCertContext)
WARNING Failed: Hr: = [0x] : Error locating certificate with thumbprint 2ba53e0056bdde64a7fca789c62abd72a3f57610
WARNING Failed: Hr: = [0x] : Encountered Failure: : lVal : CertificateUtil::GetCertificateContext(hCertStore, ssThumbprint, &pCertContext)
WARNING OuterException of type System.InvalidOperationException from Method = GetCertificateFromStoreCore
WARNING Exception Message = Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '2ba53e0056bdde64a7fca789c62abd72a3f57610'.
Note: The highlighted portion shows that there is an issue with finding the thumbprint for the certificate.
Member Server DPM CPWrapper Log—Cert is missing and the CP Wrapper Service restarted.
******************************
WARNING Exception Message = Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '2ba53e0056bdde64a7fca789c62abd72a3f57610'.
WARNING Exception Stack = at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
WARNING Caught unhandled exception : System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '2ba53e0056bdde64a7fca789c62abd72a3f57610'.
CRITICAL Exception Message = Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '2ba53e0056bdde64a7fca789c62abd72a3f57610'. of type System.InvalidOperationException, process will terminate after generating dump
Also if the Protected server cert if removed upon a reboot or the restart of the DPM CPWrapper service you may see the following error.
Solution: If the member server has it’s certificate missing then the following will need to be done.
1.) If the cert is backed up to a safe location, import the certificate into the proper computer\personal store and restart the DPMCPWrapper service. If you do not have a backup of the certificate then proceed to the next step.
2.) Request a new certificate making sure to specify the correct cert attributes and that it is placed into the computer\personal store.
3.) Re-run the SetDPMServer commands to recreate the memberserver bin file. Copy the bin file to the DPM server. Once done re-run the Attach-ProductionServerWithCertificate.ps1 on the DPM server. Please reference the resource link below.
Important: There may be times to where you may still have to reboot both the member server and the DPM server.
DPM Server With Missing Cert
This scenario will go over symptoms when the DPM server certificate is missing.
If the DPM server is missing its certificate then you will see this in the DPM gui on the agent refresh.
DPM Monitoring tab
******************
Note the 3301 error which means the certificate is invalid.
DPM Alerts Event Log
******************
Note: The 33301 equates to the certificate is invalid.
MSDPMCurr.errlog snippet
***********************
cmdprocforcertificate.cpp(331) [F4F50] WARNING CCommandProcessor::SendOutboundCommandUsingCertificate failed for Server:
WARNING ConfigureProtection.OnFailure.AADeactivationBlock.RAForRead.PT : RADeleteWorkItem, StatusReason = Timeout (StatusCode = -, ErrorCode = WCFClientCertificateInvalid, workitem = a1e5773c-a587-4788-a7fb-622f6bf7341e)
5A0AC966-C3A0-4D24-95FF-E96FD0DE04DA WARNING CheckTimeoutMessage: code[0x], detailedCode[0x], errMgs[Unknown error (0x<font color="#ff09) (0x)]
5A0AC966-C3A0-4D24-95FF-E96FD0DE04DA WARNING &ErrorInfo ErrorCode=&<font color="#ff& DetailedCode=&-& DetailedSource=&2& ExceptionDetails=&& xmlns=&/2003/dls/GenericAgentStatus.xsd&&
5A0AC966-C3A0-4D24-95FF-E96FD0DE04DA WARNING &Parameter Name=&machinename& Value=&& /&
5A0AC966-C3A0-4D24-95FF-E96FD0DE04DA WARNING &Parameter Name=&exceptionmessage& Value=&Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue '994b424d93fc08e4fe88c7ee095cda'.& /&
DPMCPWrapperServiceCurr.errlog
=============================
This may be seen upon restarting the DPMCPWrapper service if the cert is missing.
everettexception.cpp(761) CRITICAL Exception Message = Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindByThumbprint', FindValue 'c8ccf847ae8d319691feea1d6f796f0d67fdc7c4'. of type System.InvalidOperationException, process will terminate after generating dump
Note the message in regards to generating a dump. This dump (crash log) will be located in the following directory: %Program Files%\Microsoft System Center 2012\DPM\DPM\Temp. The dump file will have a name of “DPMCPWrapperServiceCurr.errlog._18_06_16.Crash
Solution: If the DPM Certificate is missing, then please follow the steps below.
