Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.
Ensure that AD CS can publish the CA certificate to the NTAuth store
To resolve this problem:
Confirm permissions on the NTAuth store.
Check the NTAuth store and, if necessary, publish the certification authority (CA) certificate manually.
If you have trouble locating the CA certificate in order to publish it to the NTAuth store, use the procedure in the "Locate the CA certificate file on a computer" section before publishing it to the NTAuth store.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Confirm NTAuth store permissions
To check the permissions of the CA on the NTAuth container:
On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
On the View menu, click Show Services Node.
Double-click Services, double-click Public Key Services, right-click NTAuthCertificates, and click Properties.
Click the Security tab, and then confirm that the computer hosting the CA has Read permissions.
Confirm contents of the NTAuth store
To check the contents of the NTAuth store in Active Directory Domain Services (AD DS):
At a command prompt, type certutil -viewstore ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com> and press ENTER. Replace <contoso> and <com> with the namespace of your Active Directory root domain.
If the CA certificate is not listed in the output, add it manually by typing the following command: certutil -dspublish <cert.cer> ntauthca and pressing ENTER.Replace <cert.cer> with the CA certificate file.
Locate the CA certificate file on a computer
To locate the CA certificate file on the local file system:
Open a command prompt window.
Type certutil -getreg CA\CACertPublicationURLs and press ENTER.
By default, this file is stored in %systemroot%\system32\certsrv\certenroll.