Certificate Services won't start
I recently decommissioned a Root CA to install a fresh Root CA and I followed everything from this guide: http://support.microsoft.com/kb/889250. Except, I also deleted the OIDs. I figured it would re-create itself if it was really needed the next time I installed the AD CS role. Now when I install a Root CA on my DC, I get errors, and the service doesn't start. Whenever I try to manually start the service, it says, "Cannot complete this function." I found this post http://blogs.technet.com/b/askds/archive/2009/03/05/successful-errors-installing-windows-server-2008-certificate-authority.aspx and tried installing/uninstalling AD CS multiple times, still no luck. Domain Admins and Enterprise Admins have Full Control on Public Key Services and child containers inherit permissions from it. How can I install a working/clean Root CA without having to format and re-install Windows Server 2008?
Thomas
April 18th, 2011 5:48am

Check this article. You can post your query on Security Forum. Thanks
April 18th, 2011 6:18am

Hello, I think it will be better to post in Security Forums:
http://social.technet.microsoft.com/Forums/en-US/ocssecurity/threads
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 18th, 2011 6:22am

Hi Customer, Please use adsiedit.msc to check the permission on "CN=Public Key Service,CN=Services,CN=Configuration,DC=Domain,DC=Com", make sure that Enterprise admin and domain admin have full control.
Cannot Install Enterprise Certification Authority On Windows 2008: http://blogs.technet.com/b/niraj_kumar/archive/2009/04/23/cannot-install-enterprise-certification-authority-on-windows-2008.aspx
Regards, Rick Tan
April 19th, 2011 1:28am

In CN=Public Key Service,CN=Services,CN=Configuration,DC=Domain,DC=Com, Domain Admins and Enterprise Admins have Full Control.
April 19th, 2011 3:29pm

Hi Customer, below are some suggestions that I hope will be helpful to you.
Please use an Enterprise Admins account to install the root CA.
Please check the registry key HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\setupstatus and the security value: are they as the blog describes?
Please try to create a new private key as a root CA, with a name that is not the same as the old one.
Please try to install the CA on another DC if you have one.
Please post your CA event log error from your DC.
Regards, Rick Tan
April 19th, 2011 11:23pm

Registry key for SetupStatus is REG_DWORD with a value of 0x00006040 (24640). Registry key for Security is REG_BINARY with a value of 01 00 14 84 20 01 00 00 30 01 00 00 14 00 00 00 44 0.... I don't know what values I should change those registries to.

I just re-installed the Certificate Services with a new private key and a new CA name, still got the same error. I have tried installing an Enterprise Root CA on a domain member server, and I got the same error message when trying to start the Active Directory Certificate Services, "Windows could not start the Active Directory Certificate Services service on Local Computer. Error 1003: Cannot complete this function."

This was the event for the Application Events:
This was the event for the System Events:

I did some Googling and found out that CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} is related to the CertSvc service, and I stumbled upon this page: http://social.technet.microsoft.com/Forums/en-GB/winserversecurity/thread/4e74b829-4868-48ae-a5ba-cd2dc00af932, which also led me to this page, http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/239741f3-1ce7-476b-88b0-860d5e1724d2. I restarted the server but I'm still getting the same error.
April 20th, 2011 1:59am

Problem solved. I found the registry key for the Certificate Service service and I just deleted it. I figured re-installing would create a new one. These are the steps I took to install a clean AD CS:
1. I decommissioned my Root CA by following this guide: http://support.microsoft.com/kb/889250
2. Went into Administrative Tools > ADSI Edit > Deleted the CN=Public Key Service,CN=Services,CN=Configuration,DC=Domain,DC=Com container
3. Went into Regedit.exe > HKLM/Software/Classes/AppID > Deleted the {D99E6E74-FC88-11D0-B498-00A0C90312F3} key which is CertSrv
4. I re-created the CN=Public Key Services container in ADSI Edit by following this guide: http://support.microsoft.com/kb/938613
5. And then I was able to install a fresh Active Directory Certificate Services role without any errors, and the service starts fine.
Thanks Rick for trying to help me troubleshoot.
April 20th, 2011 3:34am
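
Added example, not part of the original thread or of any poster's reply: a read-only PowerShell inventory of the locations the steps above touch (the CertSvc service, its Configuration registry key, the two AppID CLSIDs quoted in the thread, and the Public Key Services container with the ACL entries for the two admin groups), so their state is on record before anything is deleted. It assumes it runs on the CA host in a domain-joined session with read access to the Configuration partition.

```powershell
# Added example: read-only checks, nothing is modified or deleted.

# 1. Service state
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($svc) { "CertSvc service: $($svc.Status)" } else { 'CertSvc service: not installed' }

# 2. SetupStatus for each CA under the CertSvc Configuration key
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path -LiteralPath $cfg) {
    foreach ($ca in Get-ChildItem -LiteralPath $cfg) {
        $status = (Get-ItemProperty -LiteralPath $ca.PSPath).SetupStatus
        if ($null -ne $status) {
            '{0}: SetupStatus = 0x{1:X8}' -f $ca.PSChildName, $status
        } else {
            '{0}: no SetupStatus value' -f $ca.PSChildName
        }
    }
} else {
    'No CertSvc\Configuration key present'
}

# 3. AppID keys for the two CLSIDs quoted in the thread (...73 and ...74)
$clsids = '{D99E6E73-FC88-11D0-B498-00A0C90312F3}', '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'
foreach ($id in $clsids) {
    $present = Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\AppID\$id"
    "AppID $id present: $present"
}

# 4. Public Key Services container: children and the two admin groups' ACEs
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=Public Key Services,CN=Services,$configNC"
if ([ADSI]::Exists("LDAP://$dn")) {
    $pks = [ADSI]"LDAP://$dn"
    "Children of ${dn}:"
    $pks.psbase.Children | ForEach-Object { '  ' + $_.psbase.Name }
    $pks.psbase.ObjectSecurity.Access |
        Where-Object { $_.IdentityReference -match 'Domain Admins|Enterprise Admins' } |
        ForEach-Object {
            '  ACE: {0} {1} {2} inherited={3}' -f $_.IdentityReference,
                $_.AccessControlType, $_.ActiveDirectoryRights, $_.IsInherited
        }
} else {
    "Container not found: $dn"
}
```

Redirecting the output to a file before and after a reinstall gives a direct comparison of which objects the AD CS setup re-created.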

This topic is archived. No further replies will be accepted.
