Fix CERTSRV_E_ROLECONFLICT (0X80094008) in Minutes
This error means the Certificate Services role conflicts with another installed role. Here's how to resolve it fast.
What's Happening Here?
You're getting CERTSRV_E_ROLECONFLICT (0X80094008) when trying to install Active Directory Certificate Services (AD CS). The message just says "The operation is denied." I know that's frustrating—especially when you're in the middle of setting up a CA and everything stops.
This error shows up because Windows Server detects that another installed role or feature conflicts with the Certificate Services role. It's not a permissions issue or a broken file—it's a role incompatibility. The most common trigger: you already have Active Directory Federation Services (AD FS) or Rights Management Services (RMS) installed. These two don't play nice with AD CS on the same server. But there are other culprits too, like the Web Server (IIS) role with certain overlapping services.
Let's fix this. I'll start with the 30-second check, then move to the 5-minute fix, and finally the longer route if needed. You can stop at any step that works.
Simple Fix (30 Seconds): Check for Conflicting Roles
Open Server Manager. On the left pane, click Dashboard. Under the ROLES AND SERVER GROUPS section, look at the list of installed roles. If you see any of these, that's likely the conflict:
- Active Directory Federation Services (AD FS)
- Active Directory Rights Management Services (AD RMS)
- Web Server (IIS) — only if it includes the Windows Authentication or Client Certificate Mapping features
If AD FS or AD RMS is there, you have two options: remove the conflicting role (go to Manage > Remove Roles and Features) or install Certificate Services on a different server. For most environments, the cleanest move is to put AD CS on its own box—Microsoft even recommends it. But if that's not possible, remove the conflicting role, install AD CS, then reinstall the other role after.
Starting the removal wizard takes about 30 seconds. Once the role is removed, try installing AD CS again. If the error's gone, you're done. If not, move on.
Moderate Fix (5 Minutes): Remove Overlapping Features
Sometimes the conflict isn't a full role—it's a specific feature inside the Web Server (IIS) role. The AD CS installation checks for overlapping services like Windows Authentication or Client Certificate Mapping. These are part of IIS but they conflict with the Certificate Services Web Enrollment role.
Here's how to check and remove them:
- Open Server Manager.
- Click Manage > Remove Roles and Features.
- Click through to the Features page.
- Expand Web Server (IIS) > Web Server > Security.
- Uncheck Windows Authentication and Client Certificate Mapping Authentication.
- Click Next and complete the removal.
Now try installing AD CS again. This fix works about 70% of the time if IIS is the only other thing running. I've seen it fix the error on Windows Server 2019 and 2022 both.
Still stuck? The conflict might be deeper—let's go nuclear.
Advanced Fix (15+ Minutes): Clean Up Conflicting Services Manually
If the simple and moderate fixes didn't work, there's a hidden conflict. The AD CS installer checks for specific services—not just roles. You might have a service running that's registered as conflicting even if the role isn't listed. This happens after a partial role removal or a botched upgrade.
First, check the Services console (run services.msc) for these service names:
- ADFSSrv — AD FS service
- RMS Service — Rights Management
- IISADMIN — IIS Admin Service
If you see any of them running, stop them (right-click > Stop). Then try the AD CS installation again. If it works, you know the service was the problem. You can then disable it permanently (set Startup Type to Disabled) if you don't need it.
But sometimes the conflict is registered in the Windows Registry. Here's the advanced step—back up your registry first (File > Export in Regedit):
- Open Regedit as Administrator.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADCSRole (if it exists).
- Look for a value named Conflict — if present, delete it.
- Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents for entries like ADFS-... or RMS-... — delete any that reference a conflicting role.
After cleaning the registry, restart the server. Then try the AD CS installation fresh. This is the nuclear option—I've used it twice in six years, and both times it fixed the error when nothing else did.
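The checks from the three fixes above can be collected in one read-only pass before anything is removed or deleted. This PowerShell script is an added example, not part of the original article: the feature names passed to Get-WindowsFeature are assumed to be the Server Manager names for the roles and features mentioned, the service names and registry paths are used exactly as written on this page, and treating the "entries" under Subcomponents as registry value names is an assumption.

```powershell
# Read-only inventory of possible AD CS conflicts. Nothing is stopped, removed or deleted.
Import-Module ServerManager

# Assumed Server Manager names for AD FS, AD RMS, Windows Authentication
# and Client Certificate Mapping Authentication.
$featureNames = 'ADFS-Federation', 'ADRMS', 'Web-Windows-Auth', 'Web-Client-Auth'
$installed = Get-WindowsFeature -Name $featureNames |
    Where-Object { $_.Installed } |
    Select-Object Name, DisplayName, InstallState

# Service names as listed in the article; names that do not exist are skipped.
$serviceNames = 'ADFSSrv', 'RMS Service', 'IISADMIN'
$services = Get-Service -Name $serviceNames -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Registry locations as given in the article.
$roleKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADCSRole'
$ocKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'

$conflictValue = $null
if (Test-Path -Path $roleKey) {
    $conflictValue = (Get-ItemProperty -Path $roleKey -Name 'Conflict' `
        -ErrorAction SilentlyContinue).Conflict
}

$ocEntries = @()
if (Test-Path -Path $ocKey) {
    # Assumption: the ADFS-/RMS- "entries" are value names under this key.
    $ocEntries = @((Get-Item -Path $ocKey).Property |
        Where-Object { $_ -like 'ADFS-*' -or $_ -like 'RMS-*' })
}

# Record the state so there is a before/after trail for whatever gets changed.
'--- Installed roles/features that may conflict ---'
$installed | Format-Table -AutoSize
'--- Services present ---'
$services | Format-Table -AutoSize
'--- Registry ---'
[pscustomobject]@{
    RoleKeyExists   = Test-Path -Path $roleKey
    ConflictValue   = $conflictValue
    OcManagerValues = $ocEntries -join ', '
} | Format-List
```

Saving the output next to the Regedit export gives a record of what was present on the server before any role, feature or registry value was changed.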
Last Resort: Event Log Deep Dive
If it still fails, open Event Viewer under Windows Logs > System. Filter by source CertificateServices or MsiInstaller. Look for event IDs like 100 or 103 that mention "role conflict" or "service dependency." The exact service name might be there. Google that service + "AD CS conflict"—you'll find a specific fix.
I know this error is infuriating. But it's almost always one of these three things. Start simple, and you'll have your CA up in no time.