Collection Rule for event with source OnlineResponder and ID 34

Summary

Certification authorities (CAs) need adequate system resources and operating system components to function. If a server has insufficient memory or hard disk space, or if operating system components become unavailable, attempts to start Active Directory Certificate Services (AD CS) can fail.

Resolutions

Fix problems with remote procedure call (RPC)

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To resolve problems with remote procedure call (RPC):

• Check the event log message, as well as any additional messages preceding or immediately following this event for additional information.

• Use the Reliability and Performance Monitor to assess memory and disk usage on the computer hosting the certification authority (CA). If necessary, increase Windows resources by adding physical memory, virtual memory, or physical storage.

• Restart the computer and, if it does not restart automatically, the CA.

• If this does not resolve the problem, you may need to restore Windows and the CA from a full backup.

• You can use the procedures in the "Create a debug log" and "Enable CryptoAPI 2.0 Diagnostics" sections to compile information that will be useful if you need to contact Microsoft Customer Service and Support.

Create a debug log

To create a debug log:

• On the computer hosting the CA, click Start, type cmd and press ENTER.

• Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.

• Click Start, point to Administrative Tools, and click Services.

• Select the Active Directory Certificate Services service, and click Start.

• When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory.

• When you have finished generating the diagnostics, disable debugging by opening a command prompt window.

• Type certutil -delreg ca\debug and press ENTER.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

• On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.

• In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.

• Right-click Operational, and click Enable Log.

• Click Start, point to Administrative Tools, and click Services.

• Right-click Active Directory Certificate Services, and click Restart.

Additional

To confirm that the CA service is available:

• On the computer hosting the CA, click Start, type cmd and press ENTER.

• Type certutil -config <CAconfig> -ping and press ENTER.

CAconfig is the CA configuration string, in the form CAhostname\CAname.