Solved

Win2k3 DC - Server: Missing X.509 DomainController certificate / Event 1383 - ??

Posted on 2009-04-03
2
933 Views
Last Modified: 2012-05-06

Dear all

i dont know how- but somehow our Win2k3 SP2 domaincontroller x.509 certificate is missing since a few days. it seems that it started when we try'd to renew an expired CA2 cert - but I not sure about it. The new CA2 cert was installed ok and is valid however.

Since then i got under the "directory service" event log viewer this:

>>> Error -- Event ID: 1383 / Category: Replication <<<
The local domain controller has no DomainController X.509 certificate.
Until this certificate is added, Active Directory replication between the local domain controller and domain controllers in all other sites will fail.
User Action: Add this certificate to the local domain controller.


We are connected to some other sites in europe - now the replication fails with events like this:

>>> Internal event: Active Directory could not send the following directory partition changes to the domain controller at the following network address.

Directory partition: DC=de,DC=le1dcch  ::  Network address: _IsmService@10bb579c-1b03-87ea-1621-6ea3321abd3c._msdcs.le1dcch
 
Additional Data: Error value:   6000 The specified file could not be encrypted.



I have absolutely no clue about certs.... can someone help me out how to get this x.509 DC cert back to our server?

I heard that this cert will automatically installed if an DC joins an (Enterprise) Domain. True?

thank you!

0
Comment
Question by:digifineEFX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24061083
Normally yes, but if you are suggesting to demote/promote  taht might not work here.

On the CA try running:
certutil -pulse
Then on the DC run:
gpupdate /force

Is CA2 a second root CA or a subordinate under a common company root?  If it is a root CA you may need to import that in the trusted root CA store / distribute it via GPO.

The cert was just reissued / renewed, correct?  The CA wasn't reinstalled, maintenance or anything like that?

Other things you can try:
From CA run:
certutil -dcinfo -removebad
certutil -dsPublish
certutil -pulse
0
 

Author Comment

by:digifineEFX
ID: 24075611
Hi Paranormastic,   thanks so far for the answer!   i will check and will come back.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question