Solved

Win2k3 DC - Server: Missing X.509 DomainController certificate / Event 1383 - ??

Posted on 2009-04-03
2
931 Views
Last Modified: 2012-05-06

Dear all

i dont know how- but somehow our Win2k3 SP2 domaincontroller x.509 certificate is missing since a few days. it seems that it started when we try'd to renew an expired CA2 cert - but I not sure about it. The new CA2 cert was installed ok and is valid however.

Since then i got under the "directory service" event log viewer this:

>>> Error -- Event ID: 1383 / Category: Replication <<<
The local domain controller has no DomainController X.509 certificate.
Until this certificate is added, Active Directory replication between the local domain controller and domain controllers in all other sites will fail.
User Action: Add this certificate to the local domain controller.


We are connected to some other sites in europe - now the replication fails with events like this:

>>> Internal event: Active Directory could not send the following directory partition changes to the domain controller at the following network address.

Directory partition: DC=de,DC=le1dcch  ::  Network address: _IsmService@10bb579c-1b03-87ea-1621-6ea3321abd3c._msdcs.le1dcch
 
Additional Data: Error value:   6000 The specified file could not be encrypted.



I have absolutely no clue about certs.... can someone help me out how to get this x.509 DC cert back to our server?

I heard that this cert will automatically installed if an DC joins an (Enterprise) Domain. True?

thank you!

0
Comment
Question by:digifineEFX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24061083
Normally yes, but if you are suggesting to demote/promote  taht might not work here.

On the CA try running:
certutil -pulse
Then on the DC run:
gpupdate /force

Is CA2 a second root CA or a subordinate under a common company root?  If it is a root CA you may need to import that in the trusted root CA store / distribute it via GPO.

The cert was just reissued / renewed, correct?  The CA wasn't reinstalled, maintenance or anything like that?

Other things you can try:
From CA run:
certutil -dcinfo -removebad
certutil -dsPublish
certutil -pulse
0
 

Author Comment

by:digifineEFX
ID: 24075611
Hi Paranormastic,   thanks so far for the answer!   i will check and will come back.
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question