2008 R2 Kerberos error 29

I have been getting the following error every 10 hours on our Domain server:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Error 29

Is this something I should try to fix, or is it something I should ignore?
ArchitectChuck Asked:

becraig Commented:
Microsoft indicates this to be an error with the DC certificate:

1. On the domain controller in which the issue is occurring, click Start, and then click Run.
2. Type mmc.exe, and then press ENTER.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Click File, and then click Add/Remove Snap-in.
5. Click Certificates, and then click Add.
6. Click Computer account, click Next, and then click Finish.
7. Click OK to open the Certificates snap-in.
8. Expand Certificates (Local computer), expand Personal, and then click Certificates.
9. Right-click the old domain controller certificate, and then click Delete.
10. Click Yes, confirming that you want to delete the certificate.
11. After the certificate is deleted, follow the procedure in the "Request a new certificate" section.


More information:
http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx
ArchitectChuck (Author) Commented:
Thanks for your help.

I have four certificates at that location.  Two are for specific applications which I will leave.

There are two that are server specific.

One is "<server name> - SERVER" issued by "<server name> - ROOT"

The other is "<server name>.<domain name>"   issued by "<server name>.<domain name>"

Both are good until early in 2015.

Should I delete one or both?
Mahesh (Architect) Commented:
I don't know why application-specific certificates are installed on a domain controller.

According to my understanding, if you don't have an internal certificate authority in place, you can just ignore this warning event.

If you already have an enterprise AD-integrated CA installed, you can simply delete all certificates on the domain controller; the CA should auto-enroll a new certificate on the domain controller through the domain controller certificate template whenever the server gets rebooted.


becraig Commented:
Late in responding, but Mahesh has the right idea. Alternatively, as the instructions I posted above indicate:

    Right-click the old domain controller certificate, and then click Delete.
    Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.

From the link:

http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx

However, if there is no actual certificate-based Kerberos auth in your AD, this is a non-issue.
ArchitectChuck (Author) Commented:
Thanks for your help.  I deleted both certificates and the Server did create a new certificate.

However, it did create a problem with Exchange, which is on that server.  I have posted a new issue regarding Kerbauth.dll.  Exchange best practices says that it is not installed properly, but its installation was never changed.  I checked IIS and everything appears to be correctly installed.

Per the links, I did try to create a new certificate.  I was told I did not have permissions, even though the user I was logged in as is a member of the Domain Admins group.  I do not know why I could not create a certificate, other than the server told me I was not authorized.  

Unfortunately you try to fix one thing, and often create another problem.

Thanks for your help.
Mahesh (Architect) Commented:
I was not aware that Exchange is also installed on the domain controller.
Please go to the Exchange Management Console and see if there is a self-signed certificate under Server Configuration. I guess that certificate got deleted, because by default Exchange creates a self-signed certificate for its own purposes.
You can generate a new Exchange self-signed certificate from the Exchange Management Shell (assuming Exchange 2007 / 2010).
From EMS, run the command below:

    New-ExchangeCertificate

This will generate the default Exchange certificate; ensure that the SMTP service is assigned to this certificate.
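
The thread shows why the Personal store should be inventoried before anything is deleted from it: one of the two "server" certificates belonged to Exchange. The following read-only PowerShell sketch is an added example, not part of the original thread or of Microsoft's procedure; the function name and output property names are hypothetical, and the EKU OIDs are the standard values for the usages named in the comments.

```powershell
# Added example: read-only inventory of the local computer's Personal store.
# Nothing is deleted or modified.

# Standard EKU OIDs commonly present on domain controller certificates.
# Server/Client Authentication also appear on other certificates (for
# example an Exchange self-signed one), so treat them as hints only.
$knownEku = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
}
# Certificate template extensions: v1 template name, v2 template information.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-PersonalStoreInventory {   # hypothetical helper name
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @()
        $template = ''
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            elseif ($templateOids -contains $ext.Oid.Value) {
                $template = $ext.Format($false)
            }
        }
        $named = @($ekus | Where-Object { $knownEku.ContainsKey($_) } |
                   ForEach-Object { $knownEku[$_] })

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # no CA behind it
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            HasKey     = $cert.HasPrivateKey
            Template   = $template                           # empty if none
            KnownEku   = ($named -join ', ')
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-PersonalStoreInventory |
    Select-Object Subject, Issuer, SelfSigned, NotAfter, Expired, HasKey, Template, KnownEku, Thumbprint |
    Format-List
```

A certificate with an empty Template whose Subject equals its Issuer was not issued from a CA template, so a CA will not re-enroll it after deletion. On a server that also runs Exchange, compare the thumbprints with the output of Get-ExchangeCertificate in the Exchange Management Shell before removing anything.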