?
Solved

Win2k3 DC - Server: Missing X.509 DomainController certificate / Event 1383 - ??

Posted on 2009-04-03
2
Medium Priority
?
940 Views
Last Modified: 2012-05-06

Dear all

i dont know how- but somehow our Win2k3 SP2 domaincontroller x.509 certificate is missing since a few days. it seems that it started when we try'd to renew an expired CA2 cert - but I not sure about it. The new CA2 cert was installed ok and is valid however.

Since then i got under the "directory service" event log viewer this:

>>> Error -- Event ID: 1383 / Category: Replication <<<
The local domain controller has no DomainController X.509 certificate.
Until this certificate is added, Active Directory replication between the local domain controller and domain controllers in all other sites will fail.
User Action: Add this certificate to the local domain controller.


We are connected to some other sites in europe - now the replication fails with events like this:

>>> Internal event: Active Directory could not send the following directory partition changes to the domain controller at the following network address.

Directory partition: DC=de,DC=le1dcch  ::  Network address: _IsmService@10bb579c-1b03-87ea-1621-6ea3321abd3c._msdcs.le1dcch
 
Additional Data: Error value:   6000 The specified file could not be encrypted.



I have absolutely no clue about certs.... can someone help me out how to get this x.509 DC cert back to our server?

I heard that this cert will automatically installed if an DC joins an (Enterprise) Domain. True?

thank you!

0
Comment
Question by:digifineEFX
2 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 24061083
Normally yes, but if you are suggesting to demote/promote  taht might not work here.

On the CA try running:
certutil -pulse
Then on the DC run:
gpupdate /force

Is CA2 a second root CA or a subordinate under a common company root?  If it is a root CA you may need to import that in the trusted root CA store / distribute it via GPO.

The cert was just reissued / renewed, correct?  The CA wasn't reinstalled, maintenance or anything like that?

Other things you can try:
From CA run:
certutil -dcinfo -removebad
certutil -dsPublish
certutil -pulse
0
 

Author Comment

by:digifineEFX
ID: 24075611
Hi Paranormastic,   thanks so far for the answer!   i will check and will come back.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
How can you see what you are working on when you want to see it while you to save a copy? Add a "Save As" icon to the Quick Access Toolbar, or QAT. That way, when you save a copy of a query, form, report, or other object you are modifying, you…
SQL Database Recovery Software repairs the MDF & NDF Files, corrupted due to hardware related issues or software related errors. Provides preview of recovered database objects and allows saving in either MSSQL, CSV, HTML or XLS format. Ensures recov…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question