Move the Certificate Server Database and Log Files

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Use these steps to change the location of the certificate server database and log files:

  1. Stop the Active Directory Certificate Services service.
  2. Copy the database files and log files to the new location. The default database path is:
    %SystemRoot%\System32\CertLog
  3. Modify the database paths in the following registry entries to reflect the new path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBDirectory

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBLogDirectory

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSystemDirectory

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBTempDirectory

  4. Start the Certificate Services service.
  5. Check the Application event log for CertSvc event 26 to verify that the Certificate Services service started successfully.

A warning message is displayed if the service does not start successfully. If this occurs, check the syntax of the paths in the registry.

Note that you may need to edit the NTFS permissions to grant Full Control permissions to the System account. By default, the System account and the Administrators and Enterprise Administrators groups have Full Control access for the CertLog folder.
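The five steps and the NTFS note above, scripted as one PowerShell run. This is an added example, not code from the KB article; it assumes it runs elevated on the CA host, that the service name is CertSvc, and that the target folder (hypothetical D:\newCertlog, passed as $NewDir) is on a local NTFS volume. The permission check before the registry change is the one a practitioner wants: if SYSTEM is not granted Full Control on the new folder, the service fails to start and you are left with a half-moved database.

```powershell
# Added example (not from the KB article): move the AD CS database and log files.
# Assumptions: elevated PowerShell on the CA; $NewDir is a local NTFS path you choose.
param([string]$NewDir = 'D:\newCertlog')   # hypothetical target folder

$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$oldDir  = (Get-ItemProperty -Path $regKey -Name DBDirectory).DBDirectory
$dirVals = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

# Step 1: stop the service so the ESE database and logs are closed before copying.
Stop-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 2: copy database + log files to the new folder.
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null
Copy-Item -Path (Join-Path $oldDir '*') -Destination $NewDir -Recurse -Force

# NTFS note from the article: SYSTEM and Administrators need Full Control. Grant the
# two explicit, inheritable ACEs rather than relying on whatever D:\ happens to inherit.
$acl = Get-Acl -Path $NewDir
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $NewDir -AclObject $acl

# Verify before touching the registry: fail early if SYSTEM still lacks Full Control.
$sysFull = (Get-Acl -Path $NewDir).Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
    $_.FileSystemRights -eq 'FullControl' -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $sysFull) { throw "SYSTEM lacks Full Control on $NewDir; fix NTFS permissions first." }

# Step 3: point all four registry values at the new folder.
foreach ($name in $dirVals) {
    Set-ItemProperty -Path $regKey -Name $name -Value $NewDir -Type String
}

# Step 4: start the service.
$startedAt = Get-Date
Start-Service -Name CertSvc

# Step 5: event 26 in the Application log is the success signal named in the article.
$ok = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 26; StartTime = $startedAt } `
        -ErrorAction SilentlyContinue
if ($ok) {
    "CertSvc started; database now at $NewDir"
} else {
    Write-Warning "Event 26 not logged; check the four registry paths for typos and the folder ACL."
}
```

The old folder is left in place on purpose: until event 26 is confirmed, the original CertLog contents are your rollback, and the only change needed to roll back is setting the four registry values back to $oldDir.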

Reference:
http://support.microsoft.com/kb/283193

OF COURSE – Things aren’t always this easy…after a reboot my CA Cert Service did not want to start.
I found the following error when trying to start the service from the console window:
Bad signature for a log file 0x0 (WIN32: 0)

The event log (application) had errors complaining about three things:
1. certsrv.exe (784) Unable to read the header of logfile D:\newCertlog\edb027E0.log. Error -530.
2. certsrv.exe (784) Database recovery/restore failed with unexpected error -530.
3. Active Directory Certificate Services did not start: Unable to initialize the database connection for domain-servername-CA. Bad signature for a log file 0x0 (WIN32: 0).

This was how I fixed it using esentutl:

1. Make sure that the Certificate service is stopped. Open Windows Explorer. Navigate to %systemroot%\system32\certlog\ and make a copy of all files in this folder.

NOTE: This step is very important. The troubleshooting steps could cause further corruption on the CA database.

2. Run esentutl (from an administrative cmd prompt)
First to repair: ESENTUTL /p D:\newCertlog\<CA Name>.edb
Then to check integrity: ESENTUTL /g D:\newCertlog\<CA Name>.edb

3. Delete all files except <CA Name>.edb from the folder.

4. Try to start the ‘Certificate Services’ from services console. (I opened an administrative cmd prompt and ran net start certsvc )
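The same four-step recovery as a PowerShell script. This is an added example, not code from the post or the forum thread it references; it assumes an elevated session on the CA and that $DbDir (hypothetical D:\newCertlog) is the folder holding the CA's .edb file. Two things the script adds that the manual steps leave implicit: it takes the backup copy before anything else, because esentutl /p is a hard repair that can discard data (error -530 is JET_errBadLogSignature, so the log files, not the .edb, are what is being thrown away), and it stops on a non-zero esentutl exit code instead of deleting logs on top of a failed repair.

```powershell
# Added example (not from the post): esentutl recovery for a CA that fails with
# "Bad signature for a log file". Assumes elevated PowerShell; $DbDir is hypothetical.
param([string]$DbDir = 'D:\newCertlog')

# Step 1: service stopped, then a full copy of the folder before any repair attempt.
Stop-Service -Name CertSvc -Force
(Get-Service -Name CertSvc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

$backup = "$DbDir.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $DbDir -Destination $backup -Recurse
"Backup written to $backup"

# Find the database rather than hard-coding <CA Name>.edb.
$edb = Get-ChildItem -Path $DbDir -Filter '*.edb' -File | Select-Object -First 1
if (-not $edb) { throw "No .edb file found in $DbDir" }

# Step 2: repair, then integrity check. esentutl /p asks for confirmation, so 'Y' is
# piped to it; a non-zero exit code aborts before any log files are deleted.
'Y' | & esentutl.exe /p $edb.FullName
if ($LASTEXITCODE -ne 0) { throw "esentutl /p failed (exit $LASTEXITCODE); restore from $backup" }

& esentutl.exe /g $edb.FullName
if ($LASTEXITCODE -ne 0) { throw "esentutl /g reported problems (exit $LASTEXITCODE); restore from $backup" }

# Step 3: remove everything except the repaired .edb (the mismatched logs and checkpoint).
Get-ChildItem -Path $DbDir -File |
    Where-Object { $_.FullName -ne $edb.FullName } |
    Remove-Item -Force

# Step 4: start the service and confirm with Application log event 26.
$startedAt = Get-Date
Start-Service -Name CertSvc
$ok = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 26; StartTime = $startedAt } `
        -ErrorAction SilentlyContinue
if ($ok) {
    'CertSvc started after repair.'
} else {
    Write-Warning "CertSvc did not log event 26; review the Application log or restore from $backup"
}
```

After a successful start, take a fresh CA backup (certutil -backup or your usual method) before deleting $backup: the repaired database has no transaction logs behind it, so that backup is now the only copy of the pre-repair state.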

Good luck!

Reference:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f929d34-c9ca-4ad4-863a-dcda95e9f0e9/root-ca-startup-error?forum=winservergen
