SBS 2011 Active Directory Certificate Services won't start

I have an SBS 2011 server on which I have installed a GoDaddy cert for RWW and Exchange. I recently went to renew this cert from the network connectivity screen and the console crashes. I found that AD Certificate Services was not started and fails to start if forced. I get the following error in the system log:

Log Name:      System
Source:        Service Control Manager
Date:          9/10/2013 10:16:56 AM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX.xxx.local
Description:
The Active Directory Certificate Services service terminated with service-specific error %%-939523595.

Google shows very little regarding that error code; all references seem to be to Windows Home Server, and the solution was a reinstall of the server, which would not be practical here.

I noticed a few DCOM errors as well, stating that system and network service didn't have local launch permissions for certsrv request. I edited the permissions for these two accounts to grant them local launch (as well as all other available permissions). This did not resolve the problem.

Any advice on how to proceed would be appreciated.
mybrainhertz Asked:

piattnd Commented:
What are the parameters for the service?  Are you running the service as local system or a domain account?  If it's a domain account, what permissions does that account have?
0
piattnd Commented:
0
piattnd Commented:
Increase the logging level using this article and check error logs again.
0
mybrainhertz Author Commented:
The service is running under the local system account. I tried increasing the logging level, but I'm not sure it's going to make a difference since the service doesn't start. The system log error is coming from SCM. I did find some errors like the one below:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          9/10/2013 1:19:27 PM
Event ID:      17
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      IMCSERVER.imc.local
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for imc-IMCSERVER-CA.  The log file is damaged. 0xc80001f5 (ESE: -501).


Log Name:      Application
Source:        ESENT
Date:          9/10/2013 1:19:27 PM
Event ID:      454
Task Category: Logging/Recovery
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      IMCSERVER.imc.local
Description:
certsrv.exe (20524) Database recovery/restore failed with unexpected error -501.

The steps outlined in KB930832, as mentioned in several articles, are stated as being for Server 2008. Does this still apply to Server 2008 and SBS 2011? Does it affect the log file?
0
piattnd Commented:
0
mybrainhertz Author Commented:
Tried the steps outlined in the article, but esentutl.exe /g says it can't find the database. In the registry the path is set to defaults of c:\windows\system32\certlog.
0
piattnd Commented:
You need to type in the full path to the database name:

Esentutl.exe /g "C:\Somefolder\someFile.ext"
0
mybrainhertz Author Commented:
OK, was able to get it to find the database and I get a message that the database is not up to date and asks me if I want to abort.  Here is the error message I get when I do:
Operation terminated with error -550 (JET_errDatabaseDirtyShutdown, Database was
 not shutdown cleanly. Recovery must first be run to properly complete database
operations for the previous shutdown.) after 28.486 seconds.

Considering I've been seeing this in my App logs:
certsrv.exe (23012) Database recovery/restore failed with unexpected error -501.
I would bet the recovery is not going to work.
Didn't find much when searching for the -550 error other than a suggestion to delete the log files and see if certificate services starts.
0
mybrainhertz Author Commented:
Ended up putting in a call to Microsoft. Here is what they ultimately did to resolve this:

- Moved the log files in the certlog folder to a different location, except the .edb file

- Ran a defragment of the .edb in the certlog folder using C:\Windows\System32\CertLog>eseutil /d imc-IMCSERVER-CA.edb

- Also repaired the CA.edb using C:\Windows\System32\CertLog>eseutil /p imc-IMCSERVER-CA.edb
1
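
A pre-repair snapshot and header check for the steps in the post above, as an added example that is not part of the original thread or of Microsoft's procedure. It assumes an elevated PowerShell prompt, the standard CertSvc registry layout, and a hypothetical backup destination D:\CertLog-backup.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$BackupRoot = 'D:\CertLog-backup'   # hypothetical destination (assumption)

# CertSvc records where its ESE database and transaction logs live.
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbDir  = $cfg.DBDirectory          # default: C:\Windows\System32\CertLog
$logDir = $cfg.DBLogDirectory

# Make sure nothing holds the files open (no-op if the service is already stopped).
Stop-Service -Name CertSvc -Force

# Snapshot the .edb, logs and checkpoint before anything is moved or repaired.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null
foreach ($dir in @($dbDir, $logDir) | Select-Object -Unique) {
    Copy-Item -Path (Join-Path $dir '*') -Destination $dest -Recurse -Force
}

# The CA database is the .edb named after the CA; tmp.edb is ESE scratch space.
$edb = Get-ChildItem -Path $dbDir -Filter '*.edb' |
       Where-Object { $_.Name -ne 'tmp.edb' } | Select-Object -First 1
if (-not $edb) { throw "No CA database found in $dbDir" }

# esentutl /mh dumps the database header, including its shutdown state.
$header = & esentutl.exe /mh $edb.FullName
$match  = $header | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
$state  = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }

"Backup written to : $dest"
"Database          : $($edb.FullName)"
"Header state      : $state"
if ($state -like 'Dirty Shutdown*') {
    'Log replay is still owed; /g will stop with -550 until recovery or repair succeeds.'
}
```

Keep the snapshot until the CA service has started and been checked, since the /p repair can discard pages it cannot fix.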

mybrainhertz Author Commented:
I had to ultimately call Microsoft although the help provided was in the right direction.
0