Active Directory Certificate Service Service Restart Errors

  • Question

  • I'm working on building a PKI on Server 2016. I've already deployed the design onto Server 2012 R2 and everything worked as expected.

    Building the same solution on Server 2016 and with all the CA's built/configured, OCSP has been deployed and the only odd behaviour I am seeing on Server 2016 is that I cannot issue the command to restart the services successfully via the scripts.

    After running through the scripts to configure the CA using various certutil commands the script gets to 

    net stop certsvc && net start certsvc

    What I see on the screen is:

    The Active Directory Certificate Services service is stopping.
    The Active Directory Certificate Services service was stopped successfully.

    The Active Directory Certificate Services service is starting.
    The Active Directory Certificate Services service was started successfully.

    However, when I check the CA service it is not running and when trying to start the service, it reports WIN32: 1749 RPC_S_DUPLICATE_ENDPOINT, and subsequent attempts report cannot access file, the file is locked or in use 0xc8000409 (ESE: -1032 JET_errFileAccessDenied).

    I have the AV exclusions in place for the database folder and the ADCS service to test that AV is not holding onto the file.

    When I monitor with resource monitor for the service it shows the service is terminating and seems to hold the file lock on the database for about 30 seconds after reporting the service has been stopped.

    This behaviour is the same on all the CAs on Server 2016 and is preventing me from installing NDES as the configuration times out and the installer fails reporting either RPC unavailable or the duplicate endpoint text.

    I came across an article that mentions turning off auditing to speed things up which I have tried and makes no difference. The database is tiny, only 4 certificates have been issued.

    Thanks in advance for any help.

    Matt...




    Thursday, September 26, 2019 10:25 AM

Answers

  • Hi Mark,

    Thanks for your reply, I identified the issue late on Friday, I just got around to posting up what I found and following this I was able to resolve the service restart issues and install NDES.

    For completeness to answer your questions

    1) There is a Luna HSM.

    2) Auditing is on, I did try and turn off auditing as per the article, the database is very small, about 1mb.

    The issue was that a patch was needed for the HSM client which I obtained from the vendor. I had already upgraded the client to the latest version and that did not fix the issue so I discounted the client initially.

    Problem: When stopping and then restarting the service the following error is reported "RPC_DUPLICATE_ENDPOINT"

    Cause: The issue occurs when the service is stopped and then restarted quickly.

    Reason: The Safenet KSP library does not release the service before it is started again resulting in the duplicate endpoint error message.

    I hope this information helps others should they encounter the same issue.

    Thanks to everyone for the suggestions.

    Tuesday, October 1, 2019 10:00 AM

All replies

  • Hi, 

    I think you should check if the DCOM/RPC port is allowed

    https://blogs.technet.microsoft.com/pki/2010/06/25/firewall-rules-for-active-directory-certificate-services/


    Thursday, September 26, 2019 1:14 PM
  • Thanks, I believe that the communication between the servers is fine, when the NDES configuration begins it makes changes to the CA (for example, adding registry entries) and these require the ADCS service to be restarted to take effect. The ADCS service restart takes too long to perform the restart so the NDES configuration sees that the target CA is not available.

    I can see that changes are partially successful on the CA, the challenge seems to be related to the delay in shutting down the ADCS service and then restarting it.

    Thursday, September 26, 2019 1:56 PM
  • For completeness I retried the process with the firewalls disabled on both servers and the same outcome was observed.
    Thursday, September 26, 2019 2:22 PM
  • Hello Matt,

    Thank you for posting in our TechNet forum.

    We can try to restart the Active Directory Certificate Services on CA server.

    Right-click CA name->All Tasks->Start Service.


    If we can not start the service, what error message do we receive?

    Is our CA one-tier CA or two-tier CA?




    Best Regards,
    Daisy Zhou


    Friday, September 27, 2019 3:50 AM
    Moderator
  • Thanks for the reply Daisy,

    It is a three-tier CA.

    If I stop the service and then try and start the service using the method you use above then I get this error.

    "The endpoint is a duplicate. 0x6cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)"

    When I try a second time then I get this error.

    "Cannot access file, the file is locked or in use 0xc8000408 (ESE: -1032 JET_errFileAccessDenied)"

    If I wait for 30 seconds I can start the service successfully.

    Using procmon I can see that the service reports terminated almost immediately, however in the background there are still tasks being performed and the CA database is not closed/released until about 30 seconds later.

    This behaviour is preventing me from installing NDES as the service restart issue causes the installation of NDES to fail.

    Thanks,

    Matt...

    Friday, September 27, 2019 9:43 AM
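The race described above (the SCM reports certsvc stopped while the ESE database stays locked for roughly 30 seconds, so an immediate `net start` fails with RPC_S_DUPLICATE_ENDPOINT) can be avoided in scripts by waiting for the database file to be released before starting. The following PowerShell is an added example, not code from the thread; it assumes the CA database directory is recorded in the DBDirectory value under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and falls back to the default %SystemRoot%\System32\CertLog.

```powershell
# Added example: restart certsvc without racing its shutdown.
# Waits until the CA database (.edb) is no longer locked, then starts with retries.
function Restart-CertSvcSafely {
    param(
        [int]$TimeoutSeconds = 120,
        [int]$StartAttempts  = 3
    )
    # Assumption: DBDirectory lives under this key; default is %SystemRoot%\System32\CertLog.
    $cfg   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $dbDir = $cfg.DBDirectory
    if (-not $dbDir) { $dbDir = Join-Path $env:SystemRoot 'System32\CertLog' }

    Stop-Service -Name CertSvc -Force
    (Get-Service CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))

    # "Stopped" is reported before the ESE database is closed; probe each .edb
    # with an exclusive open until it succeeds or the timeout is reached.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $released = $false
    while (-not $released -and (Get-Date) -lt $deadline) {
        $released = $true
        foreach ($edb in Get-ChildItem -Path $dbDir -Filter '*.edb' -ErrorAction SilentlyContinue) {
            try {
                $fs = [System.IO.File]::Open($edb.FullName, 'Open', 'ReadWrite', 'None')
                $fs.Close()
            } catch {
                $released = $false   # still held by the terminating certsvc process
            }
        }
        if (-not $released) { Start-Sleep -Seconds 2 }
    }
    if (-not $released) { throw "CA database in $dbDir still locked after $TimeoutSeconds s" }

    # A duplicate-endpoint failure can still occur if the KSP has not torn down yet,
    # so retry the start with increasing backoff instead of failing the whole script.
    for ($i = 1; $i -le $StartAttempts; $i++) {
        try {
            Start-Service -Name CertSvc -ErrorAction Stop
            (Get-Service CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
            return Get-Service CertSvc
        } catch {
            Write-Warning "Start attempt $i failed: $($_.Exception.Message)"
            Start-Sleep -Seconds (10 * $i)
        }
    }
    throw "certsvc did not start after $StartAttempts attempts"
}

Restart-CertSvcSafely
```

This is a workaround for the restart timing only; as the thread concludes, the underlying cause here was the HSM client and required the vendor patch.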
  • Two questions: 1) Is CA using a Luna HSM? 2) Do you have the Audit setting enabled for Stop/Start of the service? If yes, what size is your CA database?

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Monday, September 30, 2019 3:42 PM
  • Oh good, my suspicion was the Luna Bug which you found. We have run into this many times.

    Tuesday, October 1, 2019 10:17 AM
  • Thanks, I expected that the fix for that bug had been included in the latest release of the client software, the patch DLL predates the version of the DLL included in the version that I had deployed.
    Tuesday, October 1, 2019 12:16 PM
  • Matt, we are facing the same situation while installing the NDES server.

    We run Luna 7.4 software on Windows 2016 CA servers in front of Network HSM.

    I was playing around CA service and MMC console, you are absolutely right - if you issue "restart" on the CA services from "Services.msc" you can see the "The endpoint is a duplicate. 0x6cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)" event and CA won't start.

    Thank you very much for sharing the info, let's hope Thales/Gemalto will fix the issue shortly and release a patch.

    Monday, October 7, 2019 3:11 PM