Windows Admin Center Can't Access .local Domain After .com Cert Install

Joe Hinkle 0 Reputation points
2025-11-04T18:08:47.92+00:00

This is a new install of Admin Center. I initially installed it using the self-signed cert and set up our new cluster. So I can see several servers and they are currently working as of this writing.

Our domain is .local. But I installed a wildcard *.domain.com cert onto the server and created an A record in a split-brain zone in AD. I loaded the cert in using the below commands and I can log in via the Web GUI using the new cert.

# Load the WAC configuration module that ships with the gateway
Import-Module "$env:ProgramFiles\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration"
# Point the gateway at the imported certificate by thumbprint ("myThumbprint" is a placeholder)
Set-WACCertificateSubjectName -Thumbprint "myThumbprint"
# Grant the gateway service account access to the private key of the certificate with this subject
Set-WACCertificateAcl -SubjectName "CN=myDomain.com"
# Restart the gateway so it picks up the new certificate
Restart-Service -Name WindowsAdminCenter

I have manually added the Network Service account to the cert's security in Cert Management. When I try to do anything with Active Directory in Admin Center I get the below message:

[screenshot of the Active Directory error message; image not preserved]

If I try to manually add a server I get this message:

[screenshot of the add-server error message; image not preserved]

I am thinking that the issue is now it's trying to look for my domain at .com. Even though we have our domain set up with an alias for M365, you can't use it to find servers and talk to AD. Has anyone done something similar where they use a .com cert on a .local domain?

I will continue troubleshooting but at this point I opened up perms on the new cert all the way so I don't believe it's a permission issue.

[screenshot of the certificate permissions; image not preserved]

Any ideas on how to fix this? I may revert to self signed to see if it works.

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

2 answers

  1. Kate Pham (WICLOUD CORPORATION) 430 Reputation points Microsoft External Staff Moderator
    2025-11-28T08:00:21.4233333+00:00

    Hi Joe,

    Thank you for your contribution and for sharing your answer; it's greatly appreciated! Apologies for the delay in getting back to you.

    The error message indicates that Windows Admin Center cannot search Active Directory.

    Allow me to share some other possible causes as below:

    • Invalid certificate
      • A certificate might be invalid. This shows as "invalid certificate."
      • Even if you don't see an error in the WindowsAdminCenter event log, the browser could indicate invalid certificate status as an icon in the address bar. WACv2 can't be used if an invalid certificate is used when communicating with the sub processes.
      • You shouldn't generate a self-signed certificate because it's a security issue.
    • Mismatched DNS name
      • The certificate DNS name might be different from the WAC DNS name.
      • If this isn't resolved then WAC might not work or bring errors.
    • Wrong or inaccurate thumbprint
      • Check that the thumbprint is present, correctly registered, and doesn't match what is expected. WAC might not detect the certificate.
    • Private Key not configured to be accessed by the network service
      • The HTTPS protocol layer reads the certificate's private key to encrypt the TLS payload when communicating over HTTPS.
      • WAC uses the Network Service account, so the private key must be accessible by Network Service. In the certlm.msc tool, use the All Tasks menu to open the Manage Private Keys... dialog.
      • Make sure NETWORK SERVICE is configured to access the private key.
    • Network, Policy and Firewall configuration issues
      • If you restrict TLS communications, then the WAC Gateway might not be able to access the certificate. This might be a firewall or GPO issue.

    Resolution:

    • Ensure the Windows Admin Center server is joined to your Active Directory domain.
    • Verify your user account has the necessary permissions to access and read from Active Directory.
    • Confirm the certificate installed is valid for the server’s FQDN.
    • Make sure the Network Service account has access to the certificate’s private key for secure communication.

    Your note about rerunning the installer and updating the FQDN during the custom install option is an excellent tip for resolving domain type mismatches (.local to .com).

    Here's the official article related to the question: https://v4.hkg1.meaqua.org/en-us/windows-server/manage/windows-admin-center/configure/update-certificate?tabs=powershell

    Thanks again for your dedication to the Learn community!

    If you believe this information adds some value, please accept the answer so that your experience with the issue can help the whole community.

    Regards,

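A read-only PowerShell diagnostic for the checks listed in this answer (certificate validity, DNS name matching the WAC FQDN, thumbprint present, Network Service able to read the private key) and for the .local/.com mismatch raised in the question. This is an added example, not code from either poster and not from Microsoft's Windows Admin Center module; it assumes an RSA certificate in LocalMachine\My, English account names (NT AUTHORITY\NETWORK SERVICE), and that -WacFqdn is the name users type into the browser (the FQDN chosen in the installer). The thumbprint and FQDN values are placeholders supplied by the caller.

```powershell
<#
  Added diagnostic for the thread above (example code, not Microsoft's and not either poster's).
  Reads state only; changes nothing. Run elevated on the WAC gateway host.
  Assumptions: RSA certificate in LocalMachine\My, English account names, and -WacFqdn is the
  FQDN users browse to (the name chosen in the installer), e.g. wac.domain.com.
#>
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # placeholder: paste the real thumbprint
    [Parameter(Mandatory)][string]$WacFqdn       # placeholder: the gateway FQDN users connect to
)

# A certificate DNS name matches an FQDN exactly, or via a wildcard covering one label:
# *.domain.com covers wac.domain.com but neither wac.domain.local nor a.b.domain.com.
function Test-CertNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                          # ".domain.com"
        if (-not $Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $hostLabel = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($hostLabel.Length -gt 0) -and ($hostLabel -notmatch '\.')
    }
    return [string]::Equals($Pattern, $Fqdn, [StringComparison]::OrdinalIgnoreCase)
}

# 1. Locate the certificate by thumbprint (normalise to hex only, upper case).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

# 2. Validity window and chain (Verify() builds the chain against the machine trust store).
$now     = Get-Date
$inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
$chainOk = $cert.Verify()

# 3. Collect DNS names: subject CN plus every SAN "DNS Name=" entry.
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}
$names  = $names | Select-Object -Unique
$nameOk = [bool]($names | Where-Object { Test-CertNameMatch -Pattern $_ -Fqdn $WacFqdn })

# 4. Private key present, and NETWORK SERVICE allowed to read the key file on disk.
$netSvcRead = $false
$keyFile    = $null
if ($cert.HasPrivateKey) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
               elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    if ($keyName) {
        # CNG keys live under ...\Crypto\Keys, CAPI keys under ...\Crypto\RSA\MachineKeys.
        $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
                   Select-Object -First 1
    }
    if ($keyFile) {
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        $netSvcRead = [bool]((Get-Acl -Path $keyFile.FullName).Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        })
    }
}

# 5. Does the certificate also cover the host's AD FQDN (host.domain.local)? A *.domain.com
#    wildcard will not, which is the .local/.com mismatch discussed in this thread.
$adDomain      = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$hostAdFqdn    = "$env:COMPUTERNAME.$adDomain"
$coversAdFqdn  = [bool]($names | Where-Object { Test-CertNameMatch -Pattern $_ -Fqdn $hostAdFqdn })

[pscustomobject]@{
    Thumbprint               = $cert.Thumbprint
    WithinValidityWindow     = $inDate
    ChainVerifies            = $chainOk
    CertificateDnsNames      = ($names -join ', ')
    CoversWacFqdn            = $nameOk
    HasPrivateKey            = $cert.HasPrivateKey
    PrivateKeyFile           = if ($keyFile) { $keyFile.FullName } else { $null }
    NetworkServiceCanReadKey = $netSvcRead
    JoinedAdDomain           = $adDomain
    CoversHostAdFqdn         = $coversAdFqdn
}
```

Run it as `.\Test-WacCert.ps1 -Thumbprint <thumbprint> -WacFqdn wac.domain.com` (file name is arbitrary). A `False` in CoversWacFqdn or NetworkServiceCanReadKey points at the DNS-name or private-key causes in the list above; a `False` in CoversHostAdFqdn with a `True` in CoversWacFqdn is the expected picture for a .com certificate on a .local domain, which the thread resolved by setting the .com FQDN in the installer rather than by changing the certificate.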

  2. Joe Hinkle 0 Reputation points
    2025-11-04T18:25:36.0866667+00:00

    I should have waited to post this as I've now found the answer. The issue appears to be an FQDN that needed to be updated.

    It appears that you can't change domain type, .local to .com, via CLI. You need to rerun the installer and use the custom install option. After you import the cert you will be prompted with an FQDN page. Make sure to change .local to .com on that page, and when the server finishes setting up again it will work.