1.)If the cert is backed up to a safe location, import the certificate into the proper computer\personal store and restart the DPMCPWrapper service. If you do not have a backup of the certificate then proceed to the next step.
2.)Request a new certificate for the DPM server making sure to specify the correct cert attributes and that it is placed into the computer\personal store.
3.) Re-run the SetDPMCredentils commands to recreate the DPM bin file. Copy the bin file to the member server. Once done re-run the SetDPMServer command on the member server to generate this bin file. Copy the member server bin file to the DPMserver.
4.) On the DPM server re-run the Attach-ProductionServerWithCertificate.ps1 command.
Please reference the resource link below.
Important: This is considered a very bad situation. As if you have many servers you are protecting via certificate based authentication and the DPM cert is missing, it will be like starting all over again. You will have to:
a.) Generate the DPM bin file
b.) Copy it to each server that you were protecting via cert authentication.
c.) run the setdpmserver command
d.) take each server bin file to the DPM server.
e.) on that DPM server run the attach command.
This will have to be done for each server that you are protecting with certificate authentication. Naturally if you are protecting 100 servers via cert then this can be very labor intensive.
As a precautionary measure I strongly suggest that you export your DPM and member server certificates and save them in a safe location.
Expired Certificate
MemberServer Cert Expired
If the certificate has expired on the protected server then you will see the following errors.
DPM Management Tab-Agent Status
DPM Monitoring Tab
=================
DPMRACurr.errlog
================
415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD FATAL &Status xmlns=&/2003/dls/StatusMessages.xsd& StatusCode=&-& Reason=&Error& CommandID=&RAReadDatasetDelta& CommandInstanceID=&80b-4a64-bea0-1c661101dbe5& GuidWorkItem=&856c0da1-fad7-46ba-a215-db95b90de630& TETaskInstanceID=&415bf1bd-04ef-486c-a8d0-0c6a8e8e0bbd&&&ErrorInfo xmlns=&/2003/dls/GenericAgentStatus.xsd& ErrorCode=&& DetailedCode=&-& DetailedSource=&2&&&Parameter Name=&AgentTargetServer& Value=&&/&&/ErrorInfo&&RAStatus&&RAReadDatasetDelta xmlns=&/2003/dls/ArchiveAgent/StatusMessages.xsd& BytesTransferred=&0& NumberOfFilesTransferred=&0& NumberOfFilesFailed=&0& DataCorruptionDetected=&false&/&&/RAStatus&&/Status&
415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Failed: Hr: = [<font color="#ff90328] : Encountered Failure: : lVal : hr
415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Logging event for error: 33302, detailed: 0xa61590
415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Failed: Hr: = [0x] CCmdProcEvent::GetEventId: unexpected errorCode: detailed hr: 0x00a61540
Note: The error codes - and 0x basically translates to
SEC_E_CERT_EXPIRED
# The received certificate has expired.
The error code 33302 is the service authentication failed.
DPM SERVER with Cert Expired
If the certificate has expired on the DPM server the you will see an error like this.
