Collection Rule for event with source CertificationAuthority and ID 28

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.28 (Rule)

Certificate Services did not start: registry problem.

Knowledge Base article:

Summary

Active Directory Certificate Services (AD CS) records critical configuration settings in the registry and may not start or function properly if this information becomes corrupted or is deleted.

Resolutions

Fix the CRLPeriod registry key

By default, certification authority (CA) registry configuration information is located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name.

If the event log message states that the CRLPeriod registry key is not valid, then you can update the registry entry with correct information.

The location of this registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\CRLPeriod.

Valid strings for this value are "Seconds," "Minutes," "Hours," "Days," "Weeks," "Months," and "Years."

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To resolve registry-related problems:

On the computer hosting the CA, click Start, type regedit, and press ENTER.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\CRLPeriod and correct the invalid registry configuration settings that you find.
Click Start, point to Administrative Tools, and click Certification Authority.
Right-click the CA name, and click Restart.

Additional

To confirm the certification authority (CA) registry settings:

After you have finished making any changes to registry settings for the CA, click Start, point to Administrative Tools, and click Certification Authority.
Select the CA name, and click Restart.
Click Start, type cmd and press ENTER.
Type certutil -getreg ca\security and press ENTER.
If there are no more corrupt settings, the text -getreg command completed successfully will appear.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2016

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS Registry Settings - Invalid CRL period

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.28" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">28</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageID5ccff8704e364cdf96a7e34d3b709f87"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>