SBS 2011 Active Directory Certificate Services won't start

mybrainhertz
I have an SBS 2011 server on which I have installed a GoDaddy cert for RWW and Exchange. I recently went to renew this cert from the network connectivity screen and the console crashes. I found that AD Certificate Services was not started and fails to start if forced. I get the following error in the system log:

Log Name:      System
Source:        Service Control Manager
Date:          9/10/2013 10:16:56 AM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX.xxx.local
Description:
The Active Directory Certificate Services service terminated with service-specific error %%-939523595.

Google shows very little regarding that error code; all references seem to be to Windows Home Server, and the solution was a reinstall of the server, which would not be practical here.

I noticed a few DCOM errors as well, stating that SYSTEM and NETWORK SERVICE didn't have local launch permissions for CertSrv Request. I edited the permissions for these two accounts to grant them local launch (as well as all other available permissions). This did not resolve the problem.

Any advice on how to proceed would be appreciated.

Commented:
What are the parameters for the service?  Are you running the service as local system or a domain account?  If it's a domain account, what permissions does that account have?

Commented:
Increase the logging level using this article and check error logs again.

Author

Commented:
The service is running under the local system account.  I tried increasing the logging level, but I'm not sure it's going to make a difference since the service doesn't start.  The system log error is coming from SCM.  I did find some errors like the one below:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          9/10/2013 1:19:27 PM
Event ID:      17
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      IMCSERVER.imc.local
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for imc-IMCSERVER-CA.  The log file is damaged. 0xc80001f5 (ESE: -501).


Log Name:      Application
Source:        ESENT
Date:          9/10/2013 1:19:27 PM
Event ID:      454
Task Category: Logging/Recovery
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      IMCSERVER.imc.local
Description:
certsrv.exe (20524) Database recovery/restore failed with unexpected error -501.

The steps outlined in KB930832, as mentioned in several articles, are stated as being for Server 2008. Does this still apply to Server 2008 and SBS 2011? Does it affect the log file?

Author

Commented:
Tried the steps outlined in the article, but esentutl.exe /g says it can't find the database. In the registry the path is set to the default of c:\windows\system32\certlog.

Commented:
You need to type in the full path to the database name:

Esentutl.exe /g "C:\Somefolder\someFile.ext"

Author

Commented:
OK, I was able to get it to find the database, and I get a message that the database is not up to date, asking me if I want to abort. Here is the error message I get when I do:

Operation terminated with error -550 (JET_errDatabaseDirtyShutdown, Database was not shutdown cleanly. Recovery must first be run to properly complete database operations for the previous shutdown.) after 28.486 seconds.

Considering I've been seeing this in my App logs:
certsrv.exe (23012) Database recovery/restore failed with unexpected error -501.
I would bet the recovery is not going to work.
Didn't find much when searching for the -550 error other than a suggestion to delete the log files and see if Certificate Services starts.
Ended up putting in a call to Microsoft. Here is what they ultimately did to resolve this:

-Moved the log files in the certlog folder to a different location, except the .edb file

-Ran a defragment of the .edb in the certlog folder using C:\Windows\System32\CertLog>eseutil /d imc-IMCSERVER-CA.edb

-Also repaired the CA.edb using C:\Windows\System32\CertLog>eseutil /p imc-IMCSERVER-CA.edb
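The recovery sequence above, written out as an added PowerShell example (not from the thread or from Microsoft support): it reads the CA name and database paths from the CertSvc registry configuration, takes a full copy of the CertLog folder before touching anything, checks the ESE header state, and only escalates from soft recovery (/r) to hard repair (/p) when the database is still dirty, before the defragment (/d). It assumes an elevated prompt on the CA itself and the in-box esentutl.exe; the backup folder under $env:TEMP is a constructed choice.

```powershell
# Added example: recover the AD CS ESE database conservatively. Not the thread's own commands.
# Assumes elevation on the CA, esentutl.exe on PATH, and the standard CertSvc registry layout.
$ErrorActionPreference = 'Stop'
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = $cfg.Active                       # CA common name, e.g. "imc-IMCSERVER-CA" in the thread
$dbDir  = $cfg.DBDirectory                  # default C:\Windows\System32\CertLog
$logDir = $cfg.DBLogDirectory               # edb*.log, edb.chk, edbres*.jrs live here
$sysDir = $cfg.DBSystemDirectory
$dbFile = Join-Path $dbDir "$caName.edb"

Stop-Service CertSvc -ErrorAction SilentlyContinue

# 1. Copy (not move) the whole CertLog folder first; the thread only moved the logs aside.
$backup = Join-Path $env:TEMP ("CertLog-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
Copy-Item $dbDir $backup -Recurse
Write-Host "Backup written to $backup"

function Get-DbState {
    # Parse the "State:" line of the ESE header dump: "Clean Shutdown" or "Dirty Shutdown".
    $hdr = & esentutl.exe /mh $dbFile
    ($hdr | Select-String '^\s*State:\s*(.+)$').Matches[0].Groups[1].Value.Trim()
}

$state = Get-DbState
Write-Host "Database state before recovery: $state"

if ($state -ne 'Clean Shutdown') {
    # 2. Soft recovery replays the edb*.log files; this is what -550 JET_errDatabaseDirtyShutdown asks for.
    & esentutl.exe /r edb /l $logDir /s $sysDir /d $dbDir
    $state = Get-DbState
}
if ($state -ne 'Clean Shutdown') {
    # 3. Hard repair discards damaged pages (lossy). Only when soft recovery did not bring the DB clean.
    & esentutl.exe /p $dbFile
    # After /p the old logs and checkpoint no longer match the database; move them out of the way.
    $stale = New-Item -ItemType Directory -Path (Join-Path $backup 'stale-logs')
    Get-ChildItem $logDir -Filter 'edb*' | Move-Item -Destination $stale.FullName
}

# 4. Offline defragment rebuilds the file; requires a clean-shutdown database (the thread's /d step).
& esentutl.exe /d $dbFile
Write-Host "Database state after recovery: $(Get-DbState)"

Start-Service CertSvc
Get-Service CertSvc | Select-Object Name, Status
```

If the service still fails after this, the Application log entries from Microsoft-Windows-CertificationAuthority and ESENT (Event IDs 17 and 454 in the thread) will name the next failing step.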

Author

Commented:
I had to ultimately call Microsoft although the help provided was in the right direction.