DPMRCurr.errlog
ExceptionPolicy.cs(169) WARNING InnerException of type System.IdentityModel.Tokens.SecurityTokenValidationException from Method = Build
02F8 094C 05/02 17:32:29.282 04 ExceptionPolicy.cs(174) WARNING Exception Message = The X.509 certificate CN= chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
02F8 094C 05/02 17:32:29.282 04 ExceptionPolicy.cs(174) WARNING Exception Stack = at System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
02F8 094C 05/02 17:32:29.282 04 cmdprocforcertificate.cpp(232) [B6FB90] 415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Failed: Hr: = [0x] pDpmCmdProcObject-&SubmitResponse failed on server , hrOriginal = 0x, No further retry
02F8 094C 05/02 17:32:29.282 04 cmdprocforcertificate.cpp(331) [B6FB90] 415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING CCommandProcessor::SendOutboundCommandUsingCertificate failed for Server:
02F8 094C 05/02 17:32:29.282 04 cmdproc.cpp(2631) [B6FB90] 415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Logging event for error: 33302, detailed: 0xa61590
02F8 094C 05/02 17:32:29.282 04 events.cpp(89) [A2FF90] 415BF1BD-04EF-486C-A8D0-0C6A8E8E0BBD WARNING Failed: Hr: = [0x] CCmdProcEvent::GetEventId: unexpected errorCode: detailed hr: 0x00a61540
DPM DPMCPWrapperServiceCurr.errlog
CertificatesHelper.cs(498) NORMAL Certificate with subject: CN= and thumbprint: 02EDED5EF19163ED1 is not valid
0AD0 0C3C 05/02 18:07:28.110 09 CertificatesHelper.cs(503) WARNING Flags = NotTimeValid, Info = A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
0AD0 0C3C 05/02 18:07:28.110 09 CertificatesHelper.cs(166) WARNING The certificate with subject: CN= is not trusted
DPM CPWrarpper Error logs codes
For Client related errors (33300 – 33302) refer to dpmra*.errlog or msdpm*.errlog.
For service side errors (33303 – 33304) look up failures in dpmcpwrapperservice*.errlog
For PKI related issues, the Crypto API Event log is a very useful way to figure out what went wrong during certificate validation. This event log is available from Windows Vista onwards.
Configuration Step Errors
33231 : Certificate not found in Personal Store of “LocalMachine” StoreLocation.
33232 : Exception trying to locate a certificate.
33233 : Exception encountered trying to validate certificate.
33234 : The certificate is invalid.
33235 : Error trying to add a firewall rule.
33236 : Error trying to configure DpmCPWrapperService.
33237 : The generic fall back error.
33241 : No .NET 3.5 SP1 detected on the machine (seen only by SetDpmServer.exe).
Errors during business continuity
33300: Configuration errors in the WCF Client config file. (dpmra.exe.config or msdpm.exe.config).
33301: Client certificate is invalid.
33302: The service authentication failed.
33303: The client was not authorized by the service.
33304: The WCF Service is in a bad state. Some possible reasons can be:
a.) Service not running on the remote peer.
b.) Crash in the WCF Service.
c.) WCF unresponsive to client requests leading to Timeouts.
d.) Generic communication failures.
e.) Authentication failure of the client on the service side.
f.) Missing Registry keys
Conclusion: It is imperative that your Certificate infrastructure is extremely solid with a good connection to the CRL for both the DPM server and the member server. In addition there needs to be a stable link between the DPM server and the member server. Once the certs are in place they should be left alone and not need to be altered in any manner. Of course its best to be prepared with a contingency plan should things go awry. As mentioned earlier, its suggested to export your certificates for safe keeping should you have to recover from a missing certificate.
Appendix A
CAPI2 Event Logging
If you are facing repeated authentication failures, refer CAPI2 event viewer logs on both DPM and protected computer. This is not enabled by default. To enable it navigate to:
Event Viewer\Applications and Service Logs\Microsoft\CAPI2
Then right click on “Operational” and select “Enable Log”.
Once done reproduce the problem.
Going into the details of the properties we can see:
This tells us the CRL server cannot be reached.
4.) Make sure the DPM CPWrapper Service is started and set to “Automatic”. If it is not, then restart the service and test your Attach then OR your connectivity via cert usage.
Additional Resources
Microsoft Root Certificate Program :
How to use certificates to authenticate computers in workgroups or untrusted domains with Data Protection Manager :
Shane Brasher | Senior Support Escalation Engineer
Get the latest System Center news on
App-V Team blog:
ConfigMgr Support Team blog:
DPM Team blog:
MED-V Team blog:
Orchestrator Support Team blog:
Operations Manager Team blog:
SCVMM Team blog:
Server App-V Team blog:
Service Manager Team blog:
System Center Essentials Team blog:
WSUS Support Team blog:
The Forefront Server Protection blog:
The Forefront Endpoint Security blog :
The Forefront Identity Manager blog :
The Forefront TMG blog:
The Forefront UAG blog:
Your comment has been posted. &
Thank you, your comment requires moderation so it may take a while to appear. &
Leave a Comment详解System Center大管家如何打理企业IT
&&& DPM 2007备份SQL&&& DPM 2007是System Center的成员之一，它的设计目的是帮助IT专业人员管理Windows Server架构。产品最早于2006年9月发布，现在推出了Beta 2版本，DPM 2007为Windows备份与恢复建立了新的标准——通过在DPM服务器上无缝集成第二块硬盘和磁带方案，为微软应用程序和文件服务器提供持续的数据保护。DPM利用先进技术确保了各种规模的企业可以实现快速而可靠的数据恢复。高级SQL Server 设置&&& 微软设计的DPM 2007为Microsoft SQL Server提供了最全面的备份和最可靠的恢复。DPM 2007关注于微软服务器的主要工作负荷，特别为保护和恢复SQL Server，Microsoft ExchangeServer、SharePoint Portal Server、Microsoft Virtual Server以及Windows文件服务而创建。此外，DPM 2007结合了持续数据保护（CDP）与传统磁带备份的最佳特性。DPM 2007在DPM服务器上为核心微软服务器工作负荷提供持续的保护，通过基于磁盘的恢复和基于磁带的长期归档存储，提供了完整的数据保护和恢复解决方案。高级SQL Server 设置&&& DPM 2007 专为数据库管理员或者IT 专家而设计。DPM 采用与用户访问数据相同的关联方式提供数据保护。在DPM 2006 中，通过“数据保护向导”选择文件共享即可实现对文件服务器的保护。在DPM 2007 中，SQL Server 数据库和Exchange 存储组采用了同样的选择和保护方式。&&& 这次DPM不仅仅能备份Windows系统，还可以备份SQL，当然保护和恢复Windows系统也是它的职责所在，不过具体的配置和应用现在可查内容还不多，我们还得再等等。&&&& 今天与大家一起分享了System Center这个IT大管家里“仆人们”的名称和职责。企业需要更优的IT管家来管理庞大的数据。
第5页：DPM 2007备份SQL
DellVostro成就VS是成就系列全新产品，严格...[]
如今智能手机上照片处理应用多如牛毛，很多应用甚至...[]
对于很多企业用户来说，一款专业的高端全彩商务好手...[]
很多政府机构、机关单位乃至企业每天都要面对海量文...[]
华为荣耀6Plus采用5.5英寸TFT材质的1080P多点触控电...[]
