Active Directory Certificate Services takes a long time to start/stop

Here's a small yet annoying case I worked on recently. I had two issuing CAs that seemed to be healthy, but the Active Directory Certificate Services service (certsvc) took a heck of a long time to start or stop.

The answer turned out to be in auditing. When we configured the CAs for auditing, we configured them to log all events. A list of events is available here: https://technet.microsoft.com/en-us/library/cc772451(v=ws.10).aspx

Configuring the CA to audit the event "Start and stop Active Directory Certificate Services (AD CS)" causes the delay in service start and stop. If your interest in fast startup time outweighs your interest in logging this event, you can either uncheck this event from the Audit tab of the CA properties or, if you're using a configuration script (CAConfig.bat), change the audit filter from 127 (audit all events) to 126 (audit all events but the service start/stop):

certutil -setreg CA\AuditFilter 127

certutil -setreg CA\AuditFilter 126
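An added example (not from the original post), in PowerShell: it clears only the start/stop bit of the current AuditFilter instead of overwriting the value with 126, so a CA that was not auditing every category keeps its existing selection, and it lists what stays on and what is turned off. The category names for values 2 through 64 and the registry path come from Microsoft's AD CS documentation, not from this post.

```powershell
# Added example. Bit i of CA\AuditFilter enables category $Categories[i];
# bit 0 (value 1) is service start/stop, matching the 127 -> 126 change above.
$Categories = @(
    'Start and stop Active Directory Certificate Services',
    'Back up and restore the CA database',
    'Issue and manage certificate requests',
    'Revoke certificates and publish CRLs',
    'Change CA security settings',
    'Store and retrieve archived keys',
    'Change CA configuration'
)

function Get-AuditCategory([int]$Filter) {
    # Emit the name of every category whose bit is set in $Filter.
    for ($i = 0; $i -lt $Categories.Count; $i++) {
        if ($Filter -band (1 -shl $i)) { $Categories[$i] }
    }
}

# Read the active CA's current filter from the registry (run elevated on the CA).
# A missing AuditFilter value is treated as 0 (nothing audited).
$cfg     = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfg).Active
$current = [int](Get-ItemProperty -Path (Join-Path $cfg $caName)).AuditFilter

# Clear only the start/stop bit; every other bit stays as it was configured.
$new = $current -band (-bnot 1)

"Current AuditFilter: $current"
Get-AuditCategory $current | ForEach-Object { "  [on]  $_" }
"Categories that will no longer be audited (new AuditFilter: $new):"
Get-AuditCategory ($current -bxor $new) | ForEach-Object { "  [off] $_" }

if ($new -ne $current) {
    certutil -setreg CA\AuditFilter $new
    # Registry changes under CA\ take effect after certsvc restarts.
    Restart-Service -Name certsvc
}
```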

I hope this helps.