
Does my PDC need a CA?


  • Does my PDC need a CA?

    A couple of months ago, we took our CA off the network. At that time, as far as I knew, the only cert it had ever issued was used for webmail.

    After that server was shut down, I noticed event 20 on the DCs:

    The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
    I used the information in this MS KB to eliminate that message. BUT now I'm seeing another event:

    Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable.
    So it looks like my CA is still in AD (verified through AD Sites and Services). My question is this: If we're not using a CA (we've been working for a couple of months without one), can I just remove the entries from Sites and Services?

    One more piece of information that may be important: This morning, several hours after I removed the invalid certs, I got event 36872:

    No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
    I haven't looked into it yet, but I assume it is related.
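
    Before deleting anything under AD Sites and Services, it helps to see exactly what the retired CA still owns. The script below is an added example, not part of the original thread: a read-only PowerShell inventory of the CA objects left under Public Key Services, the CA certificates still trusted in NTAuthCertificates, the CA-issued certificates in the DC's machine store, and the recent KDC, AutoEnrollment and Schannel events the posts mention. It assumes it is run on a DC with the ActiveDirectory module available.

```powershell
# Added example (not from the original thread): read-only inventory of what a
# decommissioned CA leaves behind in AD and on this DC, to review before deleting
# anything under AD Sites and Services. Run on a DC with domain admin rights.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# One object per CA in each of these containers; dNSHostName on an
# Enrollment Services entry is what still points clients at the offline CA.
foreach ($c in 'Enrollment Services', 'Certification Authorities', 'AIA') {
    Write-Host "`n== CN=$c,$pkiBase"
    Get-ADObject -SearchBase "CN=$c,$pkiBase" -SearchScope OneLevel -Filter * `
        -Properties dNSHostName |
        Format-Table Name, ObjectClass, dNSHostName -AutoSize
}

# NTAuthCertificates is a single object; every CA certificate stored in it is
# trusted to issue logon certificates, so a retired CA should not remain here.
$ntAuth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
Write-Host "`n== NTAuthCertificates"
foreach ($raw in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    '{0}  (expires {1:yyyy-MM-dd})' -f $cert.Subject, $cert.NotAfter
}

# Certificates in the DC's machine store issued by some CA (i.e. not
# self-signed); a Domain Controller certificate from the retired CA is what
# the KDC event 20 and the Schannel event 36872 are about.
Write-Host "`n== LocalMachine\My certificates issued by a CA"
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -ne $_.Subject } |
    Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

# Recent events from the three components the thread mentions.
Write-Host "`n== Related events (last 7 days)"
$providers = 'Microsoft-Windows-Kerberos-Key-Distribution-Center',
             'Microsoft-Windows-CertificateServicesClient-AutoEnrollment',
             'Schannel'
Get-WinEvent -FilterHashtable @{ LogName      = 'System', 'Application'
                                 ProviderName = $providers
                                 StartTime    = (Get-Date).AddDays(-7) } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(20, 36872) -or $_.Message -like '*0x800706ba*' } |
    Format-Table TimeCreated, Id, ProviderName -AutoSize
```

If the Enrollment Services and NTAuthCertificates output is empty and no CA-issued certificates remain in the machine store, the autoenrollment attempts and the Schannel warning have nothing left to reference; if the CA still appears in NTAuthCertificates, that trust entry is worth reviewing alongside the Sites and Services objects.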


  • #2
    Re: Does my PDC need a CA?

    No, DCs don't require a CA.