When configuring the auditing settings of a certification authority, one is inclined to also select the "Start and Stop Active Directory Certificate Services" option. However, this option can cause problems under some circumstances.
If the option is active, a checksum over the certification authority database is calculated every time the certification authority service is stopped or started, and the result is written to the event log (event IDs 4880 and 4881).
How long this checksum calculation takes depends on the size of the certification authority database. For a newly installed certification authority this is unproblematic, because the database is still small.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policies to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
However, the larger the database grows over time, the longer it takes to calculate the checksum. During this time the certification authority service appears to "hang": it remains in the "starting" or "stopping" state for several minutes. This causes problems in the following situations in particular:
- When installing a Network Device Enrollment Service (NDES), because the certification authority service is restarted during the installation; see the article "Role configuration for the Network Device Enrollment Service (NDES) fails with error message 'Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)'".
- During a failover when a certification authority cluster is used. Since the goal of a cluster is uninterrupted availability, this option is particularly counterproductive in that case.
The "Start and Stop Certificate Services" option should therefore only be activated if the event generated is also meaningfully evaluated, and the associated disadvantages are known and accepted.
This can be achieved very easily via the command line with the following command:
certutil -setreg CA\Auditfilter -1
Afterwards, the certification authority service must be restarted.
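As an added example (not part of the original post), the following PowerShell script checks whether a CA still has the "Start and Stop" audit category enabled, lists the most recent 4880/4881 events so you can judge whether anyone actually evaluates them, and, only when asked to with -Clear, removes that single bit using the certutil syntax shown above. It assumes it runs on the CA host with local administrator rights and that the CA configuration lives in the standard CertSvc registry location; the function names are my own.

```powershell
# Added example, not from the original post or the project it describes.
# Assumptions: run on the CA host as local administrator; standard CertSvc registry layout;
# certutil's "-setreg <key> -<value>" clears exactly the given bit(s) of a DWORD flag value.

function Get-CaStartStopAudit {
    [CmdletBinding()]
    param(
        # Remove only the Start/Stop audit bit (value 1); all other audit categories stay as they are.
        [switch]$Clear
    )

    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The "Active" value holds the name of the CA instance configured on this host.
    $caName = (Get-ItemProperty -Path $configKey -Name 'Active').Active
    $caKey  = Join-Path -Path $configKey -ChildPath $caName

    $filter    = [int](Get-ItemProperty -Path $caKey -Name 'AuditFilter').AuditFilter
    $startStop = 1   # bit value of the Start/Stop category; the "-1" in the certutil command above
    $enabled   = ($filter -band $startStop) -ne 0

    [PSCustomObject]@{
        CA               = $caName
        AuditFilter      = ('0x{0:x} ({0})' -f $filter)
        StartStopAudited = $enabled
    }

    if ($Clear -and $enabled) {
        # Same command as in the post: clear bit 1 without touching the remaining bits.
        & certutil.exe -setreg 'CA\AuditFilter' "-$startStop"
        Write-Warning 'AuditFilter changed. Restart the CertSvc service for the change to take effect.'
    }
}

function Get-CaStartStopEvents {
    [CmdletBinding()]
    param([int]$MaxEvents = 10)

    # 4880 = Certificate Services started, 4881 = Certificate Services stopped (Security log).
    # If these never show up in any report or SIEM rule, the audit category buys nothing but the
    # checksum delay described in the post.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881 } -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } }
}

# Usage:
#   Get-CaStartStopAudit            # report only
#   Get-CaStartStopEvents           # are the events being produced (and looked at)?
#   Get-CaStartStopAudit -Clear     # disable the category, then restart CertSvc
```

The check is read-only unless -Clear is given, so it can be run routinely; comparing the timestamps of consecutive 4881 and 4880 events also gives a rough measure of how long the checksum calculation currently delays a restart on a given CA.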
Related links:
External sources
- Installing NDES restarts CertSvc service on target CA server (Microsoft, archive.org)