Collection Rule for event with source CertificationAuthority and ID 9

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.9 (Rule)

Certificate Services did not start: external policy module.

Knowledge Base article:

Summary

The policy module contains the set of rules governing issuance, renewal, and revocation of certificates. This policy is created from hard-coded values, registry settings, and, if you are using an enterprise certification authority (CA), certificate templates. The policy module determines whether a certificate request is approved, denied, or marked as pending for an administrator to approve or deny. Problems detected with a policy module can cause a CA to fail to start or to cease functioning.

Resolutions

Enable AD CS to load a policy module

The AD CS policy modules must have sufficient memory and disk space to start correctly. If the policy modules did not start, resolve this error by:

Initializing the policy module.

If this does not resolve the error:

Identify the policy module name and contact the vendor for support.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Initialize a policy module

To enable Active Directory Certificate Services (AD CS) to initialize a policy module:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Reliability and Performance Monitor.

Check memory usage on the computer and, if necessary, add system resources.

Restart the computer and CA.

If the policy module is not loaded and the warnings cannot be resolved by addressing related symptoms, there is likely a problem with the policy module that only the vendor can address. Therefore, identify the name of the policy module and contact the vendor for support.

For a non-Microsoft policy module, contact the policy module provider for assistance.

For a Microsoft policy module, contact Microsoft Customer Service and Support. For more information, see http://go.microsoft.com/fwlink/?LinkId=89446.

Identify the policy module name

To identify the policy module name:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

Right-click the name of the CA, and click Properties.

Click the Policy Module tab, and then click Properties.

Write down the identifying information for the policy module.

Additional

To confirm that the policy module is operational:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.

Right-click the Active Directory Certificate Services (AD CS) service, and click Restart.

Open the event log, and confirm that it does not contain any errors relating to the policy module.

Errors relating to the policy module are:

Event 9: Source: Microsoft-Windows-CertificationAuthority. "Active Directory Certificate Services did not start: Unable to load a policy module."

Event 43: Source: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method caused an exception at address %4. The exception code is %3."

Event 44: Source: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method returned an error. %5 The returned status code is %3. %4"

Event 77: Source: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following warning: %2"

Event 78: Source: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following error: %2"
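The confirmation step above (restart the service, then check the Application log for events 9, 43, 44, 77 and 78 from this source) and the "identify the policy module name" procedure can be done from PowerShell on the CA host. This is an added example, not part of the management pack or the knowledge article; it assumes the default AD CS registry layout under CertSvc\Configuration, where the Configuration key's Active value holds the CA name and PolicyModules\Active holds the active policy module.

```powershell
# Added example (not from the management pack or this page): after restarting the
# CA service, pull any policy-module events the knowledge article lists and report
# the active policy module so the vendor can be identified.
# Assumption: standard AD CS registry layout under CertSvc\Configuration.
function Test-CaPolicyModule {
    param(
        # Look back this far from now; the default covers a restart done minutes ago.
        [int]$MinutesBack = 30
    )

    # Event IDs the article names as policy-module related, all from the same source.
    $policyEventIds = 9, 43, 44, 77, 78
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = $policyEventIds
        StartTime    = (Get-Date).AddMinutes(-$MinutesBack)
    }
    # Get-WinEvent raises an error when nothing matches; an empty result is the good case here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # CA name and its active policy module from the CertSvc configuration registry
    # (assumption: default AD CS registry layout).
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $module = (Get-ItemProperty -Path "$cfg\$caName\PolicyModules").Active

    [pscustomobject]@{
        CAName        = $caName
        PolicyModule  = $module
        ServiceStatus = (Get-Service -Name CertSvc).Status
        PolicyEvents  = @($events | Select-Object TimeCreated, Id, LevelDisplayName, Message)
    }
}

$result = Test-CaPolicyModule
$result | Format-List CAName, PolicyModule, ServiceStatus
if ($result.PolicyEvents.Count -eq 0) {
    'No policy module events (9/43/44/77/78) in the window: the module appears operational.'
} else {
    # Event 77 is a warning; 9, 43, 44 and 78 are errors that need the vendor's attention.
    $result.PolicyEvents | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated session on the CA host after the service restart; the PolicyModule value is the identifying string to give the vendor if any of the listed events appear.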

Element properties:

Target: Microsoft.Windows.CertificateServices.CARole.2016
Category: EventCollection
Enabled: True
Event ID: 9
Event Source: Microsoft-Windows-CertificationAuthority
Alert Generate: True
Alert Severity: Error
Alert Priority: High
Remotable: True
Alert Message:
  AD CS Policy Module Processing - Failed to load Policy Module
  Event Description: {0}
Event Log: Application

Member Modules:

ID                    Module Type   TypeId                                                                RunAs
DS                    DataSource    Microsoft.Windows.EventProvider                                       Default
Alert                 WriteAction   System.Health.GenerateAlert                                           Default
WriteToCertSvcEvents  WriteAction   Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher  Default
WriteToDB             WriteAction   Microsoft.SystemCenter.CollectEvent                                   Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.9" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">9</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="AlertMessageIDb8ee865c4c31494b9bb9b9e18f36ec20"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
        <SuppressionValue>$Data/PublisherName$</SuppressionValue>
        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>