Certificate Services service was stopped
Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.
Restart the certification authority
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To correct the service shutdown:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
Locate the Active Directory Certificate Services (AD CS) service.
Confirm that AD CS is not running, and then attempt to restart the service.
If the service does not start, restart the computer, then try to restart AD CS again.
If the problem is not resolved, you can use the following procedures, Create a debug log and Enable CryptoAPI 2.0 Diagnostics, to compile information that will be useful if you need to contact Microsoft Customer Service and Support.
Create a debug log
To create a debug log:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.
Click Start, point to Administrative Tools, and click Services.
Select the Active Directory Certificate Services service, and click Start.
When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory.
When you have finished generating the diagnostics, disable debugging by opening a command prompt window.
Type certutil -delreg ca\debug and press ENTER.
Enable CryptoAPI 2.0 Diagnostics
To enable CryptoAPI 2.0 Diagnostics:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
Right-click Operational, and click Enable Log.
Click Start, point to Administrative Tools, and click Services.
Right-click Active Directory Certificate Services, and click Restart.
To confirm that the CA service is available:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -config <CAconfig> -ping and press ENTER.
CAconfig is the CA configuration string, in the form CAhostname\CAname.
| Target | Microsoft.Windows.CertificateServices.CARole.2016 | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event_ID | 38 | ||
| Event Source | Microsoft-Windows-CertificationAuthority | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | High | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
| WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
Home
ENU <Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.38" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">38</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageID389c65a60547472c94bd08b22f4e565f"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
</WriteAction>
</WriteActions>
</Rule>