2008 R2 Kerberos error 29

Posted on 2014-10-22
Last Modified: 2014-10-28
I have been getting the following error every 10 hours on our Domain server:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Error 29

Is this something I should try to fix, or is it something I should ignore?
Question by:ArchitectChuck
6 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40398666
Microsoft indicates this to be an error with the DC certificate:

 1. On the domain controller in which the issue is occurring, click Start, and then click Run.
 2. Type mmc.exe, and then press ENTER.
 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
 4. Click File, and then click Add/Remove Snap-in.
 5. Click Certificates, and then click Add.
 6. Click Computer account, click Next, and then click Finish.
 7. Click OK to open the Certificates snap-in.
 8. Expand Certificates (Local computer), expand Personal, and then click Certificates.
 9. Right-click the old domain controller certificate, and then click Delete.
10. Click Yes, confirming that you want to delete the certificate.
11. After the certificate is deleted, follow the procedure in the "Request a new certificate" section.


More information:
http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx
0
 

Author Comment

by:ArchitectChuck
ID: 40399272
Thanks for your help.

I have four certificates at that location.  Two are for specific applications which I will leave.

There are two that are server specific.

One is "<server name> - SERVER" issued by "<server name> - ROOT"

The other is "<server name>.<domain name>"   issued by "<server name>.<domain name>"

Both are good until early in 2015.

Should I delete one or both?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 40402924
I don't know why application-specific certificates are installed on a domain controller.

According to my understanding, if you don't have an internal certificate authority in place, you can just ignore this warning event.

If you already have an enterprise AD-integrated CA installed, you can simply delete all certificates on the domain controller; the CA should auto-enroll a new certificate automatically on the domain controller through the domain controller certificate template whenever the server gets rebooted.
0
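
A read-only inventory of the computer's Personal store (the location the steps above work in), listing issuer, template and enhanced key usages for each certificate so the domain controller certificate can be told apart from application or self-signed certificates before anything is deleted. This is an added example, not part of the thread or of Microsoft's procedure; the function name `Get-DcCertificateInventory` and the `DcCandidate` heuristic are assumptions of the example.

```powershell
# Added example: read-only inventory, nothing is deleted or changed.
$ekuNames = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
# Extensions that carry the certificate template (v1 name, v2 information).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Get-DcCertificateInventory {   # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @(); $template = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
            if ($templateOids -contains $ext.Oid.Value) { $template += $ext.Format($false) }
        }
        $templateText = $template -join '; '

        # Heuristic (assumption of this example): a KDC or smart card logon EKU,
        # or a template text that looks like one of the domain controller templates.
        $dcCandidate = ($ekus -contains '1.3.6.1.5.2.3.5') -or
                       ($ekus -contains '1.3.6.1.4.1.311.20.2.2') -or
                       ($templateText -match 'Domain ?Controller|Kerberos ?Authentication')

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # not re-issued by CA auto-enrollment
            Template    = $templateText
            Usages      = (($ekus | ForEach-Object {
                              if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ }
                          }) -join ', ')
            DcCandidate = $dcCandidate
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
        }
    }
}

Get-DcCertificateInventory |
    Select-Object Subject, Issuer, SelfSigned, Template, Usages, DcCandidate, NotAfter, Thumbprint |
    Format-List
```

Rows with `SelfSigned` true or an empty `Template` were not issued from a CA template, so an enterprise CA will not recreate them through auto-enrollment if they are removed.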
 
LVL 29

Assisted Solution

by:becraig
becraig earned 1000 total points
ID: 40402944
Late in responding but Mahesh has the right idea, alternatively as the instructions I posted above indicate:
    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
From the link

http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

However, if there is no actual certificate-based Kerberos auth in your AD, this is a non-issue.
0
 

Author Closing Comment

by:ArchitectChuck
ID: 40408687
Thanks for your help.  I deleted both certificates and the Server did create a new certificate.

However, it did create a problem with Exchange which is on that server.  I have posted a new issue regarding Kerbath.dll.  Exchange best practices says that it is not installed properly, but its installation was never changed.  I checked IIS and everything appears to be correctly installed.

Per the links, I did try to create a new certificate.  I was told I did not have permissions, even though the user I was logged in as is a member of the Domain Admins group.  I do not know why I could not create a certificate, other than the server told me I was not authorized.  

Unfortunately you try to fix one thing, and often create another problem.

Thanks for your help.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40408992
I am not aware that Exchange is also installed on the domain controller.
Please go to the Exchange Management Console and see if there is a self-signed certificate under server configuration. I guess that certificate got deleted, because by default Exchange creates a self-signed certificate for its own purposes.
You can generate a new Exchange self-signed certificate from the Exchange Management Shell (assuming Exchange 2007 \ 2010).
From EMS, run the command below:
New-ExchangeCertificate
This will generate the default Exchange certificate; ensure that the SMTP service is assigned to this certificate.
0
