Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1274
  • Last Modified:

Kerberos Key Distribution Center Hung On Starting - and a certificate error

Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
0
rharland2009
Asked:
rharland2009
  • 2
2 Solutions
 
ParanormasticCryptographic EngineerCommented:
try this:
certutil -dcinfo deletebad
(attempt to validate all the DC certificates issued to the domain controllers. Certificates that fail to validate will be removed)
certutil -pulse
(will refresh the CA advertisements to AD)
on the DC:
gpupdate /force


You can also set up PKI Health Tool (pkiview.msc) from the 2003 support tools kit.  See if everything checks out there.

Just to verify with the certsrv_dcom_access - is the CA installed on a DC or on a dedicated (or at least non-DC) box?  If on a DC, then that group should be in AD and should contain domain users, domain computers, and domain controllers - you may need to add domain controllers group unless you already did (which I would assume based on your comment).  If not on a DC, then this should not be necessary and it should be a local group on the CA.
0
 
rharland2009Author Commented:
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
0
 
ParanormasticCryptographic EngineerCommented:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Make sure to check to see what certs are already issued so you can migrate them to the proper CA.  Having a CA on a DC is not good security practice and really gets in the way in a number of circumstances.

This is assuming that both were set up as root CA's and that one was not the subordinate of the other.

Let me know if there is more that I can help with...
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now