This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

Keeps failing on the creation of the CNAME record in the InstallSubCA Action #43

Open
vennemp opened this issue Oct 22, 2021 · 6 comments

vennemp commented Oct 22, 2021

Why even create the CNAME?

Also I would recommend using CIMSessions for creating DNS records on remote DNS servers. May submit a pull request. But this step seems totally unnecessary and is causing the deployment to fail.

Author

vennemp commented Oct 22, 2021

Manually creating the PKI record or naming the SubCA "PKI" seems to resolve this.

Contributor

girvenj commented Nov 3, 2021

What is the error it gets when it tries to create the record? There should be something in the CW logs. The reason to use a CNAME is that if you decide to move your CRL, you do not have to re-issue all of your certs, since the CRL location is part of the cert. I would like to troubleshoot this instead of removing it.

Contributor

girvenj commented Nov 3, 2021

I should comment out the Exit 1. That way, if the record is not there, it will still proceed and not fail the whole deployment.

Author

vennemp commented Nov 3, 2021

That actually makes sense - never re-named a CA so never came across that issue. Not sure what failed. This was a pretty fresh deployment into an existing VPC with Directory Service configured. Simply creating the DNS record (or naming the server PKI) fixed the issue.

This is what was in the SSM Automation step output.

Getting AD domain information
Getting a Domain Controller to perform actions against
Adding computer account to elevated permission group for install
Sleeping to ensure replication of group membership has completed
Clearing all SYSTEM kerberos tickets
Enabling CredSSP
Enabling CredSSP
Setting CredSSP Registry entries
Creating PKI CNAME record
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
CNAME record missing.
Disabling CredSSP
Disabling CredSSP
Removing CredSSP Registry entries
CNAME record never created

----------ERROR-------
[SUBCA1] Connecting to remote server SUBCA1 failed with the following error message : The client cannot connect to the 
destination specified in the request. Verify that the service on the destination is running and is accepting requests. 
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or 
WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure 
the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SUBCA1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken
[SUBCA1] Connecting to remote server SUBCA1 failed with the following error message : The client cannot connect to the 
destination specified in the request. Verify that the service on the destination is running and is accepting requests. 
Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or 
WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure 
the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (SUBCA1:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : CannotConnect,PSSessionStateBroken
[SUBCA1] Connecting to remote server SUBCA1 failed with the following error message : The client cannot connect to the 
destination specified in the request. Verify that the service on the destination is running and is acceptin
---Error truncated----

Author

vennemp commented Nov 3, 2021

Thanks for following up btw!

Author

vennemp commented Nov 5, 2021

#44

I created a pull request to address this with your recommendations.
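
The approach discussed in this thread, as an added example that is not the repository's script or the code in #44: create the PKI CNAME through a CIM session to the DNS server, poll for it, and warn instead of exiting when it never appears. The server, zone and host names are placeholders chosen for illustration.

```powershell
# Placeholder values (constructed for this example, not taken from the repository)
$DnsServer = 'dc1.example.internal'     # DNS server hosting the zone
$ZoneName  = 'example.internal'         # forward lookup zone
$Alias     = 'PKI'                      # stable name referenced by the CRL location in issued certs
$Target    = 'subca1.example.internal'  # host that currently serves the CRL

$session = $null
try {
    # CIM session opened directly against the DNS server
    $session = New-CimSession -ComputerName $DnsServer -ErrorAction Stop

    # Only add the record if it is not already present (covers a manually created record)
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Alias -RRType CName `
        -CimSession $session -ErrorAction SilentlyContinue
    if (-not $existing) {
        Write-Output 'Creating PKI CNAME record'
        Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $Alias `
            -HostNameAlias $Target -CimSession $session -ErrorAction Stop
    }

    # Poll for the record, bounded to 12 attempts
    $record = $null
    foreach ($attempt in 1..12) {
        $record = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Alias -RRType CName `
            -CimSession $session -ErrorAction SilentlyContinue
        if ($record) { break }
        Write-Output 'CNAME record missing.'
        Start-Sleep -Seconds 10
    }

    if ($record) {
        Write-Output "CNAME $Alias.$ZoneName -> $($record.RecordData.HostNameAlias)"
    }
    else {
        # Warn and continue; the record must exist before clients fetch the CRL by this name
        Write-Warning "CNAME $Alias.$ZoneName never created; create it manually."
    }
}
catch {
    # Surface the underlying error in the step output without failing the deployment
    Write-Warning "CNAME creation failed: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```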
