Solved

Kerberos Key Distribution Center Hung On Starting - and a certificate error

Posted on 2009-03-31
4
1,248 Views
Last Modified: 2012-05-06
Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
0
Comment
Question by:rharland2009
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24032979
try this:
certutil -dcinfo deletebad
(attempt to validate all the DC certificates issued to the domain controllers. Certificates that fail to validate will be removed)
certutil -pulse
(will refresh the CA advertisements to AD)
on the DC:
gpupdate /force


You can also set up PKI Health Tool (pkiview.msc) from the 2003 support tools kit.  See if everything checks out there.

Just to verify with the certsrv_dcom_access - is the CA installed on a DC or on a dedicated (or at least non-DC) box?  If on a DC, then that group should be in AD and should contain domain users, domain computers, and domain controllers - you may need to add domain controllers group unless you already did (which I would assume based on your comment).  If not on a DC, then this should not be necessary and it should be a local group on the CA.
0
 
LVL 11

Author Comment

by:rharland2009
ID: 24076994
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24081550
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Make sure to check to see what certs are already issued so you can migrate them to the proper CA.  Having a CA on a DC is not good security practice and really gets in the way in a number of circumstances.

This is assuming that both were set up as root CA's and that one was not the subordinate of the other.

Let me know if there is more that I can help with...
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
inactive users 13 77
Backup DHCP Server 8 104
Exchange 2003 converted to VM but now email does not work 5 67
ESEUTIL Stopped Working Need a new copy for 2003 Exchange. 11 54
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question