Solved

We're getting Event ID 20, Source KDC

Posted on 2008-06-18
8
1,005 Views
Last Modified: 2012-06-27
Hello,

We have a total of 4 Domain Controllers in our environment. All running 2003 SP2.

On 1 DC I'm getting these KDC errors in my system event log. I rebooted the server.

Event ID 20
Source KDC

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

Any ideas?

Thanks,

Question by:lyon-it
8 Comments
 

Author Comment

by:lyon-it
ID: 21822698
Hi,

I edited this question from yesterday. I'm looking for help on this one Event ID in my system log.
Thanks
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21824293
Have you reviewed this article?
http://support.microsoft.com/kb/939088
0
 

Author Comment

by:lyon-it
ID: 21826750
Yes, I looked at the article, but I'm not sure what that command does exactly. Does it only delete invalid domain certs? I guess I'm just paranoid I'll make things worse.

Thanks,
John
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21826910
Certutil -dcinfo deleteBad

The "deletebad" option will sort out the bad certs from the good.

John
0
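Before running a command that deletes anything, the check a practitioner wants is a read-only pass that shows which certificate on the DC the event is complaining about and why its chain no longer builds. The following PowerShell is an added example for this thread, not something from the original posts or from Microsoft's KB article; it assumes it runs locally on the affected DC with rights to read the machine certificate store, and the template and EKU names in the comments are general Windows PKI facts rather than anything taken from the thread.

```powershell
# Added example (not from the thread): read-only inspection of a DC's own
# certificates before any "certutil -dcinfo deleteBad" is run.
# Assumes it runs locally on the affected DC with rights to the machine store.

# 1) The warning itself: Event ID 20 from source KDC in the System log.
#    Get-EventLog is available on every PowerShell version, including on 2003.
Get-EventLog -LogName System -Source KDC -Newest 50 |
    Where-Object { $_.EventID -eq 20 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List

# 2) Every certificate in the machine Personal store, with the same chain
#    build the KDC performs. A DC's own cert comes from the Domain Controller,
#    Domain Controller Authentication or Kerberos Authentication template;
#    only the last of these carries the KDC Authentication EKU.
$kdcAuthEku = '1.3.6.1.5.2.3.5'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online so a CRL that can no longer be fetched shows up
    # as a chain status instead of being silently ignored.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $ekus   = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        KdcAuthEku = ($ekus -contains $kdcAuthEku)
        ChainOk    = $built
        ChainError = $status   # e.g. NotTimeValid, RevocationStatusUnknown, PartialChain
        Thumbprint = $cert.Thumbprint
    }
} | Select-Object Subject, Issuer, NotAfter, Expired, KdcAuthEku, ChainOk, ChainError, Thumbprint |
    Format-Table -AutoSize

# 3) The equivalent read-only pass from certutil, which reports every DC's
#    certificate status without deleting anything:
#    certutil -dcinfo verify
```

A certificate whose ChainOk is false with a status such as NotTimeValid (expired) or PartialChain (issuing CA no longer trusted or reachable) is the one the event refers to; that tells you whether the fix is re-enrolling the DC, restoring the CA's chain, or cleaning up a stale CA, rather than deleting certificates blind.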
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21826932
The question is, was a CA removed from a DC?
0
 

Author Comment

by:lyon-it
ID: 21827023
I don't think a CA was removed from this DC. The article also says it should be a DC that does not have a CA installed. It does have a CA.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21827654
Oh, wait a second:
Are you running Symantec Endpoint Protection? A firewall can also prevent you from contacting and binding to the RPC server.

And I suppose we should have checked the obvious. Is the RPC service started on the DC?

There is other software that could prevent you from running RPC:
http://support.microsoft.com/?id=839880

Yours seems to be related to a bad CA cert. But, you said you didn't remove CA. I am thinking we should try and delete bad certs as mentioned above. Could this have expired?
Certutil -dcinfo deleteBad

0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21828052
Why don't we try this:
I am currently working on two posts with what appears to be the same issue and we are making headway on the other post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23490393.html
From eventID.net:
"A problematic CA and old data in the Active Directory PKI Container may also cause this problem on a Windows 2003 domain. Use PKIview.msc from the Windows 2003 Resource Kit to check the status of the CA. This can occur if the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify that all entries report OK. If there is a problem, then this may be the cause. If the ones reporting bad are http://, verify that IIS 6.0 is configured properly and that anonymous access is granted to the CertEnroll website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage AD Containers". Check each tab and remove any old CA information.
4) Reboot your server."

This is a graphical user interface to look into these certs.
0
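Step 3 of the accepted solution is the destructive one, so it helps to see what "Manage AD Containers" is showing before removing entries. The PowerShell below is an added example, not part of the thread or of the PKIView tool; it lists the same Public Key Services containers read-only, using only [ADSI] and DirectorySearcher so it works without the Active Directory module. It assumes a domain-joined host and an ordinary domain account, and the container names and object classes are the standard ones Windows creates under the Configuration partition.

```powershell
# Added example, not part of the thread: a read-only listing of the AD PKI
# containers that PKIView's "Manage AD Containers" dialog edits, so a stale
# or removed CA can be identified before anything is deleted.
# Assumes a domain-joined host and a domain account (no AD module needed).

$configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-CertSummary {
    # Render a DER blob from a cACertificate attribute as subject / expiry / thumbprint.
    param([byte[]]$Der)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
    $flag = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'ok' }
    '{0} | expires {1:yyyy-MM-dd} ({2}) | {3}' -f $c.Subject, $c.NotAfter, $flag, $c.Thumbprint
}

function Get-PkiObjects {
    # Subtree search under one container of the Public Key Services tree.
    param([string]$Container, [string]$Filter)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $s.Filter      = $Filter
    $s.SearchScope = 'Subtree'
    $s.PageSize    = 200
    $s.FindAll()
}

'== Enrollment Services (CAs the forest believes are currently issuing) =='
foreach ($r in Get-PkiObjects 'Enrollment Services' '(objectClass=pKIEnrollmentService)') {
    $p = $r.Properties
    $caHost = [string]$p['dnshostname'][0]
    # A CA host name that no longer resolves is the classic leftover after a CA
    # was removed from the network and a new one added.
    $resolves = $(try { [System.Net.Dns]::GetHostEntry($caHost) | Out-Null; $true } catch { $false })
    "{0}`n  host={1} resolves={2}`n  {3}" -f $p['cn'][0], $caHost, $resolves, (Get-CertSummary $p['cacertificate'][0])
}

foreach ($container in 'Certification Authorities', 'AIA') {
    "== $container =="
    foreach ($r in Get-PkiObjects $container '(objectClass=certificationAuthority)') {
        $p = $r.Properties
        '{0}' -f $p['cn'][0]
        foreach ($blob in $p['cacertificate']) { '  ' + (Get-CertSummary $blob) }
    }
}

'== NTAuthCertificates (CAs trusted to issue logon certificates) =='
$ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
foreach ($blob in $ntAuth.Properties['cACertificate']) { '  ' + (Get-CertSummary $blob) }
```

An entry whose host no longer resolves, or whose CA certificate is expired while a newer CA with the same name is also listed, is the "old CA information" the accepted solution has you remove; an entry that matches the CA that is still online should be left alone, since removing it breaks certificate enrollment and logon-certificate trust for the whole domain.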
