Solved

2008 R2 Kerberos error 29

Posted on 2014-10-22
Last Modified: 2014-10-28
I have been getting the following error every 10 hours on our Domain server:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Error 29

Is this something I should try to fix, or is it something I should ignore?
Question by:ArchitectChuck
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40398666
Microsoft indicates this to be an error with the DC certificate:

    On the domain controller in which the issue is occurring, click Start, and then click Run.
    Type mmc.exe, and then press ENTER.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    Click File, and then click Add/Remove Snap-in.
    Click Certificates, and then click Add.
    Click Computer account, click Next, and then click Finish.
    Click OK to open the Certificates snap-in.
    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.


More information:
http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx
 

Author Comment

by:ArchitectChuck
ID: 40399272
Thanks for your help.

I have four certificates at that location.  Two are for specific applications which I will leave.

There are two that are server specific.

One is "<server name> - SERVER" issued by "<server name> - ROOT"

The other is "<server name>.<domain name>"   issued by "<server name>.<domain name>"

Both are good until early in 2015.

Should I delete one or both?
 
LVL 37

Accepted Solution

by:
Mahesh earned 250 total points
ID: 40402924
I don't know why application-specific certificates are installed on the domain controller.

According to my understanding, if you don't have an internal certificate authority in place, you can just ignore this warning event.

If you already have an enterprise AD-integrated CA installed, you can simply delete all certificates on the domain controller; the CA should auto-enroll a new certificate automatically on the domain controller through the domain controller certificate template whenever the server gets rebooted.
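
Before deleting anything from the computer's Personal store as discussed in the answers above, it helps to see which certificate is which. The following is an added example, not part of any poster's answer: a read-only PowerShell inventory of `Cert:\LocalMachine\My` plus the most recent KDC event 29 entries. The function name `Get-ComputerCertInventory` is hypothetical; the script assumes an elevated session on the domain controller and is written to work on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: read-only inventory, changes nothing on the server.
# EKU OIDs worth surfacing on a domain controller (friendly names for readability).
$ekuNames = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
# Extensions that carry the certificate template (v1 name, v2 information).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-ComputerCertInventory {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekus = @()
        $template = ''
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($ekuNames.ContainsKey($oid.Value)) { $ekus += $ekuNames[$oid.Value] }
                    else { $ekus += $oid.Value }   # unknown EKU: show the raw OID
                }
            } elseif ($templateOids -contains $ext.Oid.Value) {
                $template = $ext.Format($false)    # decoded template name/info
            }
        }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            DaysLeft   = ($cert.NotAfter - (Get-Date)).Days
            Template   = $template
            EKU        = ($ekus -join ', ')
            Thumbprint = $cert.Thumbprint
        }
    } | Select-Object Subject, Issuer, SelfSigned, NotAfter, DaysLeft, Template, EKU, Thumbprint
}

Get-ComputerCertInventory | Format-List

# Most recent occurrences of the event from the question (System log, event ID 29).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 29
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The SelfSigned and Template columns help tell a CA-issued domain controller certificate apart from self-signed application certificates, such as the one Exchange creates for itself.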
LVL 29

Assisted Solution

by:becraig
becraig earned 250 total points
ID: 40402944
Late in responding, but Mahesh has the right idea. Alternatively, as the instructions I posted above indicate:
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
From the link:

http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

However, if there is no actual certificate-based Kerberos auth in your AD, this is a non-issue.
 

Author Closing Comment

by:ArchitectChuck
ID: 40408687
Thanks for your help.  I deleted both certificates and the Server did create a new certificate.

However, it did create a problem with Exchange, which is on that server.  I have posted a new issue regarding Kerbauth.dll.  Exchange best practices says that it is not installed properly, but its installation was never changed.  I checked IIS and everything appears to be correctly installed.

Per the links, I did try to create a new certificate.  I was told I did not have permissions, even though the user I was logged in as is a member of the Domain Admins group.  I do not know why I could not create a certificate, other than the server told me I was not authorized.  

Unfortunately you try to fix one thing, and often create another problem.

Thanks for your help.
 
LVL 37

Expert Comment

by:Mahesh
ID: 40408992
I was not aware that Exchange is also installed on the domain controller.
Please go to the Exchange Management Console and see if there is a self-signed certificate under Server Configuration. I guess that certificate got deleted, because by default Exchange creates a self-signed certificate for its own purposes.
You can generate a new Exchange self-signed certificate from the Exchange Management Shell (assuming Exchange 2007 \ 2010).
From EMS, run the command below:
New-ExchangeCertificate
This will generate the default Exchange certificate; ensure that the SMTP service is assigned to this certificate.