Fix CERTSRV_E_NO_DB_SESSIONS (0x8009400F) on Windows CA
This error hits when your Certification Authority runs out of database sessions—usually during peak enrollment. Restarting the service or increasing the session pool fixes it.
You're running a Windows Server 2019 or 2022 Active Directory Certificate Services (ADCS) environment. Maybe it's a busy enterprise CA handling smartcard logons or machine certificate autoenrollment. Suddenly, certificate requests start failing. You check the CA Event Viewer and see CERTSRV_E_NO_DB_SESSIONS (0x8009400F). The exact message: "An attempt was made to open a CA database session, but there are already too many active sessions."
This tripped me up the first time too. I thought the database was corrupt—it wasn't. The CA database uses a fixed pool of internal sessions (think of them as open connections) to handle requests. When too many certificates are being issued simultaneously, or a rogue client is hammering the CA, you exhaust that pool. The CA can't open a new session to log the request, so it bails with this error.
Root Cause: Session Pool Exhaustion
The CA database engine (Jet Blue, same one used by Exchange and WDS) has a default maximum of 20 sessions. Each certificate request, revocation check, or CRL update uses one. Under normal load, 20 is plenty. But when you've got hundreds of autoenrollment requests firing at once—say, after a GPO change pushes a new certificate template—the pool empties. The CA rejects new requests until a session frees up.
I've also seen this happen after a failed backup or restore left orphaned sessions. That's rarer, but worth knowing.
Fix: Increase the Session Limit
You've got two options. The quick restart works if this is a one-time spike. But if it keeps happening, you need to bump up the limit permanently. I recommend the permanent fix first—it takes 5 minutes and prevents recurrence.
- Stop the CA service
Open PowerShell as Administrator and run:
Stop-Service CertSvc
Or use Services.msc and stop "Active Directory Certificate Services".
- Back up the registry key
Before editing, export this key:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration
Right-click it in regedit → Export. Save it somewhere safe.
- Add the MaxSessions value
Navigate to:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration
Create a new DWORD (32-bit) named MaxSessions. Set its value to 100 (decimal). That's a safe ceiling—I've never needed more than 100 even on a CA issuing 10,000 certs a day.
- Restart the CA service
Start-Service CertSvc
Wait 30 seconds for the database to reinitialize.
- Test enrollment
Submit a certificate request manually via the Certificates MMC or certreq -new. If it succeeds, you're good.
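The steps above as a single script, for running the change the same way on each CA. This is an added example, not the author's own code: the registry path and the MaxSessions value name are taken from the steps above, while the backup folder C:\CABackup and the variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the manual steps above.
$ErrorActionPreference = 'Stop'

$regPath   = 'HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration'  # from the article
$regExport = 'HKLM\System\CurrentControlSet\Services\CertSvc\Configuration'   # same key, reg.exe syntax
$valueName = 'MaxSessions'   # value name as given in the article
$newLimit  = 100             # decimal, as given in the article
$backupDir = 'C:\CABackup'   # assumption: a folder only CA administrators can read

# 1. Stop the CA so the new value is read when the service starts again.
Stop-Service -Name CertSvc

try {
    # 2. Export the key first. The file name is timestamped so earlier backups survive.
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $backupDir "CertSvc-Configuration-$stamp.reg"
    & reg.exe export $regExport $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # 3. Record the previous value (empty if it never existed), then create or overwrite the DWORD.
    $old = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $newLimit -Force | Out-Null
    $now = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
    Write-Host ("{0}: previous='{1}' current='{2}' backup='{3}'" -f $valueName, $old, $now, $backupFile)
}
finally {
    # 4. Always bring the CA back, even if the backup or the edit failed.
    Start-Service -Name CertSvc
}

# 5. Give the database 30 seconds to reinitialize, then confirm the service stayed up.
Start-Sleep -Seconds 30
$svc = Get-Service -Name CertSvc
if ($svc.Status -ne 'Running') { throw "CertSvc is $($svc.Status) after restart" }
Write-Host 'CertSvc is running. Submit a test request to confirm enrollment works.'
```

To roll back, stop the service, import the exported .reg file, and start the service again.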
Alternative: Restart the Service (Temporary Fix)
If you're in a pinch and just need to clear the backlog fast:
Restart-Service CertSvc
This kills all active sessions and resets the pool to 20. It'll work for a few hours, but the error will return under heavy load. Only use this if you can't reboot or edit the registry right now.
What to Check If It Still Fails
If the error persists after bumping MaxSessions to 100, something else is wrong. Here's what I'd check:
- Orphaned sessions — A previous crash may have left sessions hanging. Run
netstat -ano | findstr 135
to see if RPC connections are piling up. A reboot of the CA server clears these.
- Database corruption — Run
esentutl /g %windir%\system32\certsrv\certlog\edb.log
If it reports errors, you'll need to restore from backup. The session limit increase won't help.
- Faulty client — Check the CA's request log for a single IP sending hundreds of requests. That's likely a misconfigured autoenrollment GPO or a rogue device. Block it at the firewall temporarily.
- Resource limits — Low memory or disk I/O can starve the database engine. Monitor
certutil -view
for queue depth. If you see more than 50 pending requests, your CA might be underpowered.
I've fixed this exact error on five different CAs over the years. Increase MaxSessions to 100—it's the real fix. Don't overdo it; 200+ can cause memory pressure on older hardware.