Collection Rule for event with source CertificationAuthority and ID 63

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.63 (Rule)

Certificate Services did not start.

Knowledge Base article:

Summary

Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.

Resolutions

Correct general problems that prevent Active Directory Certificate Services from starting

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Fix general problems that can prevent Active Directory Certificate Services from starting

To fix general problems that can prevent Active Directory Certificate Services (AD CS) from starting:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
Check the status of the AD CS service. If the service is not running, attempt to restart it and observe if the error recurs or if other errors or warnings appear.
Restart the computer and try steps 1 and 2 again.
Check the event log message for a code that describes the specific reason that startup failed. If not, check the event log for additional errors and warnings preceding or following this error message and correct these errors.
If the problem persists and can reproduce the issue, use the following procedure, Create a CA debug log, to obtain additional information.

Create a CA debug log

To create a CA debug log:

On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.
Use the Certification Authority snap-in to restart the CA.
Reproduce the issue.
If the problem persists, contact Microsoft Customer Service and Support.

The %windir%\certsrv.log file contains advanced diagnostic information that may be useful if you need to contact Microsoft Customer Service and Support.

Additional

To confirm that the CA service is available:

On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -config <CAconfig> -ping and press ENTER.

CAconfig is the CA configuration string, in the form CAhostname\CAname.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2016

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS Program Resource Availability - Generic startup failure

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.63" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">63</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageIDb3ee1df594514fb0a9c9bbef46e0c374"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>