• Status: Solved

Active Directory Certificate Authority will not start

I have a 1-year-old SBS 2011 server. While trying to renew a certificate through the SBS console, the wizard failed. I have event ID 100 logged with the message: AD certificate service did not start: Could not load the current CA certificate. <server> Keyset does not exist 0x80090016. I cannot manage any certificates through the wizard or the MMC snap-in. How do I regain control and renew the server's self-signed certificate?
Asked by: THEarle

Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
You receive error message 0x80090016 or error message 0x8009000f when you try to schedule a task
http://support.microsoft.com/kb/246183

- Rancy
 
Michael Pfister Commented:
It seems your CA got damaged. This might help, but it's for Windows 2008, not SBS 2011:

http://phreek.org/blog/2011/10/windows-2008-ca---keyset-does-not-exist-0x80090016--2146893802
 
THEarle (Author) Commented:
Thanks mpfister, I am leery of removing the ADCS role but that may be the way to go. I will reread that KB tonight when everyone is off the system and maybe try it.
It seems that the link refers to the inability to read the cert; in my case, it can read the cert and knows it is expired, but why would the service to issue certs not start? I do not see why that service would have any dependencies at all. Has anyone seen the exact problem I have, that the internal cert is expired?
 
Michael Pfister Commented:
Still really strange since a domain controller should just renew its own cert...
 
THEarle (Author) Commented:
The Wizard will not work while the Active Directory Certificate Service is stopped.  What would be the danger of removing the cert role and re-adding it?

Has no one else seen this error?
 
THEarle (Author) Commented:
Additional error message: The Active Directory Certificate service terminated with service-specific error %%-2146893802. I have not been able to find any relevant information on this error code.
 
Michael Pfister Commented:
Since it's not working anyway, removing and re-adding it shouldn't do any harm. But it's SBS ...
I'd rather do an image backup before starting experiments.

Or convert it to a virtual machine and do your experiments with the VM first to see what really helps.
 
THEarle (Author) Commented:
Thanks mpfister. I agree, tomorrow while they are enjoying a long weekend, I will try it and let you know.
 
THEarle (Author) Commented:
Thanks mpfister for your help. I ripped and reinstalled the certificate role from the DC without problems. When reinstalled, a new local key was created with a new key. Then I was able to rekey our GoDaddy remote cert and applied it successfully. Problem solved, thanks.
 
Michael Pfister Commented:
Glad it helped