Event ID - 30

Event Id30
SourceHRA
Description"The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority %1 denied the request with the following error: %2. Contact the Certification Authority administrator to check the permissions and for more information.%3"
Event InformationAccording to Microsoft :
Cause
This event is logged when the Health Registration Authority was unable to connect to the Certification Authority to remove expired records.
Resolution
Grant HRA permission to manage the CA server
Due to the short-lived nature of health certificates, the number of expired certificates in the CA database can be excessive. Therefore, it is important to monitor the size of the CA database carefully. By default, HRA will attempt to manage the CA database by periodically removing expired records. If your HRA and NAP CA are running on the same computer, Network Service must be granted permission to manage the CA. If your HRA and NAP CA are running on different computers, this permission must be granted to the computer name for your HRA server. If you use another method to maintain the CA database, you can disable HRA from performing this function.
This error condition indicates that HRA does not have the permission required to remove expired records from the CA database, or that the HRA server has lost connectivity to the CA server.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Grant permission to HRA to remove expired records
To grant permission to HRA to remove expired records from the CA database:
1.On the computer where Active Directory Certificate Services (AD CS) is installed, click Start, click Run, type certsrv.msc, and then press ENTER.
2.Right-click the common name for your CA, and then click Properties.
3.Click the Security tab, and then click Add.
4.If HRA is running on the CA server, under Enter the object names to select, type Network Service, and then click OK.
5.If HRA is running on a server other than the CA server, click Object Types, select the Computers check box, and then click OK. Under Enter the object names to select, type the DNS name of your HRA server, and then click OK.
6.Click the name of your HRA server, or click NETWORK SERVICE, and for Manage CA, select Allow.
7.Click OK, and then close the Certification Authority console.
Disable HRA from removing expired records
To disable HRA from removing expired records from the CA database:
1.On the computer where AD CS is installed, click Start, click Run, type regedit, and then press ENTER.
2.Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HCS registry key.
3.In the details pane, double-click CertDBCleanupInterval.
4.In the Edit DWORD dialog box, under Value data, the default value of 12c is displayed in hexadecimal notation.
5.Under Base, click Decimal. The value of Value data will change to 300, corresponding to the default CA database cleanup period of 300 seconds.
6.Under Value data, type the number 0, and then click OK.
7.Close the Registry Editor window.
Note: If you disable HRA from removing expired records from the CA database, you must use another method for managing the CA database.
Verify
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To verify that the CA servers are responding, and that AD CS and HRA are configured to issue health certificates:
1.On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
2.In the console tree, click Issued Certificates.
3.In the details pane, under Certificate Effective Date, confirm that health certificates are being issued with a current date.
4.In the console tree, click Failed Requests.
5.In the details pane, under Request Submission Date, confirm that there are no failed health certificate requests displayed with a current date.
6.In the console tree, click Pending Requests.
7.In the details pane, under Request Submission Date, confirm that there are no pending health certificate requests displayed with a current date.
To verify that HRA is successfully removing expired records from the CA database:
1.On the computer where AD CS is installed, click Start, and then click Command Prompt.
2.In the command window, type reg query hklm\software\microsoft\hcs, and then press ENTER.
3.In the command output, record the value of CertDBCleanupInterval. This is the time interval, in seconds, used by HRA to remove expired records from the CA database. The value is expressed in hexadecimal notation, and by default is set to 0x12c, which corresponds to 300 seconds.
4.Click Start, click Run, type certsrv.msc, and then press ENTER.
5.In the Certification Authority console tree, click Issued Certificates.
6.In the details pane, under Certificate Expiration Date, verify that no certificates have been expired for longer than the value of CertDBCleanupInterval.
Reference LinksEvent ID 30 from HRA

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh