?
Solved

We're getting Event ID 20, Source KDC

Posted on 2008-06-18
8
Medium Priority
?
1,008 Views
Last Modified: 2012-06-27
Hello,

We have a total of 4 Domain Controllers in our environment. All running 2003 SP2.

On 1 DC I'm getting these KDC errors in my system event log. I rebooted the server.

Event ID 20
Source KDC

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

Any ideas?

Thanks,

0
Comment
Question by:lyon-it
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 

Author Comment

by:lyon-it
ID: 21822698
Hi,

I edited this question from yesterday. I'm looking for help on this one Event ID in my system log.
Thanks
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21824293
Have you reviewed this article?
http://support.microsoft.com/kb/939088
0
 

Author Comment

by:lyon-it
ID: 21826750
Yes, I looked at the article, but I'm not sure what that commant does exactly? Does it only delete invalid domain certs? I guess I'm just paranoid I'll make things worse.

Thanks,
John
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 39

Expert Comment

by:ChiefIT
ID: 21826910
Certutil -dcinfo deleteBad

The "deletebad" option will sort out the bad certs from the good.

John
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21826932
The question is, was a CA removed from a DC?
0
 

Author Comment

by:lyon-it
ID: 21827023
I don't think a CA was removed from this DC. The article also says it should be a DC that does not have a CA installed. It does have a CA.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21827654
Oh, wait a second:
Are you running symantec end point protection? A firewall can also prevent you from contacting and binding to the RPC server:


And I suppose we should have checked the obvious. Is the RPC service started on the DC?

There are other software that could prevent you from running RPC>>
http://support.microsoft.com/?id=839880

Yours seems to be related to a bad CA cert. But, you said you didn't remove CA. I am thinking we should try an delete bad certs as mentionend above. Could this have expired?
Certutil -dcinfo deleteBad

0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 21828052
Why don't we try this:
I am currently working on two posts with what appears to be the same issue and we are making headway on the other post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23490393.html
From eventID.net:
""A problematic CA and old data in the Active Directory PKI Container may also cause this problem on a Windows 2003 domain. Use PKIview.msc from the Windows 2003 Rescource kit to check the status of the CA. This can occur if the CA is removed from the network and a new one is added.

1) Install rktools, run the Microsoft Management Console, and add the standalone snap-in "Enterprise PKI".
2) Expand the console tree in the scope pane, click on your CA, and verify that all entries report OK.  If there is a problem, then this may be the cause. If the ones reporting bad are http://, verify that IIS 6.0 is configured properly and that anonymous access is granted to the CertEnroll website.
3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage AD Containers". Check each tab and remove any old CA information.
4) Reboot your server.""

This is a graphic user interface to look into these certs.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question