Active Directory Certificate Services takes a long time to start/stop


Here's a small yet annoying case I worked on recently. I had two issuing CAs that seemed to be healthy but took a heck of a long time for the Active Directory Certificate Services service (certsvc) to start or stop.

The answer turned out to be in auditing. When we configured the CAs for auditing, we configured them to log all events. A list of events is available at http://technet.microsoft.com/en-us/library/cc772451(v=ws.10).aspx

Configuring the CA to audit the event "Start and stop Active Directory Certificate Services (AD CS)" causes the delay in service start and stop. If your interest in fast startup time outweighs your interest in logging this event, you can either uncheck this event on the Audit tab of the CA properties or, if you're using a configuration script (CAConfig.bat), change the audit filter from 127 (audit all events) to 126 (audit all events but the service start/stop):

    certutil -setreg CA\AuditFilter 127
    certutil -setreg CA\AuditFilter 126
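
The same change made bit by bit instead of by overwriting the whole value, as an added example that is not part of the original post: it reads the active CA's AuditFilter, shows which event groups are audited, and clears only the start/stop bit (value 1), so a CA that was not set to 127 keeps its other audit settings. The bit-to-event mapping and the registry path come from Microsoft's AD CS documentation rather than from this post, and the function names are illustrative.

```powershell
# Added example (not from the original post). Run elevated on the CA.
# Without -Apply the script only reports; with -Apply it writes the new value.
param([switch]$Apply)

# AuditFilter bit values as documented by Microsoft for AD CS (assumption: not
# listed in the post itself, which only gives the totals 127 and 126).
$AuditEvents = @(
    @{ Bit = 1;  Name = 'Start and stop Active Directory Certificate Services (AD CS)' },
    @{ Bit = 2;  Name = 'Back up and restore the CA database' },
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' },
    @{ Bit = 8;  Name = 'Revoke certificates and publish CRLs' },
    @{ Bit = 16; Name = 'Change CA security settings' },
    @{ Bit = 32; Name = 'Store and retrieve archived keys' },
    @{ Bit = 64; Name = 'Change CA configuration' }
)

function Get-CaAuditFilter {
    # The active CA's settings live under ...\CertSvc\Configuration\<CA name>.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $cfg $caName)
    [int]$caKey.AuditFilter   # a missing value reads as 0 (nothing audited)
}

function Show-CaAuditFilter([int]$Filter) {
    # One line per event group: bit value, state, name.
    foreach ($e in $AuditEvents) {
        $state = if ($Filter -band $e.Bit) { 'audited' } else { 'off    ' }
        '{0,3}  {1}  {2}' -f $e.Bit, $state, $e.Name
    }
}

$current = Get-CaAuditFilter
$target  = $current -band (-bnot 1)   # clear only the start/stop bit

"Current AuditFilter = $current"
Show-CaAuditFilter $current
"Target AuditFilter  = $target"
Show-CaAuditFilter $target

if ($Apply -and $target -ne $current) {
    # Same certutil command as in the post, with the computed value.
    certutil -setreg CA\AuditFilter $target
    # Restart certsvc so the new filter takes effect.
    Restart-Service -Name certsvc
}
```

With the start/stop bit cleared, service starts and stops no longer produce CA audit events, so track restarts of certsvc through another source if you rely on them.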


I hope this helps


Comments
  • Thank you very much for this! Our CA was taking 20-25 minutes to reach a stopped state until we applied this setting!
