Q: Why won't Active Directory Certificate Services service start?

When AD CS won't start, follow these steps to get it working.

John Savill

October 6, 2011


A: The Active Directory Certificate Services (AD CS) PKI solution uses the Extensible Storage Engine (ESE)/Jet database, which consists of the database file itself (the .edb file) and several log files. If you have a hardware problem, it's possible for the log files to become corrupt. When you then try to start the AD CS service, you receive a corrupt log file error.


To resolve this, you need to try a few actions.

First, perform an integrity check on the actual database that's stored in the %systemroot%\System32\Certlog folder. To perform this check, use the esentutl tool and the /g switch (change the edb file name to the edb file name in your Certlog folder):

C:\Windows\System32\CertLog>esentutl /g savilltech-SAVDALDC10-CA.edb

Here's an example of what it returns:

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.1
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating INTEGRITY mode...
Database: savilltech-SAVDALDC10-CA.edb
Temp. Database: TEMPINTEG3292.EDB

Checking database integrity.

Scanning Status (% complete)

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Integrity check successful. Operation completed successfully in 0.156 seconds.

If there's a problem with your database, rerun the above command, but change /g to /p. This will perform a repair. Next, attempt a recovery for all files and logs in the current folder. This might resolve the problem:

C:\Windows\System32\CertLog>esentutl /r edb

You will see something similar to this returned:

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.1
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating RECOVERY mode...
Logfile base name: edb
Log files:
System files:

Performing soft recovery...
Restore Status (% complete)

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
..................

Operation terminated with error -501 (JET_errLogFileCorrupt, Log file is corrupt
) after 0.93 seconds.

In this case the recovery couldn't fix the log file error.

The next action would be to perform a restoration from a backup, or you could try deleting the log files, then starting the service. In most cases, the data in the log should have been written to the database, so no data should be lost.

However, there is always a risk, so a restoration from backup would be preferred. If you have no backup, then just delete the log files in the folder and start the AD CS service. It should now start without a problem.
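
The last step, as an added PowerShell example (not from the original article): it copies the CertLog folder, reads the database header with esentutl /mh, and moves the log files aside only when the header reports Clean Shutdown, meaning the logged data has already been written to the database. The backup path C:\CertLogBackup and the parameter names are assumptions; CertSvc is the AD CS service name.

```powershell
# Added example: a safer version of "delete the log files and start the service".
# Run from an elevated prompt on the CA server.
param(
    [Parameter(Mandatory=$true)] [string] $DbName,   # the .edb file name in your CertLog folder
    [string] $CertLog  = "$env:SystemRoot\System32\CertLog",
    [string] $BackupTo = 'C:\CertLogBackup'          # assumed path, choose your own
)
$ErrorActionPreference = 'Stop'

# Make sure the service is not holding the database or logs open.
Stop-Service -Name CertSvc -Force -ErrorAction SilentlyContinue

# 1. Copy the whole folder (database and logs) before changing anything.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$copy  = Join-Path $BackupTo "CertLog-$stamp"
New-Item -ItemType Directory -Path $copy -Force | Out-Null
Copy-Item -Path (Join-Path $CertLog '*') -Destination $copy -Recurse

# 2. Dump the database header and read its State line.
#    "Clean Shutdown" = all logged transactions are already in the .edb file.
#    "Dirty Shutdown" = the database still needs data that exists only in the logs.
$header = & esentutl.exe /mh (Join-Path $CertLog $DbName)
$match  = $header | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
$state  = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
Write-Host "Database state: $state"

if ($state -ne 'Clean Shutdown') {
    Write-Warning ("Removing the logs now can lose data. Restore from backup if you " +
                   "have one; an untouched copy of the folder is in $copy.")
    return
}

# 3. Move the log files out of the folder instead of deleting them,
#    so the step can be undone, then start the service.
$aside = Join-Path $BackupTo "removed-logs-$stamp"
New-Item -ItemType Directory -Path $aside -Force | Out-Null
Move-Item -Path (Join-Path $CertLog '*.log') -Destination $aside

Start-Service -Name CertSvc
Get-Service -Name CertSvc
```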

To see more FAQs, please go to John Savill's FAQs page on Windows IT Pro.