CertSRV does not start anymore and certutil -verify gives "object not found"
Hello forum,

I have a very strange problem and can't find an answer. Let me please first describe my environment: I have a W2K8 server, which is also working as a CA for some mobile clients connecting to our MS ActiveSync. Two weeks ago I installed another server in my AD, which acts as a backup server and is also a DC. In the event log I found messages (some a day) that the new server has problems getting a certificate from my CA, like this:

- System
  - Provider
    [ Name] Microsoft-Windows-CertificateServicesClient-CertEnroll
    [ Guid] {54164045-7C50-4905-963F-E5BC1EEF0CCA}
    [ EventSourceName] CertEnroll
  - EventID 13
    [ Qualifiers] 49754
  Version 0
  Level 2
  Task 0
  Opcode 0
  Keywords 0x80000000000000
  - TimeCreated
    [ SystemTime] 2010-01-16T00:12:33.000Z
  EventRecordID 3271
  Correlation
  - Execution
    [ ProcessID] 0
    [ ThreadID] 0
  Channel Application
  Computer HKDKBA01.hkd.intern
  - Security
    [ UserID] S-1-5-18
- EventData
  Context Lokales System
  TemplateName DomainController
  CA ZS.hkd.intern\hkd-ZS-CA
  ErrorCode Der RPC-Server ist nicht verfügbar. 0x800706ba (WIN32: 1722)

The message in the event log was like this: "Die Zertifikatsregistrierung für Lokales System konnte sich nicht für ein Zertifikat DomainController von ZS.example.intern\hkd-example-CA (Der RPC-Server ist nicht verfügbar. 0x800706ba (WIN32: 1722)) registrieren."

This means in English: "local certificate registration is unable to register for a domain controller certificate from the CA".

I tried to find this error on the internet and eventually found a hint that the problem may be the group "CERT_DCOM_ACCESS". Sometimes the group "Domain Controllers" is missing in this DCOM access group, so the effect is that domain controllers are not able to auto-enroll for their certs. I then added the Domain Controllers group to CERT_DCOM_ACCESS and restarted the certification server certsrv.exe - and here the trouble started: I was only able to stop the service but not to start it anymore. In the event log I see these entries:

1. "certsrv.exe (8876) Das Datenbankmodul (6.00.6002.0000) hat eine neue Instanz gestartet (0)."
2. "Die Active Directory-Zertifikatdienste wurden nicht gestartet: Das aktuelle Zertifizierungsstellenzertifikat konnte nicht geladen bzw. verifiziert werden. example-ZS-CA Das Objekt wurde nicht gefunden. 0x80090011 (-2146893807)."
3. "certsrv.exe (8876) Das Datenbankmodul hat die Instanz (0) beendet."

The second entry in English is event ID 100, meaning: "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate". I tried everything pointed out in this article: http://technet.microsoft.com/en-us/library/cc774550(WS.10).aspx but with no result. I also tried to isolate the error with the program certutil.exe and these are my results:

c:\Windows\System32\CertSrv\CertEnroll>certutil -verifykeys
452.711.0: 0x80090011 (-2146893807): example-ZS-CA
315.487.0: 0x80090011 (-2146893807): Microsoft Software Key Storage Provider
LoadKeys hat Das Objekt wurde nicht gefunden. 0x80090011 (-2146893807) zurückgegeben.
315.722.0: 0x80090011 (-2146893807)
315.926.0: 0x80090011 (-2146893807)
315.993.0: 0x80090011 (-2146893807)
CertUtil: -verifykeys-Befehl ist fehlgeschlagen: 0x80090011 (-2146893807)
CertUtil: Das Objekt wurde nicht gefunden.
301.3370.0: 0x80090011 (-2146893807)

c:\Windows\System32\CertSrv\CertEnroll>

certutil is saying: "the object cannot be found". I tried this command while watching it with the process monitor, but I was not able to find any "file not found" message while running.

Another strange thing is the result of my tries to repair the store:

c:\Windows\System32\CertSrv\CertEnroll>certutil -f -repairstore my "07 64 5f e0 75 3b c2 9c 9b d2 ba 39 c4 0d 85 96 21 ee b0 d9"
my
================ Zertifikat 4 ================
Seriennummer: 7ec0556b6e0929a34bf78c707227096a
Aussteller: CN=example-ZS-CA, DC=example, DC=intern
Nicht vor: 22.09.2009 11:59
Nicht nach: 22.09.2014 12:09
Antragsteller: CN=example-ZS-CA, DC=example, DC=intern
Version der Zertifizierungsstelle: V0.0
Signatur stimmt mit dem öffentlichen Schlüssel überein.
Stammzertifikat: Antragsteller stimmt mit Aussteller überein
Zertifikathash(sha1): 07 64 5f e0 75 3b c2 9c 9b d2 ba 39 c4 0d 85 96 21 ee b0 d9
313.918.0: 0x80090010 (-2146893808)
313.1532.0: 0x80090010 (-2146893808)
  Schlüsselcontainer = example-ZS-CA
452.711.0: 0x80090011 (-2146893807): example-ZS-CA
308.3901.0: 0x80090011 (-2146893807): Exception at d:\longhorn\ds\security\services\ca\fs\crypto\cngcryptofactory.cpp(421): NCryptOpenKey(hProv, &hKey, pwszKeyName, nLegacyKeySpec, acquireToOpenKeyFlags(fAcquire))
HRESULT = 0x80090011
Anbieter = Microsoft Software Key Storage Provider
308.4030.0: 0x80090011 (-2146893807)
Der Verschlüsselungstest ist fehlgeschlagen.
313.1572.0: 0x80090011 (-2146893807)
313.1629.0: 0x80090010 (-2146893808)
313.1980.0: 0x80090010 (-2146893808)
313.2425.0: 0x80090010 (-2146893808)
313.4090.0: 0x80090010 (-2146893808): 07 64 5f e0 75 3b c2 9c 9b d2 ba 39 c4 0d 85 96 21 ee b0 d9
313.4100.0: 0x80090010 (-2146893808)
CertUtil: -repairstore-Befehl ist fehlgeschlagen: 0x80090010 (-2146893808)
CertUtil: Zugriff verweigert
301.3370.0: 0x80090010 (-2146893808)

c:\Windows\System32\CertSrv\CertEnroll>

If I get this right:
it opens the store...
finds the certificate, it is not expired...
the signature fits the public key...
root CA: applicant and issuer are identical...
and then the program throws an exception, and I wonder how to interpret this: is there an "access denied" or "not found" while opening a file or a registry key, or is this really an error in the program?

But the point is, I am getting out of ideas, and maybe someone has another idea?

Regards,
Volker
January 28th, 2010 12:27pm
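The two HRESULTs in the post are distinct CNG results: 0x80090011 is NTE_NOT_FOUND (the key container the certificate store points to cannot be opened) and 0x80090010 is NTE_PERM (the container exists but the caller is not allowed to use it). The following PowerShell diagnostic is an added example, not something from the thread or from Microsoft; it resolves the private-key reference behind the configured CA certificate and reports whether the Microsoft Software KSP's key file for it exists and who has access to it. It assumes an elevated Windows PowerShell 5.1 session with .NET Framework 4.6 or later on the CA host, and the registry layout under `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>`; the default CA name is a placeholder taken from the post's output.

```powershell
# Added diagnostic (not from the thread): for the CA certificate registered in the CertSvc
# configuration, check whether the private key the store points to can actually be opened
# and whether its CNG key file exists and is readable by SYSTEM (certsrv runs as LocalSystem).
# Assumptions: run elevated on the CA host, Windows PowerShell 5.1 / .NET Framework 4.6+,
# $CaName is the CA's registry/common name (placeholder taken from the thread's output).
param([string]$CaName = "example-ZS-CA")

$cfg  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$hash = $null
if (Test-Path $cfg) {
    # CACertHash holds the thumbprint(s) of the CA certificate(s) the service will load;
    # the last entry is the current one.
    $hash = ((Get-ItemProperty -Path $cfg -Name CACertHash -ErrorAction SilentlyContinue).CACertHash |
             Select-Object -Last 1) -replace ' ', ''
    $csp = Get-ItemProperty -Path "$cfg\CSP" -ErrorAction SilentlyContinue
    "Configured provider : $($csp.Provider)"
}

$cert = if ($hash) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
} else {
    # Fallback when the registry is not readable: newest certificate with the CA's CN.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}
if (-not $cert) { Write-Warning "CA certificate for '$CaName' not found in LocalMachine\My"; return }

"Thumbprint          : $($cert.Thumbprint)"
"Valid until         : $($cert.NotAfter)"
"Private key linked  : $($cert.HasPrivateKey)"   # only says the store holds a key reference

# Resolving that reference is where NTE_NOT_FOUND (0x80090011) / NTE_PERM (0x80090010) surface.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    "Opening the key failed: $($_.Exception.Message)"
    return
}
if (-not $rsa) { "Certificate carries no RSA private key reference."; return }

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $key = $rsa.Key
    "KSP                 : $($key.Provider.Provider)"
    "Key container       : $($key.KeyName)"
    # Machine keys of the Microsoft Software KSP are files named by UniqueName under
    # %ProgramData%\Microsoft\Crypto\Keys (legacy CAPI keys live under ..\RSA\MachineKeys).
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($key.UniqueName)"
    if (Test-Path $keyFile) {
        "Key file            : $keyFile"
        (Get-Acl $keyFile).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-String
    } else {
        "Key file            : MISSING - $keyFile (consistent with 'object not found')"
    }
} else {
    $info = $rsa.CspKeyContainerInfo
    "CAPI container      : $($info.KeyContainerName) (file $($info.UniqueKeyContainerName))"
}
```

Run it as `.\Check-CaKey.ps1 -CaName "hkd-ZS-CA"` from an elevated prompt. The outcome tells you which of the two failure modes in the post you are in: a missing key file means the container really is gone and the key has to come back from a CA backup (for example with `certutil -restorekey` from the exported PKCS#12), whereas an existing file whose ACL does not grant SYSTEM read access explains the "Zugriff verweigert" from `-repairstore` and is fixed by restoring the ACL rather than by reinstalling the CA.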

We have the same problem... Any ideas?

Best regards,
Alexander Zirbes
July 5th, 2011 3:05pm

Reinstalling the CA works for us.

Best regards,
Alexander Zirbes
August 26th, 2011 5:01am
