Solved

2008 R2 Kerberos error 29

Posted on 2014-10-22
Last Modified: 2014-10-28
I have been getting the following error every 10 hours on our Domain server:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Error 29

Is this something I should try to fix, or is it something I should ignore?
Question by:ArchitectChuck
LVL 28

Expert Comment

by:becraig
Microsoft indicates this to be an error with the DC certificate:

    On the domain controller in which the issue is occurring, click Start, and then click Run.
    Type mmc.exe, and then press ENTER.
    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    Click File, and then click Add/Remove Snap-in.
    Click Certificates, and then click Add.
    Click Computer account, click Next, and then click Finish.
    Click OK to open the Certificates snap-in.
    Expand Certificates (Local computer), expand Personal, and then click Certificates.
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.


More information:
http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

Author Comment

by:ArchitectChuck
Thanks for your help.

I have four certificates at that location.  Two are for specific applications which I will leave.

There are two that are server specific.

One is "<server name> - SERVER" issued by "<server name> - ROOT"

The other is "<server name>.<domain name>"   issued by "<server name>.<domain name>"

Both are good until early in 2015.

Should I delete one or both?
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 250 total points
I don't know why application-specific certificates are installed on a domain controller.

According to my understanding, if you don't have an internal certificate authority in place, you can just ignore this warning event.

If you already have an enterprise AD-integrated CA installed, you can simply delete all certificates on the domain controller; the CA should auto-enroll a new certificate on the domain controller through the domain controller certificate template whenever the server gets rebooted.
LVL 28

Assisted Solution

by:becraig
becraig earned 250 total points
Late in responding, but Mahesh has the right idea. Alternatively, as the instructions I posted above indicate:

    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.

From the link:

http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

However, if there is no actual certificate-based Kerberos auth in your AD, this is a non-issue.

Author Closing Comment

by:ArchitectChuck
Thanks for your help.  I deleted both certificates and the Server did create a new certificate.

However, it did create a problem with Exchange which is on that server. I have posted a new issue regarding Kerbath.dll. Exchange best practices says that it is not installed properly, but its installation was never changed. I checked IIS and everything appears to be correctly installed.

Per the links, I did try to create a new certificate.  I was told I did not have permissions, even though the user I was logged in as is a member of the Domain Admins group.  I do not know why I could not create a certificate, other than the server told me I was not authorized.  

Unfortunately you try to fix one thing, and often create another problem.

Thanks for your help.
LVL 35

Expert Comment

by:Mahesh
I am not aware that Exchange is also installed on the domain controller.
Please go to the Exchange Management Console and see if there is a self-signed certificate under Server Configuration. I guess that certificate got deleted, because by default Exchange creates a self-signed certificate for its own purposes.
You can generate a new Exchange self-signed certificate from the Exchange Management Shell (assuming Exchange 2007 \ 2010).
From EMS, run the command below:
New-ExchangeCertificate
This will generate the default Exchange certificate; ensure that the SMTP service is assigned to this certificate.