lyon-it
asked on
We're getting Event ID 20, Source KDC
Hello,
We have a total of 4 Domain Controllers in our environment. All running 2003 SP2.
On 1 DC I'm getting these KDC errors in my system event log. I rebooted the server.
Event ID 20
Source KDC
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
Any ideas?
Thanks,
Have you reviewed this article?
http://support.microsoft.com/kb/939088
ASKER
Yes, I looked at the article, but I'm not sure what that command does exactly. Does it only delete invalid domain certs? I guess I'm just paranoid I'll make things worse.
Thanks,
John
Certutil -dcinfo deleteBad
The "deletebad" option will sort out the bad certs from the good.
John
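Before running "deletebad" it helps to see which certificates it would remove and why they fail. The script below is an added example, not from this thread or from the Microsoft article; it assumes PowerShell is installed on the DC (not present by default on Server 2003) and that the KDC's certificate lives in the machine's Personal store. The function names Get-KdcCandidateCert and Test-KdcCertChain are mine. It lists every machine certificate a KDC could select (Server Authentication EKU, as issued by the Domain Controller templates, or KDC Authentication EKU, as issued by the Kerberos Authentication template), builds each one's chain with online revocation checking, and prints the chain status flags, which are the same CERT_TRUST conditions the event refers to as "the chain status". It then shows the read-only certutil check that reports without deleting, next to the command from the answer above.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the DC
# that logs KDC Event ID 20. Function names and the choice of store are assumptions.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (Domain Controller templates)
$kdcAuthOid    = '1.3.6.1.5.2.3.5'     # KDC Authentication EKU (Kerberos Authentication template)

# Return certificates in LocalMachine\My that carry an EKU a KDC can use.
function Get-KdcCandidateCert {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $oids = @()
        foreach ($ext in $_.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $oids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        ($oids -contains $serverAuthOid) -or ($oids -contains $kdcAuthOid)
    }
}

# Build the chain for one certificate and report expiry, issuer and every chain status flag.
function Test-KdcCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking, so an unreachable or stale CRL shows up as
    # RevocationStatusUnknown / OfflineRevocation instead of being silently skipped.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

    $valid = $chain.Build($Cert)
    $status = if ($valid) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { "$($_.Status)" }) -join ', ' }

    New-Object PSObject -Property @{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        NotAfter    = $Cert.NotAfter
        Expired     = ($Cert.NotAfter -lt (Get-Date))
        ChainValid  = $valid
        ChainStatus = $status   # e.g. NotTimeValid, UntrustedRoot, PartialChain, RevocationStatusUnknown
    }
}

Get-KdcCandidateCert | ForEach-Object { Test-KdcCertChain -Cert $_ } | Format-List

# Built-in certutil equivalents. "verify" only reports the per-DC certificate status;
# "deleteBad" (the command given in the answer above) removes certificates that fail verification.
certutil -dcinfo verify
# certutil -dcinfo deleteBad
```

Read the ChainStatus column before deleting anything: NotTimeValid on every candidate means the DC simply needs a fresh certificate (autoenrollment or a manual request against the Domain Controller template), while UntrustedRoot or PartialChain points at a missing or changed issuing CA, which deleting the DC's certificate will not fix.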
The question is, was a CA removed from a DC?
ASKER
I don't think a CA was removed from this DC. The article also says it should be a DC that does not have a CA installed. It does have a CA.
Oh, wait a second:
Are you running Symantec Endpoint Protection? A firewall can also prevent you from contacting and binding to the RPC server:
And I suppose we should have checked the obvious. Is the RPC service started on the DC?
There is other software that could prevent you from running RPC:
http://support.microsoft.com/?id=839880
Yours seems to be related to a bad CA cert. But you said you didn't remove the CA. I am thinking we should try to delete bad certs as mentioned above. Could this have expired?
Certutil -dcinfo deleteBad
ASKER
I edited this question from yesterday. I'm looking for help on this one Event ID in my system log.
Thanks