Udostępnij za pośrednictwem


Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations - however, once your CA database goes beyond the toddler stage and starts exceeding a few gigabytes you should consider tweaking a few knobs on it for better performance.

Avoid ticking auditing for Startup/Shutdown of the ADCS service (this causes a hashing of the database to occur during startup and shutdown which increases startup/shutdown times respectively).

See http://blogs.technet.com/b/instan/archive/2012/10/27/installing-ndes-restarts-certsvc-service-on-target-ca-server.aspx for details.

 

Increase the memory for version pages:

 The default values for version pages may not be sufficient for long-running queries.
Note: the caveat of using higher values for this will increase speed which the transaction logs for the CA database will fill up, so make sure you are not running low on diskpace on the drive hosting the CA DB logs and that your CA is being successfully backed up regularly so that the logs are truncated if you increase this setting.

The DBSessionCount registry value will increase the memory for version pages:

HKLMSYSTEMCurrentControlSetServicesCertSvcConfigurationDBSessionCount

by default it is set to 64 hex (100 Dec).  Inofficial tests have been run successfully up to 300.
In W2k8 and W2k3 this defaulted to a much lower value, 20 (hex).

Related error messages that indicate you are running with a too low value for DBSessionCount:

CertSvc Event ID 22: Certificate Services could not process request 9699144 due to an error: lMaxVerPages exceeded (XJET only) 0xc800042d (ESE: -1069). The request was for ....

ESENT Event ID 623: certsrv.exe (15192) The version store for this instance (0) has reached its maximum size of 20Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.

 

Increase the ViewAgeMinutes and ViewIdleMinutes registry keys to allow for longer-running queries in Certutil (or the MMC):

When you run a Query through the MMC or via Certutil, a timer kicks off for the view generated for the application.  If the Query isn't completed within the timerange specified in ViewAgeMinutes or if no activity is being performed by the application for the amount of time specified in ViewIdleMinutes then the view is garbage collected.
 

HKLMSystemCurrentControlSetservicesCertSvcConfiguration<NAME_OF_YOUR_CA>

ViewAgeMinutes (REG_DWORD) Default = 16
ViewIdleMinutes (REG_DWORD) Default = 8

The actual values should be higher than the maximum amount of time your Query takes to run.

Related error messages that indicate you are timing out on views:

In Certutil: ** "The handle is invalid. 0x800700006 (WIN32:6)"

 

Further details:

Tuning CA Database Performance
http://technet.microsoft.com/en-us/library/cc776911(v=WS.10).aspx

The Case of the Enormous CA Database
http://blogs.technet.com/b/askds/archive/2010/08.aspx?PageIndex=1

Comments

  • Anonymous
    July 15, 2013
    "by default it is set to 64 hex (100 Dec).  Inofficial tests have been run successfully up to 300." - its really work for "ESENT Event ID 623: certsrv.exe (15192) The version store for this instance (0) has reached its maximum size of 20Mb."