mybrainhertz
asked on
SBS 2011 Active Directory Certificate Services won't start
I have an sbs 2011 server on which I have installed a godaddy cert for RWW and Exchange. I recently went to renew this cert from the network connectivity screen and the console crashes. I found that AD certificate services was not started and fails to start if forced. I get the following error in the system log:
Log Name: System
Source: Service Control Manager
Date: 9/10/2013 10:16:56 AM
Event ID: 7024
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXX.xxx.local
Description:
The Active Directory Certificate Services service terminated with service-specific error %%-939523595.
Google shows very little regarding that error code, all references seem to be to Windows Home Server and the solution was a reinstall of server, which would not be practical here.
I noticed a few dcom errors as well, stating that system and network service didn't have local launch permissions for certsrv request. I edited the permissions for these two accounts to grant them local launch, (as well as all other available permissions). This did not resolve the problem.
Any advice on how to proceed would be appreciated.
Log Name: System
Source: Service Control Manager
Date: 9/10/2013 10:16:56 AM
Event ID: 7024
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXX.xxx.local
Description:
The Active Directory Certificate Services service terminated with service-specific error %%-939523595.
Google shows very little regarding that error code, all references seem to be to Windows Home Server and the solution was a reinstall of server, which would not be practical here.
I noticed a few dcom errors as well, stating that system and network service didn't have local launch permissions for certsrv request. I edited the permissions for these two accounts to grant them local launch, (as well as all other available permissions). This did not resolve the problem.
Any advice on how to proceed would be appreciated.
What are the parameters for the service? Are you running the service as local system or a domain account? If it's a domain account, what permissions does that account have?
Also, do you see any additional errors as noted in this link (you probably saw it):
http://social.microsoft.co
http://social.microsoft.co
Increase the logging level using this article and check error logs again.
ASKER
The service is running under the local system account. I tried increasing the logging level, but I'm not sure it's going to make a difference since the service doesn't start. The system log error is coming from SCM. I did find some errors like the one below:
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 9/10/2013 1:19:27 PM
Event ID: 17
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: IMCSERVER.imc.local
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for imc-IMCSERVER-CA. The log file is damaged. 0xc80001f5 (ESE: -501).
Log Name: Application
Source: ESENT
Date: 9/10/2013 1:19:27 PM
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: IMCSERVER.imc.local
Description:
certsrv.exe (20524) Database recovery/restore failed with unexpected error -501.
The steps outlined in kb930832 as mentioned in several articles are stated as being for server 2008, does this still apply to server2008 and sbs2011? Does it affect the log file?
Log Name: Application
Source: Microsoft-Windows-Certific
Date: 9/10/2013 1:19:27 PM
Event ID: 17
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: IMCSERVER.imc.local
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for imc-IMCSERVER-CA. The log file is damaged. 0xc80001f5 (ESE: -501).
Log Name: Application
Source: ESENT
Date: 9/10/2013 1:19:27 PM
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: IMCSERVER.imc.local
Description:
certsrv.exe (20524) Database recovery/restore failed with unexpected error -501.
The steps outlined in kb930832 as mentioned in several articles are stated as being for server 2008, does this still apply to server2008 and sbs2011? Does it affect the log file?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Tried the steps outlined in the article, but esentutil.exe /g says it can't find the database. In the registry the path is set to defaults of c:\windows\system32\certlo
You need to type in the full path to the database name:
Esentutl.exe /g "C:\Somefolder\someFile.ex
Esentutl.exe /g "C:\Somefolder\someFile.ex
ASKER
OK, was able to get it to find the database and I get a message that the database is not up to date and asks me if I want to abort. Here is the error message I get when I do:
Operation terminated with error -550 (JET_errDatabaseDirtyShutd
not shutdown cleanly. Recovery must first be run to properly complete database
operations for the previous shutdown.) after 28.486 seconds.
Considering I've been seeing this in my App logs:
certsrv.exe (23012) Database recovery/restore failed with unexpected error -501.
I would bet the recovery is not going to work.
Didn't find much when searching for the -550 error other than a suggestion to delete the log files and see if certificate services starts.
Operation terminated with error -550 (JET_errDatabaseDirtyShutd
not shutdown cleanly. Recovery must first be run to properly complete database
operations for the previous shutdown.) after 28.486 seconds.
Considering I've been seeing this in my App logs:
certsrv.exe (23012) Database recovery/restore failed with unexpected error -501.
I would bet the recovery is not going to work.
Didn't find much when searching for the -550 error other than a suggestion to delete the log files and see if certificate services starts.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I had to ultimately call Microsoft although the help provided was in the right direction.