Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Kerberos Key Distribution Center Hung On Starting - and a certificate error

Posted on 2009-03-31
4
Medium Priority
?
1,266 Views
Last Modified: 2012-05-06
Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
0
Comment
Question by:rharland2009
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 24032979
try this:
certutil -dcinfo deletebad
(attempt to validate all the DC certificates issued to the domain controllers. Certificates that fail to validate will be removed)
certutil -pulse
(will refresh the CA advertisements to AD)
on the DC:
gpupdate /force


You can also set up PKI Health Tool (pkiview.msc) from the 2003 support tools kit.  See if everything checks out there.

Just to verify with the certsrv_dcom_access - is the CA installed on a DC or on a dedicated (or at least non-DC) box?  If on a DC, then that group should be in AD and should contain domain users, domain computers, and domain controllers - you may need to add domain controllers group unless you already did (which I would assume based on your comment).  If not on a DC, then this should not be necessary and it should be a local group on the CA.
0
 
LVL 11

Author Comment

by:rharland2009
ID: 24076994
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 2000 total points
ID: 24081550
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Make sure to check to see what certs are already issued so you can migrate them to the proper CA.  Having a CA on a DC is not good security practice and really gets in the way in a number of circumstances.

This is assuming that both were set up as root CA's and that one was not the subordinate of the other.

Let me know if there is more that I can help with...
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question