Lync 2013 – RTCSRV Frontend Service failing to start “showing as starting” PART 2 Certificate Store issue

Hello All

Here we are again with another blog post on an issue similar to one I posted about previously: the RTCSRV service on the Lync 2013 front ends not starting.

This particular post relates to the same RTCSRV service, but this specific issue is centric to Windows 2012 / R2 server builds.

OK, so what was the problem? In both Standard and Enterprise edition builds, you've run through each element without issue, then you come to starting the services and bam, all of the services start apart from the RTCSRV service, which sits cycling on 'starting'. The first port of call for any issue like this is the event logs. At this point I was expecting the same damn issue with the quorum recovery, due to the Lync build still being RTM (not patched).

So after a quick glance at the event logs I ran in the updates to the topology (the Jan 2014 updates). I then tried starting the service again, and again it was stuck cycling on the RTCSRV service. At this point I jumped back to the event logs, as I've found that following the Lync RTM build the information becomes a lot richer in content. As it happens this was the case: there was an error in the logs around certificates. Yet my installation was using an internal CA, so why should I be getting these errors?

I checked the internal CA for correct marking and trust, which all checked out OK, and then my next step was to look at certificates in general and the way Windows 2012/R2 sees them differently. What I mean by this is that the certs in the personal, intermediate and trusted root stores on a Windows 2008 R2 server could in some cases be totally wrong and the Lync services would start without issue. In Windows 2012/R2, Microsoft has done a lot of work around the certificate stores and put much stricter requirements on them. For example, having an intermediate cert in the trusted root store will throw an error in the event log. Having duplicate trusts in the root trust will throw an error in the event log, and so on.

So what was the issue in my case? It was one I had seen before in a deployment, and one which was totally unrelated to Lync and the Lync RTCSRV service.

In the trusted root folder, all certificates have to have a matching subject and issuer name, or again an error will be thrown. AND having such an issue will also stop the RTCSRV service from starting for Lync! Crazy, you might say!

***What does Microsoft say about this.. Below

this is the event error in question

To find this out, there is a simple PowerShell command you can run to identify the trusted root certs with this mismatched information.

Get-ChildItem Cert:\LocalMachine\Root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\temp\certinformation.txt"

Once you have the information from your txt file, jump over to MMC and the certificate store, locate these certs in the root CA store and move them to the intermediate store. Once you have completed this, close PowerShell and reopen it to refresh the PowerShell information, then rerun the command. This time around you should have no information in your txt file.
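
The check-and-move procedure above can also be scripted. The following PowerShell is an added example, not part of the original post; the function name Move-NonRootCertificate and the backup folder are assumptions, and Cert:\LocalMachine\CA is the Intermediate Certification Authorities store.

```powershell
# Added example (not from the original post): audit the LocalMachine Trusted
# Root store for certificates whose Issuer and Subject differ, back each one
# up, and move it to the Intermediate store. The function name and the
# backup folder are assumptions made for this example.
function Move-NonRootCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$BackupPath = 'C:\temp\rootstore-backup'   # assumed location
    )

    # Same test as the one-liner in the post: a genuine root certificate is
    # self-issued, so its Issuer and Subject are identical.
    $mismatched = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject }

    if (-not $mismatched) {
        Write-Verbose 'No mismatched certificates found in Trusted Root.'
        return
    }

    if (-not (Test-Path -Path $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }

    foreach ($cert in $mismatched) {
        # Keep a .cer copy so the change can be reviewed and reversed.
        $file = Join-Path -Path $BackupPath -ChildPath ($cert.Thumbprint + '.cer')
        Export-Certificate -Cert $cert -FilePath $file | Out-Null

        if ($PSCmdlet.ShouldProcess($cert.Subject,
                'Move to Intermediate Certification Authorities')) {
            Move-Item -Path $cert.PSPath -Destination Cert:\LocalMachine\CA
        }

        # One summary object per certificate, for review or logging.
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

# Dry run: reports what would be backed up and moved without changing the store.
Move-NonRootCertificate -WhatIf
```

Run it from an elevated session; once the dry-run output looks right, call it without -WhatIf and confirm each move, then rerun the check above to verify the output is empty.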

Now, if you're running Standard edition, simply start your front-end services. If you're running Enterprise edition, I would personally run the quorum recovery command to bring your front end into sync; this will also start the services.

That's it. I hope this has helped others out.
