Primary DC can not browse the internet/KDC20 Event

Hi

Apologies for lumping this in one thread, but both issues are interlinked.

This is a tricky one.  

A few months ago we promoted a new Domain Controller, with the view of it taking over as the PDC.  The DC promo was successful, however another admin switched off the previous PDC and removed it from the network without dcpromo'ing it first (he did it over the weekend, when I was away).  

I've been left clearing up the domain.  I've managed to get rid of most of the event errors, some of which related to the GC and other DNS related issues, but I can not figure out these last two items.

Firstly, I can not browse the internet on the DC.  I have set other servers and workstations to use this DC as the DNS server and they can all browse the web without issue.  I can even ping websites.  However on the DC itself I can not browse via either IE or Firefox.

Secondly I have the following error:
Source: KDC Event ID 20

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

I have searched for solutions and even seen a few threads on Experts Exchange for KDC.  However, none of them seem to resolve my issue.  I believe the problem is caused by the fact that the previous certificate was registered with the old PDC.

Any help would be most appreciated.

Oh, and the PDC is Server 2003 (all three DCs on the network are Server 2003).

Regards
XpertaAsked:
g000seCommented:
Hi,

Take a look at this link to address your event id 20-  http://www.eventid.net/display.asp?eventid=20&eventno=3396&source=KDC&phase=1
0
g000seCommented:
On the DC that cannot browse the internet, is the TCP/IP DNS IP address pointing to another DNS DC server?  If not, you will need to point it there.
0
XpertaAuthor Commented:
I've read that your Primary DNS server should point to itself.

I have pointed it to the other DNS DC and I get the same issue.

Any other ideas?

I will look through the KDC stuff, btw.
0
g000seCommented:
What happens if you put the ip address of google.com (Ping google.com from command line to get the IP address) in the IE browser?  Does the page display Google?
0
XpertaAuthor Commented:
Nope.

I can ping www.google.co.uk from the PDC via cmd and get a 19ms response.  However, when I enter the IP into the browser I get nothing.

First I thought it may be IE, but the fact it doesn't work in Firefox makes it strange.
0
g000seCommented:
What other services are you running on the PDC?  WINS?
0
g000seCommented:
Are you running a proxy server?
0
XpertaAuthor Commented:
No WINS.

As for roles, it's a bit of a one stop shop (not my choice).  It's a file server, print server, PDC, DHCP, DNS, IIS and Certificate Authority.

Personally I wanted to split all these roles, but I was overruled.
0
XpertaAuthor Commented:
No Proxy.
0
g000seCommented:
Check out this link-  http://support.microsoft.com/kb/811259/

"How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista"

"When you start Internet Explorer, you may receive the following error message:
The page cannot be displayed "

0
XpertaAuthor Commented:

Okay so I ran netdiag /test:winsock and it passed on everything.
0
g000seCommented:
Do you have any other entries in the event log pointing to this issue?

Do you have another application (ie- OWA, Access Point, Printer, etc - web interface) that you can access from your PDC through IE as a test to see if it displays?
0
XpertaAuthor Commented:
I have a CDP and a Virtual Office system, which both have browser based admin pages.  I can access both of these via the PDC browser (through IP address).
0
XpertaAuthor Commented:
It also works using the DNS records for these devices.
0
g000seCommented:
If you haven't, you may want to consider running an antivirus/malware scan on your PDC.
0
XpertaAuthor Commented:
Good idea.  I'll do that now.
0
XpertaAuthor Commented:
Completed several AV scans and only found a few dodgy cookies.  Removed them and reset IE, but still no joy.
0
g000seCommented:
What is the error message you get when trying to access a webpage, i.e. www.google.com?
0
g000seCommented:
Is your firewall disabled on your PDC?
0
g000seCommented:
Correction- Windows Firewall disabled on your PDC?
0
g000seCommented:
Also try installing Google Chrome Browser and see if you can get out on the internet.

Which program did you use to scan for malware/spyware on your PDC?  Spybot?
0
XpertaAuthor Commented:
I get "Page cannot be displayed".
I'll try Google Chrome.
The Windows Firewall is off and disabled.
I used the McAfee client already installed and SuperAntiSpyware.
0
g000seCommented:
I am thinking you may need to reset your TCP/IP stack on the PDC.
0
XpertaAuthor Commented:
How do I do that?
0
XpertaAuthor Commented:
I figured out how to reset the TCP/IP stack.  It does say I need to complete a reboot, which, as it is the PDC and file server, cannot be done during office hours.  

I'm scheduling a mass reboot of servers over the Easter weekend, so I'll do it then.

I assume that the tcp/ip reset will not complete until the server is rebooted?

I seem to have resolved the KDC issue.  It seems it was to do with the certificate on the old server (which the new server was pointing to and could not see because it does not exist any more).  
I configured the PDC as a Certificate authority, then deleted the previous certificate and created a new one.  Not had the error message back since.

Only one more thing to resolve.  

Whilst I am waiting to reboot this server, can anyone think of anything else that may be preventing this server from browsing the internet?
0
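An added diagnostic for the KDC Event 20 case described above (it is not from the thread or from Microsoft), run from a cmd prompt on the DC: it lists the computer's Personal-store certificates so a DC certificate chaining to the decommissioned CA can be spotted, then uses certutil's DCInfo verb to verify the DC certificates. The DOMAIN and OUT values are placeholders.

```batch
@echo off
rem Added example (not from the thread). Assumes Server 2003 certutil.exe
rem with the -store and -dcinfo verbs; DOMAIN and OUT are placeholders.
set DOMAIN=example.local
set OUT=%SystemRoot%\kdc-cert-check.txt

rem 1. List every certificate in the computer's Personal store with its
rem    issuer. A DC certificate issued by the removed CA is the stale one
rem    that the KDC keeps selecting and reporting in Event 20.
echo === Computer Personal store === > "%OUT%"
certutil -store My >> "%OUT%"

rem 2. Verify the domain controller certificates and their chains. A chain
rem    that ends at the old, no longer reachable CA shows a status error,
rem    which is the "chain status" the event refers to.
echo === DC certificate verification === >> "%OUT%"
certutil -dcinfo %DOMAIN% Verify >> "%OUT%"

rem 3. Review the output before deleting anything. Once the new CA has
rem    issued a replacement, the stale certificate can be removed with
rem       certutil -dcinfo %DOMAIN% DeleteBad
rem    or by hand in the Certificates MMC snap-in, as was done above.
echo Results written to "%OUT%"
```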
g000seCommented:
Yes, you will need to reboot, but then you will need to manually enter your TCP/IP address information.  The reset will clear your TCP/IP address info.

http://support.microsoft.com/kb/317518

0
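Because the reset discards static addressing, as the reply above notes, here is an added script (not from the thread or from KB317518) that snapshots the current interface configuration before running the Server 2003 reset commands, so the DC's address and DNS settings can be reapplied after the reboot. The file names are constructed placeholders, and netsh winsock reset is assumed to be available (Server 2003 SP1 or later).

```batch
@echo off
rem Added example (not from the thread). Run as an administrator from cmd
rem on the DC, after hours, before the reboot. File names are placeholders.
set SNAP=%SystemRoot%\ipconfig-before-reset.txt
set DUMP=%SystemRoot%\netsh-ip-before-reset.txt
set LOG=%SystemRoot%\tcpip-resetlog.txt

rem 1. Record the static IP, mask, gateway and DNS server list that the
rem    reset will discard. "netsh interface ip dump" writes a script that
rem    netsh can replay, which matters on a DC where DNS entries are static.
ipconfig /all > "%SNAP%"
netsh interface ip dump > "%DUMP%"

rem 2. Reset the TCP/IP stack (KB317518) and the Winsock catalog
rem    (KB811259, Server 2003 SP1 or later).
netsh interface ip reset "%LOG%"
netsh winsock reset

echo TCP/IP and Winsock have been reset. A reboot is required.
echo After the reboot, reapply the saved addressing with:
echo   netsh -f "%DUMP%"
echo then compare "ipconfig /all" against "%SNAP%".
```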

XpertaAuthor Commented:
Ah, so it clears everything, including the IP address?
0
g000seCommented:
Yes.
0
g000seCommented:
If you are considering running a reset, do it after hours.
0
XpertaAuthor Commented:
Okay so the TCP/IP reset worked like a dream, although it did require 2 reboots.

Thanks for your help.
0
g000seCommented:
I am glad to help.  Take care.
0