Certificate services error on Windows server 2003 PDC CA

    Question

  • Hi to all,

    On Win Server 2003 Standard: PDC, Exchange and ISA server (small environment),

    since the restart, I am getting certification-related errors.

    Event Type: Error
    Event Source: CertSvc
    Event Category: None
    Event ID: 5
    Date:  21.8.2013
    Time:  10:43:16
    User:  N/A
    Computer: PDC
    Description:
    Certificate Services could not find required registry information.  The Certificate Services may need to be reinstalled.

    Using certutil (-schema, -isvalid, -cainfo) I got: command FAILED: 0x80080005 (-2146959355)

    Using certutil -tcainfo:

    ================================================================
    CA Name: TCCA

    Machine Name: pdc.domain.local

    DS Location: CN=TCCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,
    N=Configuration,DC=tc,DC=local

    Cert DN: CN=TCCA, DC=tc, DC=local

    CA Expiration (Years): 1

    Connecting to tcdomain.tc.local\TCCA ...
    Server could not be reached: Server execution failed 0x80080005 (-2146959355)


    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=TCCA, DC=tc, DC=local
      Subject: CN=TCCA, DC=tc, DC=local
      Serial: 2e33c2078416ca994b2ddb90abb3804a
      56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
    Full chain:
      56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf
    ------------------------------------
    Verified Issuance Policies: All
    Verified Application Policies: All

    Supported Certificate Templates:
    Cert Type[0]: EFSRecovery (EFS Recovery Agent)
    Cert Type[1]: EFS (Basic EFS)
    Cert Type[2]: DomainController (Domain Controller)
    Cert Type[3]: WebServer (Web Server)
    Cert Type[4]: Machine (Computer)
    Cert Type[5]: User (User)
    Cert Type[6]: SubCA (Subordinate Certification Authority)
    Cert Type[7]: Administrator (Administrator)
    Validated Cert Types: 8

    ================================================================
    pdc.domain.local\TCCA:
      OFFLINE

    and using certutil -dcinfo:

    *** Testing DC[0]: PDC
    ** Enterprise Root Certificates for DC PDC
    Certificate 0:
    Serial Number: 0790b86f118570ac4460d9a5999fe073
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V2.2
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 6f bf c0 63 26 95 13 36 5f a1 36 ef b1 4f 9f 22 9d b7 15 c6

    Certificate 1:
    Serial Number: 2e33c2078416ca994b2ddb90abb3804a
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V3.3
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 56 c1 e0 cc 16 46 c6 ac 4b 60 76 33 c5 b3 40 6b 90 16 d2 bf

    Certificate 2:
    Serial Number: 09e2bff9433f529a4f1ff53135f0c7a8
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 2f ff 30 b0 fb 21 e4 1d c8 c8 bf b9 6a a2 24 72 7d d3 13 3a

    Certificate 3:
    Serial Number: 04aecc03749b428d4aeb2ea4fffd97a8
    Issuer: CN=TCCA, DC=tc, DC=local
    Subject: CN=TCCA, DC=tc, DC=local
    CA Version: V1.1
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): 0c a4 bd 7d 6d 70 07 f5 42 37 19 d1 75 3e a3 14 fc 88 c8 d5

    ** KDC Certificates for DC TCDOMAIN
    0 KDC certs for TCDOMAIN
    No KDC Certificate in MY store
    KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

    I can't manually start Certificate Services. I tried this: http://support.microsoft.com/kb/842210 but it didn't help.

    How could I find what causes this behavior?

    Is it safe to simply reinstall the CA on the PDC, Exchange server, ISA server?

    Please help with this issue. Any advice would be appreciated.

    neno.c



    • Edited by neno.c Wednesday, August 21, 2013 11:16 AM
    Wednesday, August 21, 2013 11:08 AM
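Event ID 5 from CertSvc means the service read the AD CS configuration in the registry at start-up and found something missing. The following PowerShell script is an added diagnostic written for this thread (it is not from the poster, Microsoft, or any of the linked articles): it checks the `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration` key, the `Active` value that names the CA, the per-CA subkey, and whether each SHA-1 hash listed in `CACertHash` corresponds to a certificate in the machine's Root/CA store. The list of per-CA value names is an assumption about what a typical CA configuration key contains, and PowerShell 2.0 or later running elevated on the CA host is assumed.

```powershell
# Added diagnostic for CertSvc Event ID 5 ("could not find required registry
# information"). Example code for this thread, not the poster's or Microsoft's.
# The per-CA value names in $expected are ASSUMED typical names; adjust them
# for your OS build. Run elevated on the CA host.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 1. Service state and the latest CertSvc errors in the Application log
Get-Service -Name CertSvc -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize
Get-EventLog -LogName Application -Source CertSvc -EntryType Error -Newest 5 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap

# 2. The Configuration key and the 'Active' value that names the CA to load
if (-not (Test-Path -Path $base)) {
    Write-Warning "$base does not exist; CertSvc cannot start without it."
    return
}
$cfg    = Get-ItemProperty -Path $base
$active = $cfg.Active
if ([string]::IsNullOrEmpty($active)) {
    Write-Warning "'Active' value is missing under $base (CertSvc does not know which CA to load)."
} else {
    "Active CA name: $active"
}

# 3. Per-CA values. ASSUMED list of names CertSvc expects; a missing one is
#    the kind of gap that produces Event ID 5.
$expected = 'CommonName', 'CAType', 'CAServerName', 'ProviderName',
            'HashAlgorithm', 'KeySize', 'CACertHash'

# Thumbprints of certificates in the machine Root and CA stores, for cross-checking
$storeThumbs = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA' |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

$caKeys = @(Get-ChildItem -Path $base)
if ($caKeys.Count -eq 0) {
    Write-Warning "No CA subkey under $base; the per-CA configuration is gone."
}
foreach ($ca in $caKeys) {
    $caName = $ca.PSChildName
    $label  = if ($caName -eq $active) { '(Active)' } else { '(NOT the Active CA)' }
    "--- CA key: $caName $label"
    $props = Get-ItemProperty -Path $ca.PSPath
    foreach ($name in $expected) {
        $value = $props.$name
        if ($null -eq $value) {
            Write-Warning "  missing value: $name"
            continue
        }
        if ($name -eq 'CACertHash') {
            # REG_MULTI_SZ: one SHA-1 hash per CA certificate generation
            # (the V0.0, V1.1, ... entries certutil -dcinfo lists). Each should
            # exist as a certificate in the local Root/CA store.
            foreach ($hash in @($value)) {
                $norm  = ($hash -replace '\s', '').ToUpperInvariant()
                $where = if ($storeThumbs -contains $norm) { 'found in store' } else { 'NOT in Root/CA store' }
                "  CACertHash {0} : {1}" -f $norm, $where
            }
        } else {
            "  {0,-14} = {1}" -f $name, $value
        }
    }
}
```

Read the output top down: if the `Active` value or the CA subkey is missing, the service has nothing to load and the only remedy is restoring the key from a system state backup or reinstalling the role; if the key is present but a `CACertHash` entry has no matching certificate in the store, the CA's own certificate chain is the problem rather than the registry. In the thread's certutil output the CA certificate has been renewed several times (V0.0 through V3.3), so the hash list should have several entries and each should resolve.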

All replies

  • Hi,

    Please follow the articles below to troubleshoot this issue:

    Event ID 5 — AD CS Registry Settings

    http://technet.microsoft.com/en-us/library/cc774527(v=ws.10).aspx

    Certificate Services may not start on a computer that is running Windows Server 2003 or Windows 2000

    http://support.microsoft.com/kb/842210

    Regards,

    Yan Li


    Cataleya Li
    TechNet Community Support

    Friday, August 23, 2013 3:07 AM
  • Thank You Yan Li,

    I've checked the articles that you provided.

    According to the first, there is a missing key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SignatureAlgorithm, but it applies to Server 2008, so I wasn't sure about it.

    The second support article I had gone through earlier, and couldn't restart Certificate Services anyway.

    Now I have uninstalled Certificate Services and removed the CA ("TCCA"), but still haven't restarted the server. The CA was used for OWA and two secondary DCs.

    I'm confused about what I should do: restart the server and try to reinstall the CA, with the same or a different name?

    or

    install the CA on another DC?

    Thank you for your help.

    Regards, Neno

    Saturday, August 24, 2013 9:34 AM
  • Hello,

    With CA/certificate problems you had better ask the experts at http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity

    Be aware that running Exchange/CA on a DC is NOT a recommended configuration. These should always run on domain member servers.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, August 25, 2013 10:12 AM
  • I will do so.

    Thanks

    Monday, August 26, 2013 6:38 AM