Certificate Services could not start: security permissions have been corrupted.
Active Directory Certificate Services (AD CS) records critical configuration settings in the registry and may not start or function properly if this information becomes corrupted or is deleted.
Fix certification authority security permissions
Information about essential security permissions is stored in the registry and is needed for a certification authority (CA) to function properly.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To resolve security permission problems:
Confirm that security descriptors have been corrupted.
If you have a backup of the registry, restore registry settings from the backup.
If you have a backup of the CA, you can restore the CA from the backup.
If the restore procedure fails, create a CA debug log and contact Microsoft Customer Service and Support. For more information, see http://go.microsoft.com/fwlink/?LinkId=89446.
Confirm security descriptor corruption
To confirm that CA security descriptors have been corrupted:
Open a command prompt window.
Type certutil -getreg ca\security and press ENTER.
Restore CA registry settings
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
To restore registry settings from a hive file:
On the computer hosting the CA, click Start, type regedit, and then press ENTER.
Select the keys in which you want to restore the hive.
On the File menu, click Import, and then select the drive, folder, or network computer and folder in which the hive is located.
In Files of type, click Registry Hive Files, and select the correct file name for the hive.
Click Open. When a message appears indicating that the hive has been successfully imported, click OK.
Restore a CA from a backup
Note: To complete this procedure, you need to have created a backup of your CA prior to the failure, including registry settings, private key and CA certificate, certificate database, and database log.
To restore a CA:
If you had to reinstall Windows, apply all current service packs and security updates before restoring the CA, and reinstall Active Directory Certificate Services (AD CS).
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click the name of the CA, and click Stop.
Import the registry hive for the CA by using the previous procedure.
In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA.
When the Certification Authority Restore Wizard starts, click Next, and then click Private keyand CA certificate.
Click Certificate database and certificate database log.
Type the backup folder location, and then click Next.
Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.
Click Finish, and then click Yes to restart AD CS.
Create a CA debug log
To create a debug log:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.
Click Start, point to Administrative Tools, and click Services.
Select the Active Directory Certificate Services service, and click Start.
When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory.
When you have finished generating the diagnostics, open a command prompt window, type certutil -delreg ca\debug and press ENTER to disable debugging.
To confirm the certification authority (CA) registry settings:
After you have finished making any changes to registry settings for the CA, click Start, point to Administrative Tools, and click Certification Authority.
Select the CA name, and click Restart.
Click Start, type cmd and press ENTER.
Type certutil -getreg ca\security and press ENTER.
If there are no more corrupt settings, the text -getreg command completed successfully will appear.
| Target | Microsoft.Windows.CertificateServices.CARole.2016 | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event_ID | 95 | ||
| Event Source | Microsoft-Windows-CertificationAuthority | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | High | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
| WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
| WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
Home
ENU <Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.95" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">95</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageID28e38c0808c649d7b7063997775b7a66"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>