When configuring the auditing settings of a certificate authority, one is inclined to select the "Start and Stop Active Directory Certificate Services" option. However, this option may cause problems in some circumstances.
If this option is active, a hash of the certification authority database is calculated each time the certification authority service is started or stopped and written to the event log (events no. 4880 and 4881).
The duration of the calculation of this checksum depends on the size of the certification authority database. For a newly installed certification authority, this is still unproblematic due to the small database size. However, the larger the database becomes over time, the longer it takes to generate the checksum. During this time, the certification authority service seems to "hang" - it remains in the "being started" or "being terminated" state, and may well do so for several minutes. This can cause problems especially in the following situations:
- When installing a Network Device Enrollment Service (NDES), because the installation restarts the certificate authority service; see the article 'Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)"'.
- During cluster switching, when a certification authority cluster is used. Since the goal of a cluster is uninterrupted availability, this option is therefore particularly counterproductive in this case.
The "Start and Stop Active Directory Certificate Services" option should therefore only be activated if the generated events are actually evaluated in a meaningful way, and the associated disadvantages are known and accepted.
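To check whether this bit is set on a CA before it causes a long start or stop, the following PowerShell script is an added example (not code from the original article). It assumes the AuditFilter REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name> and the flag values used by "certutil -setreg CA\AuditFilter"; run it on the CA with local administrator rights.

```powershell
# Added example: decode the CA's AuditFilter value and optionally clear bit 1,
# which is the "Start and stop Active Directory Certificate Services" option.
# Assumption: registry layout HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\
# Configuration\<CA name>\AuditFilter and the flag values of certutil -setreg.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableStartStopAudit
)

$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# "Active" holds the common name of the CA instance on this server.
$caName  = (Get-ItemProperty -Path $base -Name Active).Active
$caKey   = Join-Path $base $caName
$current = [int](Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction Stop).AuditFilter

# Bit meanings of AuditFilter, in the order of the "Auditing" tab of the CA properties.
$flags = [ordered]@{
    1  = 'Start and stop Active Directory Certificate Services'
    2  = 'Back up and restore the CA database'
    4  = 'Issue and manage certificate requests'
    8  = 'Change CA configuration'
    16 = 'Change CA security settings'
    32 = 'Store and retrieve archived keys'
    64 = 'Revoke certificates and publish CRLs'
}

"CA '$caName': AuditFilter = $current (0x{0:X2})" -f $current
foreach ($bit in $flags.Keys) {
    $state = if ($current -band $bit) { 'ON ' } else { 'off' }
    "  [$state] $($flags[$bit])"
}

if ($current -band 1) {
    Write-Warning 'Start/stop auditing is enabled: events 4880/4881 hash the CA database on every service start and stop.'
    if ($DisableStartStopAudit) {
        $new = $current -band (-bnot 1)   # clear only bit 1, keep the other audit categories
        if ($PSCmdlet.ShouldProcess("$caKey\AuditFilter", "Set to $new")) {
            Set-ItemProperty -Path $caKey -Name AuditFilter -Value $new -Type DWord
            'Changed. Restart the CertSvc service for the new value to take effect.'
        }
    }
}
```

Run without parameters to report only; `-DisableStartStopAudit -WhatIf` shows the change that would be written, and the service restart needed to apply it is itself a start/stop that still gets hashed under the old setting.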
Related links:
External sources
- Installing NDES restarts CertSvc service on target CA server (Microsoft, archive.org)