Collection Rule for event with source CertificationAuthority and ID 17 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.17
  • Description:  Certificate Services did not start: database connection.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name Default Value Description Override
Priority 2  
Severity 2  

Run As Profiles

Name
Default

Alert Details

Message Priority Severity
AD CS Database Availability High Critical

Rule Knowledgebase

Summary

The certification authority (CA) database records all certificate transactions, including requests, the requester, and whether the request was granted or denied; information for the issued certificate, such as the private key, serial number, and expiration date; and information about revoked certificates. Problems accessing a CA database can prevent a CA from starting and functioning properly. 

Causes
This rule does not contain any causes.
Resolutions

Enable the connection between the CA and the certificates database

A certification authority (CA) needs to be able to connect to a certificates database file identified in the registry. To resolve this problem, confirm that the file identied in the registry exists, and if it does exist, that it has not been corrupted. 

To perform this procedure, you must have local administrator permission, or you must have been delegated the appropriate authority.

To enable the connection between the certification authority (CA) and the certificates database:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  • On the computer hosting the CA, click Start, type regedit, and then press ENTER.

  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  • Check the value data for the REG_SZ entries named DBLogDirectory, DBSystemDirectory, and DBTempDirectory. Then, confirm that the CA database files exist in these locations.

  • At a command prompt, type Esentutl.exe /g <databasename> and press ENTER to check for database corruption.

Replace databasename with the name of the database listed in the registry settings.

  • If the database has been corrupted, at a command prompt, type Esentutl /r <databasename> and press ENTER to correct the problem.

  • Restart Active Directory Certificate Services (AD CS).

External References
This rule does not contain any external references.

See Also for Active Directory Certificate Services Management Pack


Downloads for Active Directory Certificate Services Management Pack

AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED