Active Directory Certificate Authority will not start

I have a 1-year-old SBS 2011 server. While trying to renew a certificate through the SBS console, the wizard failed. I have event ID 100 logged with the message: AD certificate service did not start: Could not load the current CA certificate. <server> Keyset does not exist 0x80090016. I cannot manage any certificates through the wizard or the MMC snap-in. How do I regain control and renew the server's self-signed certificate?
THEarle Asked:
 
Michael Pfister Commented:
Since it's not working anyway, removing and re-adding it shouldn't do any harm. But it's SBS ...
I'd rather do an image backup before starting experiments.

Or convert it to a virtual machine and do your experiments with the VM first to see what really helps.
 
Manpreet Singh Khatra, Solutions Architect, Project Lead, Commented:
You receive error message 0x80090016 or error message 0x8009000f when you try to schedule a task
http://support.microsoft.com/kb/246183

- Rancy
 
Michael Pfister Commented:
It seems your CA got damaged. This might help, but it's for Windows 2008, not SBS 2011

http://phreek.org/blog/2011/10/windows-2008-ca---keyset-does-not-exist-0x80090016--2146893802
 
THEarle (Author) Commented:
Thanks mpfister, I am leery of removing the ADCS role but that may be the way to go. I will reread that KB tonight when everyone is off the system and maybe try it.
It seems that the link refers to the inability to read the cert; in my case, it can read the cert and knows it is expired, but why would the service to issue certs not start? I do not see why that service would have any dependencies at all. Has anyone seen the exact problem I have, that the internal cert is expired?
 
Michael Pfister Commented:
Still really strange since a domain controller should just renew its own cert...
 
THEarle (Author) Commented:
The Wizard will not work while the Active Directory Certificate Service is stopped.  What would be the danger of removing the cert role and re-adding it?

Has no one else seen this error?
 
THEarle (Author) Commented:
Additional error message: The Active Directory Certificate service terminated with service-specific error %%-2146893802. I have not been able to find any relevant information on this error code.
 
THEarle (Author) Commented:
Thanks mpfister. I agree, tomorrow while they are enjoying a long weekend, I will try it and let you know.
 
THEarle (Author) Commented:
Thanks mpfister for your help. I ripped and reinstalled the certificate role from the DC without problems. When reinstalled a new local key was created with a new key. Then I was able to rekey our GoDaddy remote cert and applied it successfully. Problem solved, thanks.
 
Michael Pfister Commented:
Glad it helped
Question has a verified solution.