Solved

2008 R2 Kerberos error 29

Posted on 2014-10-22
Last Modified: 2014-10-28
I have been getting the following error every 10 hours on our Domain server:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Error 29

Is this something I should try to fix, or is it something I should ignore?
0
Question by:ArchitectChuck
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40398666
Microsoft indicates this to be an error with the DC certificate:

    On the domain controller in which the issue is occurring, click Start, and then click Run.
    Type mmc.exe, and then press ENTER.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    Click File, and then click Add/Remove Snap-in.
    Click Certificates, and then click Add.
    Click Computer account, click Next, and then click Finish.
    Click OK to open the Certificates snap-in.
    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.


More information:
http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx
0
 

Author Comment

by:ArchitectChuck
ID: 40399272
Thanks for your help.

I have four certificates at that location.  Two are for specific applications which I will leave.

There are two that are server specific.

One is "<server name> - SERVER" issued by "<server name> - ROOT"

The other is "<server name>.<domain name>"   issued by "<server name>.<domain name>"

Both are good until early in 2015.

Should I delete one or both?
0
 
LVL 39

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 40402924
I don't know why application-specific certificates are installed on the domain controller.

According to my understanding, if you don't have an internal certificate authority in place, you can just ignore this warning event.

If you already have an enterprise AD-integrated CA installed, you can simply delete all certificates on the domain controller; the CA should auto-enroll a new certificate automatically on the domain controller through the domain controller certificate template whenever the server gets rebooted.
0

 
LVL 29

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 40402944
Late in responding, but Mahesh has the right idea. Alternatively, as the instructions I posted above indicate:
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
From the link

http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

However, if there is no actual certificate-based Kerberos auth in your AD, this is a non-issue.
0
 

Author Closing Comment

by:ArchitectChuck
ID: 40408687
Thanks for your help.  I deleted both certificates and the Server did create a new certificate.

However, it did create a problem with Exchange which is on that server.  I have posted a new issue regarding Kerbauth.dll.  Exchange best practices says that it is not installed properly, but its installation was never changed.  I checked IIS and everything appears to be correctly installed.

Per the links, I did try to create a new certificate.  I was told I did not have permissions, even though the user I was logged in as is a member of the Domain Admins group.  I do not know why I could not create a certificate, other than the server told me I was not authorized.  

Unfortunately you try to fix one thing, and often create another problem.

Thanks for your help.
0
 
LVL 39

Expert Comment

by:Mahesh
ID: 40408992
I am not aware that Exchange is also installed on the domain controller.
Please go to the Exchange Management Console and see if there is a self-signed certificate under Server Configuration. I guess that certificate got deleted, because by default Exchange creates a self-signed certificate for its own purposes.
You can generate a new Exchange self-signed certificate from the Exchange Management Shell (assuming Exchange 2007 \ 2010).
From EMS, run the command below:
New-ExchangeCertificate
This will generate the default Exchange certificate; ensure that the SMTP service is assigned to this certificate.
0
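Added example, not part of any post in this thread: a read-only PowerShell inventory of the domain controller's computer Personal store, so that each certificate's issuer, template, usages and expiry are known before anything is deleted, followed by the most recent KDC Event 29 entries. The column names and the OID-to-name table are choices made for this example; it assumes an elevated session on the domain controller and changes nothing.

```powershell
# Added example: read-only, deletes nothing. Run elevated on the domain controller.
# Friendly names for the EKU OIDs relevant to domain controller certificates.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
# Certificate template name (v1) and template information (v2) extensions.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Translate each EKU OID to a name; unknown OIDs are shown as-is.
    $eku = $cert.Extensions |
        Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object {
            if ($ekuNames.ContainsKey($_.Value)) { $ekuNames[$_.Value] } else { $_.Value }
        }
    # Template extension is present only on certificates issued by an enterprise CA.
    $template = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        # Subject equal to Issuer means self-signed: no CA issued it, so
        # autoenrollment will not replace it if it is deleted.
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        Template      = ($template -join '; ')
        Usages        = ($eku -join ', ')
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey
        Thumbprint    = $cert.Thumbprint
    }
} | Select-Object Subject, Issuer, SelfSigned, Template, Usages,
                  NotAfter, Expired, HasPrivateKey, Thumbprint | Format-List

# Most recent Event 29 entries from the KDC provider in the System log.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 29
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

A certificate with an empty Template column and SelfSigned set to True was not issued from a CA template, which is the kind of certificate the last comment above suspects Exchange had created for itself.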


Question has a verified solution.
