Today I decided I would add another Windows 2016 NPS server at our other datacenter for some redundancy. When I was doing my testing I got the following error.
At first I thought it was an issue with our offline root CA. For troubleshooting I turned on the offline root CA. Hmm, still getting the same issue. So I started looking at our subordinate certificate authority. After launching the Enterprise PKI MMC I saw the following. CDP Location #1 and #2 are saying “Unable to Download”.
I fired up my web browser to go to http://pki.manualtokenring.com/cdp/MTRRootCA.crl and got a 503 from the web server. Hmm, that's strange… The next place I decided to check was Internet Information Services (IIS) Manager. All web sites were online. Next I browsed to where the CRL files are located. Everything looked to be OK.
After confirming the CRL was correct I restarted IIS. After restarting IIS I could not get http://pki.manualtokenring.com/cdp/MTRRootCA.crl to load. The last thing to do was reboot the server. Sure enough, after a reboot of the server everything came back online. I hate to be that guy, “Have you tried turning it off and back on”, but this time it seemed to resolve the issue.
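
The manual checks above (fetch the CDP URL, look at the HTTP status, confirm the CRL itself is good) can be scripted so a failing CDP is noticed before clients start rejecting certificates. This is an added example, not part of the original post; it also checks CRL expiry, which goes beyond the 503 case described. `Test-CdpUrl` is a hypothetical helper name, and the script assumes `certutil.exe` prints an English `NextUpdate:` line whose date parses under the current culture.

```powershell
# Added example: probe a CRL distribution point (CDP) URL and report HTTP status and CRL freshness.
# Assumptions: Test-CdpUrl is a hypothetical name; certutil.exe is on PATH and emits "NextUpdate:".
function Test-CdpUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$WarnHours = 24   # flag CRLs that expire within this window
    )
    $tmp = [System.IO.Path]::GetTempFileName()
    $result = [ordered]@{ Url = $Url; Status = $null; NextUpdate = $null; Healthy = $false; Detail = '' }
    try {
        # Non-2xx answers (such as the 503 in the post) throw and are handled in catch.
        $resp = Invoke-WebRequest -Uri $Url -OutFile $tmp -PassThru -UseBasicParsing -TimeoutSec 15
        $result.Status = [int]$resp.StatusCode

        # certutil -dump decodes the downloaded file; pull NextUpdate out of its text output.
        $line = certutil.exe -dump $tmp |
            Select-String -Pattern 'NextUpdate:\s*(.+)$' |
            Select-Object -First 1
        if (-not $line) {
            $result.Detail = 'Downloaded file did not decode as a CRL'
        } else {
            $next = [datetime]::Parse($line.Matches[0].Groups[1].Value.Trim())
            $result.NextUpdate = $next
            if ($next -lt (Get-Date)) {
                $result.Detail = 'CRL has expired'
            } elseif ($next -lt (Get-Date).AddHours($WarnHours)) {
                $result.Healthy = $true
                $result.Detail = "CRL expires within $WarnHours hours"
            } else {
                $result.Healthy = $true
                $result.Detail = 'OK'
            }
        }
    } catch {
        $errResp = $_.Exception.Response
        if ($errResp) {
            $result.Status = [int]$errResp.StatusCode
            $result.Detail = 'Web server returned an error status'
        } else {
            $result.Detail = $_.Exception.Message   # DNS failure, timeout, parse error, etc.
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# URL taken from the post; add the other CDP locations from your own CA configuration.
@('http://pki.manualtokenring.com/cdp/MTRRootCA.crl') |
    ForEach-Object { Test-CdpUrl -Url $_ } |
    Format-Table -AutoSize
```

Run it on a schedule from a machine that resolves the CDP hostname the same way relying parties such as the NPS server do, and alert on any row where `Healthy` is false.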