Solved

Kerberos Key Distribution Center Hung On Starting - and a certificate error

Posted on 2009-03-31
4
1,244 Views
Last Modified: 2012-05-06
Hi there.
I'm running main and backup DCs for our domain - both boxes running 2k3 Standard w/ SP 2. When I reboot these boxes, I get long pauses during reboot and the event 7022 message that 'The Kerberos Key Distribution Center hung on starting.'. Kerberos services are running successfully on both boxes, and can be stopped and started without an issue. When I run certutil -dcinfo verify, the error I see is the following:

Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)

with the ending message being:

The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)

I've gotten fresh certificates from my local CA (which is one of the boxes in question) and all seems normal when viewing them with the Certificates snap-in, but I'm really at a loss for an appropriate next step. The CERTSVC_DCOM_ACCESS group has the appropriate membership and I'm a bit puzzled.

Any info or words of wisdom would be greatly appreciated.
thanks!
Russ
0
Comment
Question by:rharland2009
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24032979
try this:
certutil -dcinfo deletebad
(attempt to validate all the DC certificates issued to the domain controllers. Certificates that fail to validate will be removed)
certutil -pulse
(will refresh the CA advertisements to AD)
on the DC:
gpupdate /force


You can also set up PKI Health Tool (pkiview.msc) from the 2003 support tools kit.  See if everything checks out there.

Just to verify with the certsrv_dcom_access - is the CA installed on a DC or on a dedicated (or at least non-DC) box?  If on a DC, then that group should be in AD and should contain domain users, domain computers, and domain controllers - you may need to add domain controllers group unless you already did (which I would assume based on your comment).  If not on a DC, then this should not be necessary and it should be a local group on the CA.
0
 
LVL 11

Author Comment

by:rharland2009
ID: 24076994
Thanks for your reply. The plot thickens! I was checking a few things out and was about to run these commands when I noticed that there are *two* boxes set up as CAs right now on this network! One is the 'original' CA - a non-DC Windows 2000 Server box that I understood was the only CA in the building. The second CA is one of the DCs! This is a tad confusing, but I inherited this network and its foibles some time ago, and weirdness pops up from time to time.
I've never really encountered something like this. PKI Health Tool shows two old offline CAs and the present ones - with errors downloading one of the CRLs. Man, what a mess.
At this point, I'm beginning to think that I need to start over with one clean CA. Not even sure where to start. Gah!
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 500 total points
ID: 24081550
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Make sure to check to see what certs are already issued so you can migrate them to the proper CA.  Having a CA on a DC is not good security practice and really gets in the way in a number of circumstances.

This is assuming that both were set up as root CA's and that one was not the subordinate of the other.

Let me know if there is more that I can help with...
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now