Solved

Kerberos Key Distribution Center Hung On Starting - and a certificate error

Posted on 2009-03-31
4
1,251 Views
Last Modified: 2012-05-06
Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
0
Comment
Question by:rharland2009
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24032979
try this:
certutil -dcinfo deletebad
(attempt to validate all the DC certificates issued to the domain controllers. Certificates that fail to validate will be removed)
certutil -pulse
(will refresh the CA advertisements to AD)
on the DC:
gpupdate /force


You can also set up PKI Health Tool (pkiview.msc) from the 2003 support tools kit.  See if everything checks out there.

Just to verify with the certsrv_dcom_access - is the CA installed on a DC or on a dedicated (or at least non-DC) box?  If on a DC, then that group should be in AD and should contain domain users, domain computers, and domain controllers - you may need to add domain controllers group unless you already did (which I would assume based on your comment).  If not on a DC, then this should not be necessary and it should be a local group on the CA.
0
 
LVL 11

Author Comment

by:rharland2009
ID: 24076994
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24081550
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Make sure to check to see what certs are already issued so you can migrate them to the proper CA.  Having a CA on a DC is not good security practice and really gets in the way in a number of circumstances.

This is assuming that both were set up as root CA's and that one was not the subordinate of the other.

Let me know if there is more that I can help with...
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question