Certificate Services did not start: service thread.
Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.
Fix problems with AD CS service threads
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To resolve service thread problems that prevent Active Directory Certificate Services (AD CS) from starting:
Check the event log message, as well as any additional messages, preceding or immediately following this one for additional information.
Use the Reliability and Performance Monitor to assess memory and disk usage on the computer hosting the certification authority (CA). If necessary, increase Windows resources by adding physical memory, virtual memory, or physical storage.
Restart the computer and, if it does not restart automatically, the CA.
If this does not resolve the problem, you may need to restore Windows and the CA from a full backup.
You can use the procedures in the "Create a debug log" and "Enable CryptoAPI 2.0 Diagnostics" sections to compile information that will be useful if you need to contact Microsoft Customer Service and Support.
Create a debug log
To create a debug log:
On the computer hosting the CA, click Start, type cmd and press ENTE.
Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.
Click Start, point to Administrative Tools, and click Services.
Select the Active Directory Certificate Services service, and click Start.
When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory.
When you have finished generating the diagnostics, disable debugging by opening a command prompt window.
Type certutil -delreg ca\debug and press ENTER.
Enable CryptoAPI 2.0 Diagnostics
To enable CryptoAPI 2.0 Diagnostics:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
Right-click Operational, and click Enable Log.
Click Start, point to Administrative Tools, and click Services.
Right-click Active Directory Certificate Services, and click Restart.
To confirm that the CA service is available:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -config <CAconfig> -ping and press ENTER.
CAconfig is the CA configuration string, in the form CAhostname\CAname.
| Target | Microsoft.Windows.CertificateServices.CARole.6.3 | ||
| Category | EventCollection | ||
| Enabled | True | ||
| Event_ID | 33 | ||
| Event Source | Microsoft-Windows-CertificationAuthority | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | High | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Application |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
| WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
| WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
Home
ENU <Rule ID="Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.33" Enabled="onEssentialMonitoring" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.6.3" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">33</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageID15d417cc2ece44899816fc367d8af822"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>