Possible issue with Get-CertificationAuthority on remote CA

Jul 14, 2015 at 6:06 PM
Hello

Sometimes when I run Get-CertificationAuthority it takes minutes to complete (other times it comes back quicker).

When this happens I sometimes see the following:

IsAccessible false
RegistryOnly True
ServiceStatus Running

If I then log on to the remote CA and run the same command I see

IsAccessible true
RegistryOnly True
ServiceStatus Running

If I use the GUI admin tools (e.g. CertSrv) on the local CA and retarget the remote CA the remote CA responds in a timely fashion and I can see its certs etc.

So I am wondering what types of issues could be causing Get-CertificationAuthority to sometimes take minutes to return and believe the remote CA is IsAccessible = false.

I assume it may be DCOM issues or perhaps the DCOM method code used to get the CA status e.g. IsAccessible

Are there any registry settings I can change to make this communication faster/more reliable, or could the underlying method (I am assuming a COM/DCOM method) be a bit flaky against a CA on the other side of a WAN?

It looks like you have created your own types and the type in question here is

PKI.CertificateServices.CertificateAuthority::GetCA("Name",$Name)

Any advice most welcome, as I need to connect to the remote CA to check various things.

Thanks again
Ernie
Jul 15, 2015 at 7:01 AM
Hello Again

I ran the same command, Get-CertificationAuthority, early this morning when the network is quiet, and it responded in a timely fashion and showed IsAccessible True.

Therefore I am wondering if the issue is DCOM (assuming it is DCOM) having issues when the WAN is busy, and whether I can do anything on my Windows Servers (or within a PowerShell script) to make the underlying mechanisms used by Get-CertificationAuthority more reliable/responsive over a WAN.

Thank you
Ernie
Coordinator
Jul 15, 2015 at 1:33 PM
Yes, the code internally attempts to contact the CertSvc service over DCOM and, depending on network connectivity/speed/load, may consume some time. If the connection succeeds, then the IsAccessible property is set to True, otherwise (when the underlying connection times out) False. As a result, there is nothing you can do with your machines, as it is up to network connectivity and latency.
Marked as answer by Camelot on 11/8/2015 at 11:01 PM
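Since a timed-out DCOM connection is reported as IsAccessible = False, a script that depends on the remote CA can treat that value as "retry later" rather than as a final state. The following is an added example, not part of the thread and not PSPKI's own code: it assumes the PSPKI module is installed, and the function name `Get-CAWithRetry`, its parameters and the host name `ca01.example.test` are hypothetical.

```powershell
# Added example: retry wrapper around PSPKI's Get-CertificationAuthority.
# Assumptions: PSPKI is installed; 'ca01.example.test' is a placeholder host name.
Import-Module PSPKI

function Get-CAWithRetry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxAttempts  = 3,
        [int]$DelaySeconds = 30,
        [int]$TcpTimeoutMs = 3000
    )

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # Cheap pre-check with a short timeout: DCOM starts at the RPC endpoint
        # mapper (TCP 135). Success here does not prove the dynamic RPC port is
        # reachable, it only avoids a long wait when the host is unreachable.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending   = $client.BeginConnect($ComputerName, 135, $null, $null)
            $reachable = $pending.AsyncWaitHandle.WaitOne($TcpTimeoutMs) -and $client.Connected
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }

        if ($reachable) {
            # Time the real call so slow periods on the WAN show up in the output.
            $timer = [System.Diagnostics.Stopwatch]::StartNew()
            $ca = Get-CertificationAuthority -ComputerName $ComputerName
            $timer.Stop()
            Write-Verbose ("Attempt {0}: {1:N1}s, IsAccessible={2}" -f $attempt, $timer.Elapsed.TotalSeconds, $ca.IsAccessible)
            if ($ca -and $ca.IsAccessible) { return $ca }
        } else {
            Write-Verbose "Attempt ${attempt}: TCP 135 on $ComputerName not reachable within $TcpTimeoutMs ms"
        }
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
    }
    throw "CA on $ComputerName not accessible after $MaxAttempts attempts"
}

$ca = Get-CAWithRetry -ComputerName 'ca01.example.test' -Verbose
```

The wrapper does not make the DCOM call itself faster; it only records how long each attempt took and stops the script from acting on a False that came from a busy link.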
Jul 21, 2015 at 6:51 AM
Thanks very much V