Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

We're getting Event ID 20, Source KDC

Posted on 2008-06-18
8
Medium Priority
?
1,009 Views
Last Modified: 2012-06-27
Hello,

We have a total of 4 Domain Controllers in our environment. All running 2003 SP2.

On 1 DC I'm getting these KDC errors in my system event log. I rebooted the server.

Event ID 20
Source KDC

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

Any ideas?

Thanks,

0
Comment
Question by:lyon-it
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 

Author Comment

by:lyon-it
ID: 21822698
Hi,

I edited this question from yesterday. I'm looking for help on this one Event ID in my system log.
Thanks
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21824293
Have you reviewed this article?
http://support.microsoft.com/kb/939088
0
 

Author Comment

by:lyon-it
ID: 21826750
Yes, I looked at the article, but I'm not sure what that commant does exactly? Does it only delete invalid domain certs? I guess I'm just paranoid I'll make things worse.

Thanks,
John
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 39

Expert Comment

by:ChiefIT
ID: 21826910
Certutil -dcinfo deleteBad

The "deletebad" option will sort out the bad certs from the good.

John
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21826932
The question is, was a CA removed from a DC?
0
 

Author Comment

by:lyon-it
ID: 21827023
I don't think a CA was removed from this DC. The article also says it should be a DC that does not have a CA installed. It does have a CA.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21827654
Oh, wait a second:
Are you running symantec end point protection? A firewall can also prevent you from contacting and binding to the RPC server:


And I suppose we should have checked the obvious. Is the RPC service started on the DC?

There are other software that could prevent you from running RPC>>
http://support.microsoft.com/?id=839880

Yours seems to be related to a bad CA cert. But, you said you didn't remove CA. I am thinking we should try an delete bad certs as mentionend above. Could this have expired?
Certutil -dcinfo deleteBad

0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 21828052
Why don't we try this:
I am currently working on two posts with what appears to be the same issue and we are making headway on the other post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23490393.html
From eventID.net:
""A problematic CA and old data in the Active Directory PKI Container may also cause this problem on a Windows 2003 domain. Use PKIview.msc from the Windows 2003 Rescource kit to check the status of the CA. This can occur if the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify that all entries report OK.  If there is a problem, then this may be the cause. If the ones reporting bad are http://, verify that IIS 6.0 is configured properly and that anonymous access is granted to the CertEnroll website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage AD Containers". Check each tab and remove any old CA information.
4) Reboot your server.""

This is a graphic user interface to look into these certs.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question