Set Up Your Domain Name wizard fails on Windows SBS 2011 Essentials

Article ID: 2657665 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

On a Windows Small Business Server 2011 Essentials, "Set Up Your Domain Name" wizard may fail with the following warning:

The domain name was not set up for your server. Wait a few minutes and run the wizard again. An unexpected or unknown problem occurred. Please wait a few minutes, and then try again.

SharedServiceHost-DomainManagerServiceconfig.log complains about the certificate as:
[11520] 111219.110731.9957: DomainManager:Service: CommitDomain failed with exception: DomainManagerFault:[Reason:CertificateNotTrusted, Message:Certificate is not trusted, Detail:Certificate of System.Security.Cryptography.X509Certificates.X500DistinguishedName is not a trusted certificate in this machine ]
[3348] 111219.110731.9957: DomainManager:CheckCertificateExpirationTask: CheckCertificateExpirationTask action called
[3348] 111219.110731.9957: DomainManager:CheckCertificateExpirationTask: Certificate expiration threshold: 30.00:00:00
[11520] 111219.110731.9957: DomainManager: Throwing FaultException with detail DomainManagerFault:[Reason:CertificateNotTrusted, Message:Certificate is not trusted, Detail:Certificate of System.Security.Cryptography.X509Certificates.X500DistinguishedName is not a trusted certificate in this machine ]
[3348] 111219.110731.9957: DomainManagerObjectModel: DomainMaintenanceManager ctor called. InstanceID=47664838
[3348] 111219.110731.9957: DomainManager:DefaultCertificateServiceProvider: IsCertificateNearExpiration called for domain SERVER with threshold 30.00:00:00
[3348] 111219.110731.9957: DomainManager:DefaultCertificateServiceProvider: FindCertificateForDomain called for domain SERVER
[11520] 111219.110731.9957: ProviderFramework: Information: [0] : ExceptionScreener._ScreenForExceptions: Operation "CommitDomain" threw a FaultException<DomainManagerFault>: (FaultException<DomainManagerFault>) The creator of this fault did not specify a Reason.
[11520] 111219.110731.9957: ProviderFramework: Information: [0] : ProvideFault called for exception: (FaultException<DomainManagerFault>) The creator of this fault did not specify a Reason.
[11520] 111219.110731.9957: ProviderFramework: Information: [0] : PfErrorHandler: IGNORING WCF internal exception: (FaultException<DomainManagerFault>) The creator of this fault did not specify a Reason.


CAUSE

This problem occurs when the Trusted Root Certification Authority fails to install during the domain name setup. That is, if "Get a personalized domain name from Microsoft" is chosen in the options available, the third level domain, e.g. contoso.remotewebaccess.com, fails to install the "Go Daddy Class 2 Certification Authority" on the server.

Please note that Root CA could be different depending on the Domain Name Service Provider. In this article the option "Get a personalized domain name from Microsoft" and the Root CA "Go Daddy Class 2 Certification Authority" is referred throughout.


RESOLUTION

On a fresh install of Windows SBS 2011 Essentials, "Go Daddy Class 2 Certification Authority" certificate is not installed by default. It gets installed when a domain name is set up using a Live ID. The Root CA will show up in the Certificates console if it was installed by the "Set Up Your Domain Name" wizard.

To confirm the certificate installation, open MMC on the affected server. Check the console for the "Go Daddy Class 2 Certification Authority" in the following two locations:

1. Computer Account:
a. Click "Add/Remove Snap-ins" on the Console and choose "Certificates" snap-in.
b. Add "Computer Account". Choose “Local Computer”.
c. Expand "Certificates - Local Computer" on the console.
d. Click to look in the "Certificates" under “Trusted Root Certification Authorities”.

2. Service Account:
a. Click "Add/Remove Snap-ins" on the Console and choose "Certificates" snap-in.
b. Add "Service Account". Choose to manage the “Local computer”.
c. Select "Windows Server Domain Name Management" from the list of Service accounts.
d. Back on the console, expand “Certificates - Service (Windows Server Domain Name Management) on Local Computer”.
e. Click to look in the "Certificates" under “DomainManagerProviderSvc\Trusted Root Certification Authorities”.

If the Go Daddy Root CA does not show up in these locations, try to browse https://www.godaddy.com using Internet Explorer. Refresh the Certificates console, it should now show up. Additionally, the following event will be logged in the Event Viewer:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 20-Dec-11 10:03:34 PM
Event ID: 4097
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: server.contoso.com
Description:
Successful auto update of third-party root certificate:: Subject: <OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US> Sha1 thumbprint: <2796BAE63F1801E277261BA0D77770028F20EEE4>.


If the Root CA does not install:
1. Check for the correctness of:
a. Time Zone
b. Time
c. Date
Certificates are validated by the system date and time. Ensure that all of the above attributes are accurate on the system where the Root CA is being installed. The machine may require a reboot after correcting these settings.

At this time the wizard should run fine. Additionally, you may also:

2. Make sure that Windows Update is running fine.
3. Refer to the CAPI2 errors in the Event Viewer.

Once the above steps have been accomplished, the wizard will run successfully.


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2657665 - Last Review: December 21, 2011 - Revision: 4.1
APPLIES TO
  • Windows Small Business Server 2011 Essentials
Keywords: 
KB2657665

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com