Certificate Services did not start.
Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.
Correct general problems that prevent Active Directory Certificate Services from starting
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Fix general problems that can prevent Active Directory Certificate Services from starting
To fix general problems that can prevent Active Directory Certificate Services (AD CS) from starting:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
Check the status of the AD CS service. If the service is not running, attempt to restart it and observe if the error recurs or if other errors or warnings appear.
Restart the computer and try steps 1 and 2 again.
Check the event log message for a code that describes the specific reason that startup failed. If not, check the event log for additional errors and warnings preceding or following this error message and correct these errors.
If the problem persists and can reproduce the issue, use the following procedure, Create a CA debug log, to obtain additional information.
Create a CA debug log
To create a CA debug log:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.
Use the Certification Authority snap-in to restart the CA.
Reproduce the issue.
If the problem persists, contact Microsoft Customer Service and Support.
The %windir%\certsrv.log file contains advanced diagnostic information that may be useful if you need to contact Microsoft Customer Service and Support.
To confirm that the CA service is available:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -config <CAconfig> -ping and press ENTER.
CAconfig is the CA configuration string, in the form CAhostname\CAname.
Target | Microsoft.Windows.CertificateServices.CARole.2016 | ||
Category | EventCollection | ||
Enabled | True | ||
Event_ID | 63 | ||
Event Source | Microsoft-Windows-CertificationAuthority | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | High | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.63" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">63</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageIDb3ee1df594514fb0a9c9bbef46e0c374"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>