Unable to Start AD CA Certification Service

Posted on 2016-09-09
Last Modified: 2016-10-01
Active Directory Certificate Authority Root

When I attempt to start the certificate service, I get the error:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)

The policy module for a CA is missing or incorrectly registered. To view or change the policy module settings, right-click on the CA, click Properties, and then click on the Policy Module tab.
So I click on Properties and the “Policy Module tab”. I click on “Select”, which brings up “Set Active Policy Module”. The only option to select is “Windows Default” which is already selected. I click OK and try to start the Certification Service and receive same error.

I checked the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name\PolicyModules
That has a string value named “Active” with a value of CertificateAuthority_MicrosoftDefault.Policy

Just to make sure I reregistered the certpdef.dll but that didn’t change anything.

The Event Viewer says:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  (Name of our certificate authority) The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND).

Background:
Our certificate server is a 2012R2 member server. I migrated the certificate services from a 2003 member server which is being deactivated.

The local group: “Certificate Service DCOM Access” membership is Authenticated Users

The AD group: “Certificate Service DCOM Access” membership is Authenticated Users, Domain Users, and Domain Computers.

The Enterprise group “Cert Publishers” sole member is our certificate server.

In Active Directory Sites and Services/Services/Public Key Services
AIA Contains the certificationAuthority object for our root CA and the certificate server has full permissions.
CDP
Contains the Name of our Certification Server which contains cRLDistributionPoint object with the name of our Certification Authority and our certificate server has full permissions.

Does anyone have an idea about how to fix this?
Question by:batesit

Expert Comment

by:Learnctx
ID: 41792234
Check that you have actually finished the CA setup in server manager. In server manager go to the AD CS section or check the notification flag at the top right. Does it give a notification to complete the configuration of AD CS?

Author Comment

by:batesit
ID: 41794209
Learnctx,

Thanks for that. Good thinking, and at first that’s what I thought it was too. Unfortunately, after completing the configuration, the service still would not start. I do appreciate your help though.

Expert Comment

by:Learnctx
ID: 41795163
OK, I'm assuming when you migrated the CA over you took a registry backup of the settings? Do all the paths in the registry backup from the old server exist on the new server?

Author Comment

by:batesit
ID: 41796056
Learnctx, Thanks for your help. Yes I did migrate the CA over from our old CA and I imported the registry key from the old server. However, I'm not sure what paths I should be looking for. I would assume that when I imported the registry key, everything would go along with it. Is there something specific I should be looking for?

Expert Comment

by:Learnctx
ID: 41797117
As part of the migration you would backup the previous CA registry settings (see here). So when you do the import process of these settings here, you want to check the paths, any of them but mostly the paths in step 4 for DBDirectory, DBLogDirectory, DBSystemDirectory, DBTempDirectory, ConfigurationDirectory.

Author Comment

by:batesit
ID: 41798046
Learnctx, Thanks for your help. So I checked the registry. The first four paths that you mentioned: DBDirectory, DBLogDirectory, DBSystemDirectory, DBTempDirectory, match the default paths that I chose when I installed certificate services on this server. I checked the directory, and I can identify the Database file, the Database Log files, and the Database Temp file(s). I am not sure what the Database "System" file is, if it is different than the Database itself. What would the file extension be for the "DBSystem"? This could be the problem. I did check the CACertPublicationURLs and CRLPublicationURLs and those paths are correct.

Accepted Solution

by:batesit
ID: 41816795
I ended up submitting a support ticket with Microsoft. As I expected the Tech that I was working with figured it out in no time. Initially she spent about an hour on it. The things she was clicking on made me wonder if she knew what she was doing, but suddenly she was in the registry making a change. She went to registry HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\ certhash, and replaced all the stale certificate entries with “-“ and kept only the valid two certificate hashes. After that the Certificate Service was able to start, however, I then realized that devices could not connect to our secure wireless network which is what we mainly use certificates for. Also there were errors on the Certificate Server. The Tech worked for a couple more hours to fix those errors, and we continued into the next day. When she finished up everything was working. In the dozens of articles I read on Moving the Certificate Authority and troubleshooting the problem I was having, I came across no articles which led me to the "Certhash" key and the other things she fixed. I would have never figured all that out on my own. So it was worth the $495 bucks we paid Microsoft.
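A post-migration check that ties together the two things this thread turns on: the CertSvc directory values Learnctx points at (DBDirectory, DBLogDirectory, DBSystemDirectory, DBTempDirectory, ConfigurationDirectory) and whether the CA certificate hashes the registry references actually resolve to certificates in the machine store, which is the kind of stale-hash mismatch behind "Could not load or verify the current CA certificate". This is an added example, not from the thread or from Microsoft; it assumes one CA under the Configuration key and that the CACertHash multi-string value (not named in the thread) holds the CA certificate thumbprints, and it is meant to be run in an elevated PowerShell on the CA server.

```powershell
# Added example: audit the CertSvc registry paths and CA certificate hashes after a CA migration.
# Assumes a single CA is registered; run elevated on the CA server.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active   # common name of the active CA
$caKey  = Join-Path $base $caName
$cfg    = Get-ItemProperty -Path $caKey

# 1. Directory values from the migration guidance: each must exist on the new server,
#    otherwise CertSvc fails with ERROR_FILE_NOT_FOUND at start-up.
$dirValues = 'DBDirectory','DBLogDirectory','DBSystemDirectory','DBTempDirectory','ConfigurationDirectory'
foreach ($name in $dirValues) {
    $path   = $cfg.$name
    $exists = -not [string]::IsNullOrEmpty($path) -and (Test-Path -LiteralPath $path)
    '{0,-24} {1,-8} {2}' -f $name, $(if ($exists) { 'OK' } else { 'MISSING' }), $path
}

# 2. Policy module registration (the value the question already verified by hand).
$policyKey = Join-Path $caKey 'PolicyModules'
$active    = (Get-ItemProperty -Path $policyKey -Name Active).Active
"PolicyModules\Active     = $active"

# 3. CACertHash (assumed REG_MULTI_SZ of thumbprints, one per CA certificate generation).
#    Every listed hash should match a certificate in LocalMachine\My; an entry with no
#    matching certificate is a stale hash left over from the old server.
$storeThumbs = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -ExpandProperty Thumbprint
foreach ($hash in @($cfg.CACertHash)) {
    $thumb = ($hash -replace '\s', '').ToUpperInvariant()   # registry form may contain spaces
    $found = $storeThumbs -contains $thumb
    '{0,-8} CACertHash {1}' -f $(if ($found) { 'OK' } else { 'STALE' }), $thumb
}
```

Any MISSING directory or STALE hash reported here is a concrete item to reconcile against the backup taken from the old CA before touching the registry by hand.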

Author Closing Comment

by:batesit
ID: 41824623
The solution was, Microsoft Tech Support found the problem and fixed the issues we were having.