Re: Certificate Services fails to start



Hi Steve,

Thanks for your detailed information. I appreciate your time and efforts on
the issue.

Please follow the steps below to try to resolve the issue:

1. Open the ODBC Data Sources (Start -> Administrative Tools -> Data
Sources).
2. If you see a User DSN named CertSrv that is using the Access database,
click Remove. Or, if there is no System DSN entry named CertSrv under the
System DSN tab, please continue with the 3rd step.
3. Recreate the User DSN as a System DSN named CertSrv:

a. On the System DSN tab, click Add.
b. Click Microsoft Access Driver (*.mdb), and then click Finish.
c. On the ODBC Microsoft Access Setup Page, type CertSrv for the Data
Source Name.
d. Under Database, click Select.
e. Point to the %SystemRoot%\System32\CertLog\certsrv.mdb file, and then
click OK.
f. On the ODBC Microsoft Access Setup Page, click Advanced, and then
configure the Default Authorization Login Name box to use Admin and no
password.

4. Restart the Certificate Server Service.

How about the result?

If the problem persists, you may need to reinstall the Certificate
services.
This process breaks down into 4 steps:

1) Back up the CA private key, certificate, and database.
2) Uninstall Certificate Services.
3) Reinstall Certificate Services with the backed up private key and
certificate.
4) Restore the database.

* Back up the CA Private Key, Certificate, and Database

1) In the Certification Authority console, right-click on the CA name,
click "All Tasks", and select "Backup CA...".
2) The "Certification Authority Backup Wizard" will start. Click Next.
3) Check "Private key and CA certificate" as well as "Issued certificate
log and pending certificate request queue". DO NOT check "Perform
incremental backup".
4) Provide the backup directory path, and click Next.
5) Enter a password. This password protects the private key in the export
file. Click Next.
6) The completion page will display. Verify that the private key, CA
certificate, and issued log and pending requests will be backed up. Click
Finish.
7) The CA is now backed up. If you check the backup folder, you will
discover a .P12 file -- which contains the private key and certificate of
the CA -- as well as a folder called Database, which contains CA Log files.

* Uninstall the CA

We'll use the certutil.exe utility to shut down the CA and delete the
private key store prior to uninstalling Certificate Services.

1) Go to the command prompt.
2) Type "certutil -shutdown" and press enter. This will stop the CA.
3) Type "certutil -key" and press enter. This will enumerate all the
Cryptographic Service Providers installed under Windows 2000, as well as
each of the key stores available to those providers. In the list of key
stores, you will see several that have the same name as your CA. You will
need to delete these key stores.
4) Type "certutil -delkey", followed by the name of your CA, and then press
enter.
If your CA name contains spaces, you will need to enclose it in quotes. If
successful, certutil.exe will simply return the name of your CA.
5) Type "certutil -key" and press enter to verify that the key store for
your CA has been removed.
6) Uninstall Certificate Services using Add/Remove Programs.

* Reinstall Certificate Services with the Backed Up Private Key and
Certificate

1) Reinstall Certificate Services via Add/Remove Programs.
2) During the install of Certificate Services, select the type of CA you
are restoring -- Enterprise or Standalone, Root or Subordinate.
3) Check "Advanced Options", and click Next.
4) On the "Public and Private Key Pair" page, click Import.
5) Select the .P12 file in the backup folder, provide the password
specified during the backup, and click OK.
6) Upon returning to the "Public and Private Key Pair Page", you should see
the following:
- "Use existing keys" is checked.
- Your CA name is selected in the list of key stores.
- "Use the associated certificate" is checked.
7) Click Next.
8) The CA identifying information is pulled from the certificate just
imported. Click Next.
9) Specify the paths for the CA Database and log files. The database and
log-file paths must be the same on both the new and old installs. Click
Next.
10) The Certificate Services install will proceed normally. Click Finish
when it completes.

* Restore the Database

1) In the Certification Authority console, right-click on the CA name,
click "All Tasks", and select "Restore CA...".
2) Click OK to stop Certificate Services in order to perform the restore.
3) The "Certification Authority Restore Wizard" will start. Click Next.
4) Check "Issued certificate log and pending certificate request queue",
specify the backup folder, and click Next.
5) The completion page will display. Verify that the issued log and pending
requests will be restored. Click Finish.
6) Select Yes to restart Certificate Services.

More info:
298138 How to move a certification authority to another server
http://support.microsoft.com/?id=298138

I look forward to your reply and will be happy to provide further assistance.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
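
Before the "certutil -delkey" step under "Uninstall the CA" above, it is worth confirming that the backup folder really holds a usable private key and database. The following PowerShell check is an added example, not part of the original post; the function name Test-CABackup, its parameters, and the sample path and CA name are hypothetical, and the .edb check assumes a full (non-incremental) backup places the database file in the Database folder.

```powershell
# Added example, not from the original thread. Run on the CA server after the
# Backup Wizard finishes and before "certutil -delkey".
# Test-CABackup and its parameter names are hypothetical.
function Test-CABackup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupPath,       # folder given to the Backup Wizard
        [Parameter(Mandatory)] [string] $CAName,           # name you will pass to certutil -delkey
        [Parameter(Mandatory)] [securestring] $Password    # password set in the wizard
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # The wizard writes one .P12 (private key + CA certificate) into the folder.
    $p12 = @(Get-ChildItem -LiteralPath $BackupPath -Filter '*.p12' -File -ErrorAction SilentlyContinue)
    if ($p12.Count -ne 1) {
        $problems.Add("Expected exactly one .p12 in '$BackupPath', found $($p12.Count).")
    }

    # It also writes a Database folder holding the CA log files.
    $dbDir = Join-Path $BackupPath 'Database'
    if (-not (Test-Path -LiteralPath $dbDir -PathType Container)) {
        $problems.Add("Folder '$dbDir' is missing.")
    } elseif (-not (Get-ChildItem -LiteralPath $dbDir -Filter '*.edb' -File)) {
        # Assumption: a full backup includes the .edb database file.
        $problems.Add("No .edb file in '$dbDir'; the database backup looks incomplete.")
    }

    $thumbprint = $null
    if ($p12.Count -eq 1) {
        try {
            # Opening the file proves the password is correct and the file is readable.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $p12[0].FullName, $Password
            $thumbprint = $cert.Thumbprint

            if (-not $cert.HasPrivateKey) {
                $problems.Add('The .p12 opened but contains no private key.')
            }
            # Assumption: the CA name is the common name in the certificate subject.
            $cn = $cert.GetNameInfo('SimpleName', $false)
            if ($cn -ne $CAName) {
                $problems.Add("Certificate subject '$cn' does not match CA name '$CAName'.")
            }
            $bc = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
            }
            if (-not ($bc -and $bc.CertificateAuthority)) {
                $problems.Add('Certificate is not marked as a CA certificate.')
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                $problems.Add("CA certificate expired on $($cert.NotAfter).")
            }
            $cert.Reset()   # release the certificate object loaded for this check
        } catch {
            $problems.Add("Could not open '$($p12[0].Name)' with the supplied password: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Thumbprint = $thumbprint
        Problems   = $problems.ToArray()
    }
}

# Constructed sample values: replace the path and CA name with your own.
$check = Test-CABackup -BackupPath 'D:\CABackup' -CAName 'ExampleCA' `
    -Password (Read-Host 'Backup password' -AsSecureString)
if ($check.Ok) {
    "Backup verified (thumbprint $($check.Thumbprint)); continue with the uninstall steps."
} else {
    $check.Problems
    'Do not delete the key store until these are resolved.'
}
```

Keep a copy of the verified backup folder off the server, and record the thumbprint so it can be compared with the CA certificate after the reinstall.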

The partner mail content:
===================
Jenny,

Thanks for your messages. Sorry I have not got back to you yet - I've
been very busy.

Currently I have not managed to get any further forward with the
problem. Below are the results of the specific steps you have
suggested:-

1. Service is not started anyway (that's part of the problem!)
2. esentutl does not indicate that the database is corrupt (output
below)

Microsoft(R) Windows(R) Database Utilities
Version 5.2
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating INTEGRITY mode...
Database: C:\WINNT\system32\certlog\PannellSignsCA.edb
Temp. Database: TEMPINTEG9488.EDB

Checking database integrity.

Scanning Status (% complete)

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Integrity check successful.

Operation completed successfully in 0.765 seconds.

3. (Not applicable)

4. a) Certsvc is set to run as Local System account (and the checkbox "Allow
service to interact with desktop" is checked)
b) The system account has full control over the Certlog directory and all
files (there are no sub folders - should there be?)

5. If I attempt to start the service, it initially starts ok

C:\>net start certsvc

The Certificate Services service was started successfully.

However, I then get the following Application event log entry:-

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 17
Date: 15/11/2005
Time: 18:16:32
User: N/A
Computer: PSSERVER
Description:
Certificate Services did not start: Unable to initialize the database
connection for PannellSignsCA. Class not registered 0x80040154
(-2147221164).

And the following System event log entry:-

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 15/11/2005
Time: 18:16:32
User: N/A
Computer: PSSERVER
Description:
The Certificate Services service terminated with service-specific
Error 2147746132 (0x80040154).

I have a backup of the database made some 4 or 5 months ago, just prior
to upgrading from ISA2000 to ISA2003. I restored this (ie overwrote the
current .edb file after copying it elsewhere), but unfortunately I get
exactly the same result when I attempt to start the service.

Regards

Steve Everington
===================

--------------------
>From: v-yanniw@xxxxxxxxxxxxxxxxxxxx ("Jenny wu [MSFT]")
>Organization: Microsoft
>Date: Thu, 10 Nov 2005 12:29:24 GMT
>Subject: Re: Certificate Services fails to start
>
>Hi Steve,
>
>Thanks for your information, I appreciate your time!
>
>Based on the information you provided, it seems the cert database is
>corrupted. Please try the following steps:
>
>1. Run command "net stop certsvc" to stop Certificate Service.
>2. Use Esentutl.exe to run an integrity check of the database.
>
>C:\>esentutl /g %systemroot%\system32\certlog\<ca name>.edb
>
>3. If the database is corrupt, please try running the following command to
>recover the database:
>
>C:\>esentutl /r %systemroot%\system32\certlog\<ca name>.edb
>
>4. If the integrity check passes, please verify the following:
>
>1) CertSvc is running as Local System.
>2) The System account has full control over the Certlog directory and all
>files and subfolders.
>
>5. Run command "net start certsvc" to start Certificate Service
>
>How about the result?
>
>If the issue persists, may I know if you have backed up the certificate
>database? If yes, you can directly restore it to see if everything is fine.
>
>If you have backed up the certificate database, have you backed up the system
>state before? If so, since the System State backup contains the certificate
>database, you can perform the following steps to restore the cert database:
>
>1. Click Start, point to Programs, point to Administrative Tools, and then
>click Certificate Authority.
>2. Right-click the CA, point to All Tasks, and then click Restore CA. When
>you receive the Certification Authority Restore Wizard message that informs
>you that the certificate services cannot be running during the restoration,
>click OK to stop the certificate services.
>3. On the "Welcome to the Certification Authority Restore Wizard" page,
>read the introductory text, and then click Next.
>4. On the "Items to Restore" page, click to select the "Private key and CA
>certificate" and "Issued certificate log and pending certificate request
>queue" check boxes. In the "Restore from this location" box, type the path
>to the certificate services backup, or click Browse to locate the folder.
>Click Next.
>5. On the "Provide Password" page, type the password that was used during
>the certificate services backup in the Password box. Click Next.
>6. On the "Completing the Certification Authority Restore Wizard" page,
>click Finish.
>7. After the restoration is complete, a Certification Authority Restore
>Wizard dialog box informs you that the restoration operation is complete
>and offers to start certificate services. Click OK to start certificate
>services.
>
>How about the result?
>
>Hope the above information helps! I am looking forward to the test result!
>
>Have a nice day!
>
>Sincerely,
>
>Jenny Wu
>Microsoft CSS Online Newsgroup Support
>Get Secure! - www.microsoft.com/security
>
>--------------------
>>Reply-To: "Jenny Wu \(MSFT\)" <v-yanniw@xxxxxxxxxxxxx>
>>From: "Jenny Wu \(MSFT\)" <v-yanniw@xxxxxxxxxxxxx>
>>Subject: Re: Certificate Services fails to start
>>Date: Thu, 10 Nov 2005 03:09:42 +0800
>>
>>Hi Steve,
>>
>>Thanks for your update! I am sorry for not receiving your mail up to now,
>>could you mail me those files again?
>>
>>Please note the mail size should not be too big and you can split them and
>>compress them in zip files to send me in several mails in case mails are
>>blocked as spam.
>>
>>I appreciate your time!
>>
>>Have a nice day!
>>
>>Sincerely,
>>
>>Jenny Wu
>>Microsoft CSS Online Newsgroup Support
>>Get Secure! - www.microsoft.com/security
>>
>>"Steve Everington" <steve.nospam@xxxxxxxxxxxxxxxxxx> wrote in message
>>news:e5i9ezI5FHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
>>> Jenny,
>>>
>>> Thanks for the reply!
>>>
>>> I have sent an email with the results of the specific tests you suggested.
>>> Unfortunately, the end result is still the same in that I cannot get the
>>> Certificate Services Service to start.
>>>
>>> Regards
>>>
>>> Steve Everington
>>>
>>>
>>> ""Jenny wu [MSFT]"" <v-yanniw@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:VE5JayD5FHA.1172@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi Steve,
>>>>
>>>> Thanks for using SBS newsgroup!
>>>>
>>>> From your description, I understand that the Certificate Services fails to
>>>> start and there is error event 17 logged on your SBS 2003 SP1 server box
>>>> with ISA 2004. If I am off base, please don't hesitate to let me know.
>>>>
>>>> Let's try the following suggestions to troubleshoot the issue:
>>>>
>>>> I. Please rerun CEICW to refresh the network connection, the process you must
>>>> do after you applied SBS 2003 SP1 to the SBS server box. It is recommended
>>>> you refer to the following KB article to configure:
>>>>
>>>> 825763 How to configure Internet access in Windows Small Business Server
>>>> 2003
>>>> http://support.microsoft.com/?id=825763
>>>>
>>>> II. Please disable the strict RPC compliance protocol rule in ISA 2004. You
>>>> can configure it as follows:
>>>>
>>>> 1. Open the ISA 2004 server console, locate the Firewall Policy node and
>>>> click it.
>>>> 2. Choose the Firewall Policy rule: SBS Protected Networks Access Rule,
>>>> right click it and choose the "Configure RPC protocol" item to open its
>>>> configuration page.
>>>> 3. Please uncheck the "Enforce strict RPC compliance" item and then click OK
>>>> to finish.
>>>>
>>>> Please test to see if the issue is fixed.
>>>>
>>>> III. If the issue persists, it seems the cert database is corrupted.
>>>> Please try the following steps:
>>>>
>>>> I. Use the esentutl tool to fix the database:
>>>> ====
>>>> 1. Make sure that the Certificate service is stopped. Open Windows
>>>> Explorer. Navigate to %systemroot%\system32\certlog\ and make a copy of all
>>>> files in this folder.
>>>>
>>>> NOTE: This step is very important! The troubleshooting steps could cause
>>>> further corruption on the CA database.
>>>>
>>>> 2. Run the following commands. Collect the output and send the result to me
>>>> at feijj@xxxxxxxxxxxxx
>>>>
>>>> esentutl -ml %systemroot%\system32\certlog\edb.log
>>>>
>>>> esentutl -mk %systemroot%\system32\certlog\edb.chk
>>>>
>>>> esentutl -mh %systemroot%\system32\certlog\<CA Name>.edb
>>>>
>>>> 3. Run esentutl /g %systemroot%\system32\certlog\<CA Name>.edb to fix the
>>>> database. After doing this, will the problem be resolved?
>>>>
>>>> 4. Delete all files except <CA Name>.edb from the folder. Try to start the
>>>> 'Certificate Services' from services console. Will the problem be resolved?
>>>>
>>>> If the issue still persists, could you find any other event error in the
>>>> Event Viewer? If yes, please also paste it in the newsgroup.
>>>>
>>>> Have a nice day!
>>>>
>>>> Sincerely,
>>>>
>>>> Jenny Wu
>>>> Microsoft CSS Online Newsgroup Support
>>>> Get Secure! - www.microsoft.com/security
>>>>
>>>> --------------------
>>>>>From: "Steve Everington" <steve.nospam@xxxxxxxxxxxxxxxxxx>
>>>>>Subject: Certificate Services fails to start
>>>>>Date: Mon, 7 Nov 2005 19:20:25 -0000
>>>>>Organization: Pannell Signs Ltd
>>>>>
>>>>>Hello,
>>>>>
>>>>>I am unable to get my certificate service to start - I get the following
>>>>>error message...
>>>>>
>>>>>Event Type: Error
>>>>>Event Source: CertSvc
>>>>>Event Category: None
>>>>>Event ID: 17
>>>>>Date: 07/11/2005
>>>>>Time: 19:04:26
>>>>>User: N/A
>>>>>Computer: XXXSERVER
>>>>>Description:
>>>>>Certificate Services did not start: Unable to initialize the database
>>>>>connection for xxxxxxxxxCA. Class not registered 0x80040154
>>>>>(-2147221164).
>>>>>
>>>>>I am running SBS2003 premium with SP1 and ISA server 2004.
>>>>>
>>>>>Thanks
>>>>>
>>>>>Steve Everington