1
00:00:08,170 --> 00:00:16,300
Trouble shooting a disease begins with the built in tools that give administrators a detailed view into

2
00:00:16,300 --> 00:00:20,280
the current conditions of ADC s role services.

3
00:00:20,500 --> 00:00:29,500
The following list describes a few tools that you can use cert snap in use this snap in to view and

4
00:00:29,530 --> 00:00:39,860
manage certificates two hours for a computer user or service because I view DOD MSE use this console

5
00:00:39,860 --> 00:00:51,430
to monitor multiple C CRL and area locations and to manage ADC as objects that are published to aided

6
00:00:51,500 --> 00:00:55,790
years certification authority council.

7
00:00:56,100 --> 00:01:05,490
Use this console to administer a C and to revoke and enroll a certificate their certification authority.

8
00:01:05,490 --> 00:01:15,270
Council also allows you to manage the certificate templates that are available on a C the next tool

9
00:01:15,270 --> 00:01:18,800
is sort to your teal dot the exit.

10
00:01:18,810 --> 00:01:27,990
Use this command line tool to display C configuration information to configure ADC s and to back up

11
00:01:27,990 --> 00:01:38,730
and restore C components and to verify certificates key bearer or sound certificate change certificate

12
00:01:38,760 --> 00:01:48,410
templates snapping using SNAP in to analyze and manage the certificate templates in ADR sound to configure

13
00:01:48,420 --> 00:01:52,210
their permissions and other worry parvo.

14
00:01:52,230 --> 00:02:02,010
Powerful tool is Windows power Shell of course you can use only ADC s deployment and ADC as administration

15
00:02:02,370 --> 00:02:12,280
and pick UI modules in Windows power shell as their replacement or complement to the tools listed above.

16
00:02:13,520 --> 00:02:20,540
By taking advantage of Windows power shell module functionality you can rights groups to automatically

17
00:02:20,540 --> 00:02:31,510
test and verify your ADC as configuration and another tool is the group policy management council and

18
00:02:31,840 --> 00:02:41,290
Jabil result don't exceed tools they can be help and they can help you verify the correct application

19
00:02:41,290 --> 00:02:51,780
of group policy so objects and with them in which configure auto enrolment or other PGI related settings.

20
00:02:51,790 --> 00:03:01,040
Now let's review the Common ADC s issues the following list describes common ADC US issues that you

21
00:03:01,040 --> 00:03:09,880
can might that you might encounter users saw computers do not automatically enroll for certificates

22
00:03:09,970 --> 00:03:19,240
as expected and the reasons could be because you enable auto enrolment through group policy and you

23
00:03:19,240 --> 00:03:26,880
should verify that the GPO is that enable auto enrolment for users and computers are a.

24
00:03:27,100 --> 00:03:35,770
Auto enrolment correctly and that the user a computer is not in an in an organizational unit where a

25
00:03:35,770 --> 00:03:43,120
policy inheritance has been blocked or overridden by another GPO.

26
00:03:43,330 --> 00:03:51,550
Both the user and computer must be enabled separately although both certain can reside in the same GPO

27
00:03:53,470 --> 00:04:00,540
then you should reverse verify that a disease is published is published in the certificate template

28
00:04:00,740 --> 00:04:06,230
to an enterprise C that can be accessed by the computer or user.

29
00:04:07,350 --> 00:04:15,120
Then you should verify that the computer or user have the request certificates permission on the CIA

30
00:04:15,420 --> 00:04:23,850
and to the alternate route permission on the certificate template in question and finally you should

31
00:04:23,850 --> 00:04:31,980
verify that the requested certificate template does not require information that ADT s cannot supply

32
00:04:31,980 --> 00:04:43,150
automatically and other common issue is that you cannot configure auto enrolment permissions on a template

33
00:04:43,630 --> 00:04:51,910
for you to configure auto enrolment against a certificate the template must be version to or later and

34
00:04:52,240 --> 00:05:01,170
you can only add version to templates to a C that is running Windows Server 2000 aid enterprise or later

35
00:05:02,800 --> 00:05:07,780
next one is the Enterprise C option is unavailable.

36
00:05:07,780 --> 00:05:15,340
This occurs when a user who is not a member of the enterprise segments or domain admins group installs

37
00:05:15,470 --> 00:05:17,500
AC as such.

38
00:05:17,620 --> 00:05:21,590
The C must not install as an enterprise c.

39
00:05:21,670 --> 00:05:29,800
In this case the enterprise C option is unavailable and information about the C can not automatically

40
00:05:29,800 --> 00:05:33,930
published to aid it is the next issue.

41
00:05:33,980 --> 00:05:39,230
You receive an error when accessing C weapon Roman pages.

42
00:05:39,230 --> 00:05:42,760
This secures while accessing C pages.

43
00:05:42,830 --> 00:05:50,580
In this case you should ensure that the user is a member of the administrator or a sound or power user

44
00:05:50,660 --> 00:05:54,750
group on the client computer.

45
00:05:54,830 --> 00:05:59,720
The next issue is that the enrollment agent is a restricted.

46
00:05:59,720 --> 00:06:09,430
This occurs when an enrollment agent can not enroll on behalf of a user for a specific certificate template.

47
00:06:09,440 --> 00:06:17,720
This might a cure because of the restrictions that were configure tell the enrollment agent or the lack

48
00:06:17,720 --> 00:06:25,490
of enrollment permissions on the certificate template some words about troubleshoot and will addition

49
00:06:25,510 --> 00:06:34,470
issue all certificates have a well validity period after all the validity period expires.

50
00:06:34,480 --> 00:06:41,830
The certificate is no longer an accessible credential glam computer computers might not be able to connect

51
00:06:42,070 --> 00:06:51,370
to resources that require a certificate even a certificate validation problem secure ADC s services

52
00:06:51,370 --> 00:07:01,800
can stop or fail to run if problems solve for availability validity and chain validation for the C certificate

53
00:07:01,800 --> 00:07:14,510
a cure you can use PGI view tool to verify that the EIA and CRL said applications and certificates are

54
00:07:14,510 --> 00:07:15,100
well it.

55
00:07:15,680 --> 00:07:25,040
Additionally you can use the C is near being to install new certificates next up we'll be talking about

56
00:07:25,310 --> 00:07:27,620
renewing as C certificate.