如果想在怀孕期间聆听宝宝声音怎么办？现在有了专门...[]
热门文章排行榜
& & & & & & & & & &VMware vSphere 5.1 群集深入解析（十六）-DPM介绍 - 谷普下载 |
| 您所在的位置： >
> VMware vSphere 5.1 群集深入解析（十六）-DPM介绍VMware vSphere 5.1 群集深入解析（十六）-DPM介绍编辑：心海恋&&&&来源：gpxz&&&&更新：&&&&人气：加载中...&&&&字号：|标签：&&&&&&&&&&&&
DRS（分布式调度）第七章 DPM在VI3.5环境中，引入了分布式电源管理（DPM）。DPM供给了通过动态调整来匹配虚拟机需求，以达到节省电力的目的，DPM自动整合虚拟机到较少的ESXi主机上，并对一定周期内资源利用率低的多于ESXi主机执行断电，如果资源需求增加，ESXi主机重新通电回到，虚拟机重新分配到群集内所有可用的ESXI主机上。开启DPMDPM默认是被禁用的，你可以在选择电源管理模式手动或者自动的时候开启，DRS必须作为DPM的先决条件，，因为DPM依赖于DRS迁移群集内的虚拟机。图89：DPM设置电源管理自动级别DPM能设置成手动或者自动模式，群集内所有的主机将继承默认群集设置，但DPM设置最好在主机级别配置，主机级别设置可以覆盖群集的默认设置。一个原因说明覆盖默认群集DPM，那就是虚拟机模板的位置，在主机关闭之前，DPM影响DRS迁移其上所有的虚拟机，的模板不会被，这意味着模板位于ESXi主机待机模式下，而我们无法访问主机处于待机模式下的模板。基本原则在主机上注册了虚拟机模板，请关闭其DPM功能。每个电源管理模式操作区别：禁用：无电源建议通知手动：产生电源建议，用户必须手动确认建议自动：产生电源建议，并且不需要用户介入，自动执行建议DRS和DPM管理模式是不同的，可以彼此区分：当DRS设置成自动模式，DPM可以设置成手动，反之亦然，当DRS和DPM生成建议，每个管理模式的组合导致不同的行为，如虚拟机的初始位置，迁移建议和操作。请记住，一定的组合，虽然有效，但没有太大的意义实现。表22：DPM和DRS组合DPM的目标是保持在一个具体时间范围内的群集的使用率，但同时考虑各种群集设置，当产生DPM建议时，需要考虑虚拟机设置和需求。当DPM已经断定了主机需要处理的资源需求最大值和虚拟机的HA需求，在目标主机进入待机模式之前，它利用DRS去分配虚拟机位置。本文出自 “virtualbox” ，请务必保留此出处
评论列表（网友评论仅供网友表达个人看法，并不表明本站同意其观点或证实其描述）
分类选择您可能在找这些预拌砂浆抹灰 DPM5.0 散装(干拌)价格
北京北京市
北京德力克斯建筑材料有限公司
预拌1:2水泥抹灰砂浆
1:2水泥砂浆
天津天津市
天津市天狗装饰化工有限公司
干混抹灰砂浆
浙江杭州市
杭州晨宇建材有限公司
干混抹灰砂浆
浙江杭州市
杭州天翔新型建材有限公司
抹灰砂浆DP20 袋装
北京北京市
北京吉泰峰新型建筑材料制作有限公司
干拌抹灰砂浆
广东深圳市/
干拌抹灰砂浆
广东深圳市/
干拌抹灰砂浆
广东深圳市/
干拌抹灰砂浆
广东深圳市/
干拌抹灰砂浆
广东深圳市/
干粉 外墙找平砂浆
干粉 外墙找平砂浆
干粉 外墙找平砂浆
干粉 外墙找平砂浆
干粉 外墙找平砂浆
相关供应商推荐
主营材料：水泥砂浆
主营材料：
主营材料：胶黏剂 通用涂料
主营材料：
主营材料：
主营材料：普通混凝土
主营材料：水泥砂浆
主营材料：水泥砂浆 特种砂浆 其它砂浆
相关材料价格推荐
预拌砂浆抹灰 DPM5.0 散装(干拌)价格相关推荐：
使用造价通：轻松解决预拌砂浆抹灰 DPM5.0 散装(干拌)材价相关四大问题
材料查价问题
国标智能分类，预拌砂浆抹灰 DPM5.0 散装(干拌)市场价、信息价、参考价、行情趋势、供应商报价应有尽有。
材料询价问题
询价圈大量专业预拌砂浆材料工程师团队,即时为您解答预拌砂浆抹灰 DPM5.0 散装(干拌)相关询价问题，让您省时又省心！
储存与安全问题
大数据、云存储、云管理、云安全技术，完美解决信息被盗、商机外漏等风险。时时护航预拌砂浆抹灰 DPM5.0 散装(干拌)相关材价数据储存及安全问题。
成本控制问题
一站式数据管理模式,可降低企业成本80%以上.有效解决企业人力,时间,系统自建,数据管理,信息风险以及相关预拌砂浆抹灰 DPM5.0 散装(干拌)材价数据等成本问题。
价格常见问题
什么是、、？
网站常见问题