Renew Domain Controller Certificate?

Diffy72 used Ask the Experts™

My knowledge of Certificates is basic to say the least. I would be grateful if someone can help with the following..

I have noted in the system event logs the following message which appears on all 3 W2k3 DC's:

Event ID 20:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.

On further inspection in the Certification Authentication/Issued Certificates I have noted that the 3 Domain Controller Certificates have now expired. The  events have been appearing randomly for the last 2 days but should they not auto-enrol - if not what is the best way to renew?

Also a few minutes after the above event the following is posted in the application log:

Failed extract of third-party root list from auto update cab at: <> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Thanks in advanced.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Is the Certificate Authority who originally provided the DC certificates still online and is it still the CA?  If not, do you have a CA online?  


Hey thanks for the response! I'm not entirely sure to both questions as I have only recently taken ownership of the systems and there is no documentation. When I look at the properties of the local CA server there is only one certificate issued by the DC in question and this has expired.

How can I check for a CA online? Sorry for al the questions here.
ParanormasticCryptographic Engineer

Open certsrv.msc  (Certification Authority MMC) - since you presumably don't have the CA running on your workstation then you will get an error - that's ok.  Browse to connect to another machine and you should see the list of enterprise CA servers there - there will be 2 names - the CAName (the name of the CA instance) and the FQDN of the host box.

Often the DC related certs are issued via autoenrollment 6 weeks ahead of expiration.  DC's do not start using the new cert and will use the older cached cert until they are rebooted.  Sometimes you need to give them a hand by clearing out the old cert and requesting a new cert via autoenrollment:
certutil -dcinfo deletebad
certutil -pulse
reboot  (remember to stagger your DC reboots so your users can still log in!)

If that doesn't do it, then connect to the CA using certsrv.msc described above and you can look at the Certificate Templates folder - this is the list of cert templates that are assigned to that CA.  If the appropriate template(s) are not there then right click the folder - all tasks - issue template - select template.  It can take 10-15 minutes to show up you need to wait for AD to replicate.

For 2003 CA or 2003 AD forest level (check domains and trusts) you should have domain controller authentication as a minimum and commonly directory email replication.  The domain controller template is superseded by the DC authentication template, so its fine if that is not there or if it is.

For 2008 CA in 2008 AD you will have a kerberos authentication cert that is common to have on a  DC.

There are a lot more templates stored in AD (certtmpl.msc Certificate Templates MMC) to view those, modify, assign permissions, etc.


Hey Paranormastic

Thanks for taking the time to give me this excellent response - much appreciated. In the meantime I actioned the following which seems to work but would welcome your thoughts:

1. Backed up the CA.
2. Ran certsrv.msc from the DC that issues and right-clicked the server name and selected issue Renew CA Certificate.
3. On doing so the old (Expired) Certificate (Certificate0) was still present in the CA Server/Properties/General tab but a new Certificate1 was added.
4. Minutes later a subsequent KDC Event ID 20 error was reported by the CA/DC server BUT this was immediately followed with an Autoenrolment event in the app log:

Automatic certificate enrollment for local system successfully received one Domain Controller certificate from certificate authority SERVER-NAME on server fqdn.

5. After this the templates section in certsrv.msc showed a new Domain Controller template issued with a validity period of 1 year. This was the same scenario for the other DC; on request for a new template also.
6. Rebooted the DC's and no further errors reported..

Cryptographic Engineer
Certificate0 should remain listed on the CA.  It should also stay in AD as a trusted root if you had previously issued certs under it.

There will be a little bit of kicking around for the first one as each box updates itself from the AIA, especially since the old one will be cached, but it should work itself out.  This is expected.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial