Solved: Error “Cannot Manage Active Directory Certificate Services”

Admins configuring Active Directory Certificate Services (AD CS) for their network may encounter the following error message:

Cannot manage active directory certificate services. The system cannot find the file specified: 0x800700002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Fortunately, this error is usually easily fixed by retrying the Post Deployment Configuration process, which will replace the missing file and fix AD CS. Here’s a short guide to reconfiguring, as well as some alternative solutions in case that didn’t work.

Guide to Fixing “Cannot Manage Active Directory Certificate Services” Error

1. Run Post Deployment Configuration in Windows Server 2012 Manager.
   • A notification with a yellow warning triangle should be in the top corner of the window since your AD CS configuration is incomplete.
2. Choose admin credentials of sufficient permissions.
3. Select desired Role Services to configure.
   • At minimum, you will need Certificate Authority (CA) and an enrollment service.
4. Choose whichever type of CA you want to configure: Standalone or Enterprise. Then choose whether you want it to be the root CA or a subordinate CA.
   • Since you are setting up AD CS, it’s likely you don’t have a root CA yet and will need to choose that option.
5. Choose to create a new private key or use an existing one to set up the CA.
   • First time AD CS users should create a new private key.
6. Choose cryptography options. Unless you have a specific need, the default options are sufficient.
   • Note that SHA1 has not been secure since 2005.
7. Set certificate validity period.
   • Unlike passwords, certificates do not need to be rotated frequently. Industry standard certificate lifetime is 2-5 years.
8. Specify database locations.
   • Use the default location settings unless you have a specific need.

That concludes the CA configuration, though if you included other Role Services to configure there may be more steps.

Alternate Solutions

• Ensure that the Remote Registry Service is enabled (even if you don’t plan to use it). Choose the “Manual” setting and no further configuration is required.
• Confirm device date and time settings are accurate.
• If using Certificate Authority Web Enrollment, ensure that port 80/443 is open and unused.

SecureW2 as an Alternative to AD CS

The best solution for getting AD CS to work is to not use it at all. Even organizations with legacy Active Directory environments have better options for PKI authentication than AD CS. Federated directory services, like the one SecureW2 offers, allow you to clone your on-premise directory to the cloud so that you can integrate with secure, modern  cloud PKI infrastructure.

Since AD CS lacks most of the certificate enrollment and management features a real certificate management system (CMS) has anyway, it’s a win-win. Users will receive the security and user-experience enhancements of digital certificates and IT can enjoy a robust, fully-featured single pane management portal that allows you to see the entire network at a glance.

It’s likely that using SecureW2’s managed cloud PKI is cheaper than operating an on-premise PKI with AD and AD CS. We have affordable options for organizations of every size. Click here to see our prices.