WORKAROUND #1:
Copy the certificates from Console A to Console B:
If using RMAD 10.0.1 or earlier:
- On the Forest Recovery console server that is connecting properly to the DCs, launch MMC.exe
- Go to File and then Add/Remove Snap-in
- Add Certificates for the local computer
- Expand Certificates | Personal | Certificates
- Right-click each certificate (Console and Agent) and go to All Tasks and then Export
- Repeat steps 1-2 on the other RMADFE server(s)
- Expand Certificates | Personal | Certificates
- Delete the existing Console and Agent certificates
- Import the certificates exported from the first RMADFE server. Ensure you select to make the certificate Exportable in the Import Wizard
- Once the certificates from the first RMADFE server have been imported, the agents can be managed from the other RMADFE server(s). Agents can then be deployed from any RMADFE server, provided they are all using the same set of certificates
If using RMAD 10.1 or later:
- Open the Forest Recovery Console on the first FR server
- Open the FR Console
- Click Tools | Fault Tolerance | Export secure communication keys
- Click Browse to select a path to store the exported keys
- For the password, type RMAD
- Copy the pfx file to the other FR servers
- Open the FR Console on the other FR servers
- Click Tools | Fault Tolerance | Import secure communication keys
- Select the copied pfx file
WORKAROUND #2:
Uninstall the existing forest recovery agent and then manually install it using "RecoveryAgent64.exe" from within the download package of the product. The FR Console will then not use Schannel to authenticate with the FR agents. Note: The FR Console can be used to redeploy the agents using the following steps:
- Open regedit and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Dell\Recovery Manager for Active Directory
- Create a DWORD value: RpcAuthType
- Set it to 9 for Negotiate, or 10 for NTLM only
- Delete the RMAD secure communication keys from the RMAD server by opening a command prompt, navigating to the RMADFE installation path and running the command RegisterCertificate.cmd /u
- You can then use the FR console to remove and reinstall the FR agents on each of the DCs.
WORKAROUND #3:
Disable Schannel and revert to NTLM as the default authentication method, as the product used prior to 8.8.
- Open regedit and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Dell\Recovery Manager for Active Directory
- Create a DWORD value: RpcAuthType
- Set it to 9 for Negotiate, 10 for NTLM only, or 15 for Schannel
- Restart the Console
- Delete both the console and agent certificates from the Local Computer | Personal Certificates store
- One of the following needs to be performed on the DCs:
  - Create the same reg key on the DCs
  - Remove the cert from agent installation folder (C:\Program Files\Dell\Recovery Manager for Active Directory Forest Edition) on the DC, either by manually deleting it, or by reinstalling the agent from the FR console.
In 10.1, certificate export from the console was introduced. It involves a separate tool that exports the keys needed to install the FR agent, using the following syntax:
CreateCommunicationKeys.exe -a -e: -p:RMAD
But it might fail if the keys (AgentCommunicationKeys.rmad and ConsoleCommunicationKeys.rmad) have not been created during the upgrade, with:
May 13 08:10:18.337 [6384:0019] INFORMATION: AgentInstaller.ExportCertificate(): Waiting for CreateCommunicationKeys.exe for exit..
May 13 08:10:18.407 [6384:0019] INFORMATION: AgentInstaller.ExportCertificate(): CreateCommunicationKeys.exe exit code = 20
May 13 08:10:24.497 [6384:0019] VERBOSE: AsyncOperation.HandleCompletion(): Operation completed? True Status=Faulted Id=59316518
May 13 08:10:24.497 [6384:0019] INFORMATION: DCOperation.ProcessStateChange(): Operation InstallAgent state changed to: Failed
May 13 08:10:24.498 [6384:0019] ERROR: DCOperation.ProcessStateChange(): System.ApplicationException: Forest Recovery agent is stopped or not installed.
bei QuestSoftware.RecoveryManager.AD.Agents.ComputerInfoRetriever.GetComputerInfo(ComputerDetails details, CancellationToken token, AgentCommunicationService service)
bei QuestSoftware.RecoveryManager.AD.ForestOperations.DC.GetComputerInfo(ComputerDetails details, AgentAccessData accessData, CancellationToken token)
bei QuestSoftware.RecoveryManager.AD.ForestOperations.DCBase.RefreshDcInformation(ComputerDetails details, CancellationToken ct)
bei QuestSoftware.RecoveryManager.AD.ForestOperations.DC.b__f(CancellationToken ct)
bei QuestSoftware.RecoveryManager.AsyncOperations.AsyncOperation.<>c__DisplayClass2.b__0()
bei System.Threading.Tasks.Task.Execute()
The missing key files can be created by running CreateCommunicationKeys.exe -u, which exports the keys from the certificate store to the corresponding files.
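
A triage sketch for the failure shown in the log excerpt above, added here as an example and not part of the product or the original article: it scans a Forest Recovery console log for a non-zero CreateCommunicationKeys.exe exit code followed by a failed InstallAgent operation on the same [process:thread] id. The function name, the extra exit-code-0 line in the sample, and the treatment of exit code 0 as success are assumptions.

```python
import re

# Line layout as in the excerpt: "May 13 08:10:18.407 [6384:0019] LEVEL: Source(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"CreateCommunicationKeys\.exe exit code = (\d+)")
FAILED_RE = re.compile(r"Operation InstallAgent state changed to: Failed")

# Sample input: three lines from the log quoted on this page, plus one
# CONSTRUCTED line (thread 0021, exit code 0) and one stack-trace line.
SAMPLE_LOG = """\
May 13 08:10:18.337 [6384:0019] INFORMATION: AgentInstaller.ExportCertificate(): Waiting for CreateCommunicationKeys.exe for exit..
May 13 08:10:18.407 [6384:0019] INFORMATION: AgentInstaller.ExportCertificate(): CreateCommunicationKeys.exe exit code = 20
May 13 08:10:19.001 [6384:0021] INFORMATION: AgentInstaller.ExportCertificate(): CreateCommunicationKeys.exe exit code = 0
May 13 08:10:24.497 [6384:0019] INFORMATION: DCOperation.ProcessStateChange(): Operation InstallAgent state changed to: Failed
   bei System.Threading.Tasks.Task.Execute()
"""

def find_key_export_failures(log_text):
    """Return one finding per InstallAgent failure that was preceded, on the
    same [pid:tid], by a non-zero CreateCommunicationKeys.exe exit code."""
    pending = {}   # (pid, tid) -> (timestamp, exit_code) of the last failed export
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:   # stack-trace continuation lines ("bei ...") have no header
            continue
        key = (m["pid"], m["tid"])
        exit_m = EXIT_RE.search(m["msg"])
        if exit_m:
            code = int(exit_m.group(1))
            if code != 0:   # assumption: 0 means the export succeeded
                pending[key] = (m["ts"], code)
            else:
                pending.pop(key, None)   # a later successful export clears the flag
        elif FAILED_RE.search(m["msg"]) and key in pending:
            ts, code = pending.pop(key)
            findings.append({"thread": "%s:%s" % key, "export_at": ts,
                             "exit_code": code, "failed_at": m["ts"]})
    return findings

if __name__ == "__main__":
    for finding in find_key_export_failures(SAMPLE_LOG):
        print(finding)
```

A finding on a console server indicates that the key files should be checked and, if missing, created with CreateCommunicationKeys.exe -u as described above.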