Move the Certificate Server Database and Log Files
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Use these steps to change the location of the certificate server database and log files:
- Stop the Active Directory Certificate Services service.
- Copy the database files and log files to the new location. The default database path is:
- Modify the database paths in the following registry entries to reflect the new path:
- Start the Certificate Services service.
- Check the Application event log for CertSvc event 26 to verify that the Certificate Services service started successfully.
A warning message is displayed if the service does not start successfully. If this occurs, check the syntax of the paths in the registry.
Note that you may need to edit the NTFS permissions to grant Full Control permissions to the System account. By default, the System account and the Administrators and Enterprise Administrators groups have Full Control access for the CertLog folder.
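The following PowerShell script checks the result of the procedure above: that the registry paths point at folders that exist, that SYSTEM holds Full Control on them, and that the service is running and has logged the CertSvc event 26. It is an added example, not part of the original article, and it assumes the standard CertSvc registry layout (the Active value under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration naming the CA, and the DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory values under the CA's own key) and that the start-up event is logged under the provider name CertSvc or Microsoft-Windows-CertificationAuthority.

```powershell
# Post-move verification for AD CS (added example; assumes the standard
# CertSvc\Configuration registry layout described in the lead-in).
param(
    [datetime]$Since = (Get-Date).AddMinutes(-30)   # window in which to look for event 26
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active     # assumed: 'Active' holds the CA name
$caKey  = Join-Path $cfgKey $caName
$props  = Get-ItemProperty -Path $caKey

# 1. The directory values that tell AD CS where its database and log files live.
$dirValues = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'
foreach ($name in $dirValues) {
    $path   = $props.$name
    $exists = Test-Path -LiteralPath $path -PathType Container
    '{0,-18} {1,-40} exists={2}' -f $name, $path, $exists
    if (-not $exists) { Write-Warning "$name points at a missing folder: $path" }
}

# 2. SYSTEM needs Full Control on each folder; a missing grant stops the service from opening the files.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($path in ($dirValues | ForEach-Object { $props.$_ } | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    $systemFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    if (-not $systemFull) { Write-Warning "SYSTEM lacks Full Control on $path" }
}

# 3. Service state plus the event 26 that confirms a successful start.
$svc = Get-Service -Name CertSvc
"CertSvc status: $($svc.Status)"
$filter = @{
    LogName      = 'Application'
    ProviderName = @('CertSvc', 'Microsoft-Windows-CertificationAuthority')  # assumed provider names
    Id           = 26
    StartTime    = $Since
}
$started = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($started) { "Event 26 logged at $(@($started)[0].TimeCreated): service started successfully" }
else          { Write-Warning "No event 26 since $Since; check the path syntax in the registry" }
```

Run it from an elevated PowerShell session on the CA after step 5; a warning from section 1 or 2 usually explains why the service refused to start.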
OF COURSE – Things aren’t always this easy…after a reboot my CA Cert Service did not want to start.
I found the following error when trying to start the service from the console window:
Bad signature for a log file 0x0 (WIN32: 0)
The event log (application) had errors complaining about three things:
1. certsrv.exe (784) Unable to read the header of logfile D:\newCertlog\edb027E0.log. Error -530.
2. certsrv.exe (784) Database recovery/restore failed with unexpected error -530.
3. Active Directory Certificate Services did not start: Unable to initialize the database connection for domain-servername-CA. Bad signature for a log file 0x0 (WIN32: 0).
This was how I fixed it using esentutl:
1. Make sure that the Certificate service is stopped. Open Windows Explorer. Navigate to %systemroot%\system32\certlog\ and make a copy of all files in this folder.
NOTE: This step is very important. The troubleshooting steps could cause further corruption on the CA database.
2. Run esentutl (from an administrative cmd prompt):
First to repair: ESENTUTL /p D:\newCertlog\<CA Name>.edb
Then to check integrity: ESENTUTL /g D:\newCertlog\<CA Name>.edb
3. Delete all files except <CA Name>.edb from the folder.
4. Try to start ‘Certificate Services’ from the Services console. (I opened an administrative cmd prompt and ran net start certsvc.)