troubleshooting Question

Unable to Start AD CA Certification Service

Avatar of batesit
batesitFlag for United States of America asked on
Active DirectoryWindows Server 2012Microsoft Server Apps
8 Comments1 Solution9589 ViewsLast Modified:
Active Directory Certificate Authority Root

When I attempt to start the certificate service, I get the error:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)

The policy module for a CA is missing or incorrectly registered. To view or change the policy module settings, right-click on the CA, click Properties, and then click on the Policy Module tab.
So I click on Properties and the “Policy Module tab”. I click on “Select”, which brings up “Set Active Policy Module”. The only option to select is “Windows Default” which is already selected. I click OK and try  to start the Certification Service and receive same error.

I checked the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name\PolicyModules
That has a string value named “Active” with a value of CertificateAuthority_MicrosoftDefault.Policy

Just to make sure I reregistered the certpdef.dll but that didn’t change anything.

The Event Viewer says:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  (Name of our certificate authority) The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND).

Background:
Our certificate server is a 2012R2 member server. I migrated the certificate services from a 2003 member server which is being deactivated.

The local group: “Certificate Service DCOM Access” membership is Authenicated Users

The AD group: “Certificate Service DCOM Access” membership is Authenicated Users, Domain Users, and Domain Computers.

The Enterprise group “Cert Publishers” sole member is our certificate server.

In Active Directory Sites and Services/Services/Public Key Services
AIA Contains the certificationAuthority object for our root CA and the certificate server has full permissions.
CDP
Contains the Name of our Certification Server which contains cRLDistributionPoint object with the name of our Certification Authority and our certificate server has full permissions.

Does anyone have an idea about how to fix this?
ASKER CERTIFIED SOLUTION
batesit

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 8 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 8 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros