Solved

We're getting Event ID 20, Source KDC

Posted on 2008-06-18
8
999 Views
Last Modified: 2012-06-27
Hello,

We have a total of 4 Domain Controllers in our environment. All running 2003 SP2.

On 1 DC I'm getting these KDC errors in my system event log. I rebooted the server.

Event ID 20
Source KDC

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

Any ideas?

Thanks,

0
Comment
Question by:lyon-it
  • 5
  • 3
8 Comments
 

Author Comment

by:lyon-it
ID: 21822698
Hi,

I edited this question from yesterday. I'm looking for help on this one Event ID in my system log.
Thanks
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21824293
Have you reviewed this article?
http://support.microsoft.com/kb/939088
0
 

Author Comment

by:lyon-it
ID: 21826750
Yes, I looked at the article, but I'm not sure what that commant does exactly? Does it only delete invalid domain certs? I guess I'm just paranoid I'll make things worse.

Thanks,
John
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21826910
Certutil -dcinfo deleteBad

The "deletebad" option will sort out the bad certs from the good.

John
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21826932
The question is, was a CA removed from a DC?
0
 

Author Comment

by:lyon-it
ID: 21827023
I don't think a CA was removed from this DC. The article also says it should be a DC that does not have a CA installed. It does have a CA.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 21827654
Oh, wait a second:
Are you running symantec end point protection? A firewall can also prevent you from contacting and binding to the RPC server:


And I suppose we should have checked the obvious. Is the RPC service started on the DC?

There are other software that could prevent you from running RPC>>
http://support.microsoft.com/?id=839880

Yours seems to be related to a bad CA cert. But, you said you didn't remove CA. I am thinking we should try an delete bad certs as mentionend above. Could this have expired?
Certutil -dcinfo deleteBad

0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 21828052
Why don't we try this:
I am currently working on two posts with what appears to be the same issue and we are making headway on the other post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23490393.html
From eventID.net:
""A problematic CA and old data in the Active Directory PKI Container may also cause this problem on a Windows 2003 domain. Use PKIview.msc from the Windows 2003 Rescource kit to check the status of the CA. This can occur if the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify that all entries report OK.  If there is a problem, then this may be the cause. If the ones reporting bad are http://, verify that IIS 6.0 is configured properly and that anonymous access is granted to the CertEnroll website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage AD Containers". Check each tab and remove any old CA information.
4) Reboot your server.""

This is a graphic user interface to look into these certs.
0

Join & Write a Comment

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now