certutil -ping fails with 30 seconds timeout - what to do?

Posted by mark on Server Fault See other posts from Server Fault or by mark
Published on 2010-12-30T11:27:00Z Indexed on 2012/11/01 23:06 UTC
Read the original article Hit count: 797

The certificate store on my Win7 box is constantly hanging. Observe:


C:\>1.cmd

C:\>certutil -?   | findstr /i ping
  -ping             -- Ping Active Directory Certificate Services Request interface
  -pingadmin        -- Ping Active Directory Certificate Services Admin interface

C:\>set PROMPT=$P($t)$G

C:\(13:04:28.57)>certutil -ping
CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:04:58.68)>certutil -pingadmin

CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:05:28.79)>set PROMPT=$P$G

C:\>

Explanations:

  • The first command shows you that there are –ping and –pingadmin parameters to certutil
  • Trying any ping parameter fails with 30 seconds timeout (the current time is seen in the prompt)

This is a serious problem. It screws all the secure communication in my app. If anyone knows how this can be fixed - please share.

Thanks.

P.S.

1.cmd is simply a batch of these commands:

certutil -? | findstr /i ping
set PROMPT=$P($t)$G
certutil -ping
certutil -pingadmin
set PROMPT=$P$G

EDIT1

I have succeeded to pin down the single windows API that causes the problem - DsGetDcName

According to the windbg, the certutil -ping invokes it like so:

PDOMAIN_CONTROLLER_INFO pdci;
DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);

On my workstation it times out for 30 seconds and then returns error code 1355, which is ERROR_NO_SUCH_DOMAIN No domain controller is available for the specified domain or the domain does not exist.

On another machine, which is accidentally a windows server 2003, it returns almost immediately with the correct domain controller name inside the returned DOMAIN_CONTROLLER_INFO structure.

Now the question is what is missing on my workstation for that API to find the correct domain controller?

© Server Fault or respective owner

Related posts about security

Related posts about windows-7