Do I need a new KDC Certificate ?


  • Do I need a new KDC Certificate ?

    Hi everyone

    I have not done a reboot since I ran "certutil -dcinfo deletebad" to try to get rid of a KDC 20 warning and did not check if I already had a KDC certificate before doing so.

    Now when I run "certutil -dcinfo" it is reported that I have no KDC certificate installed.

    Does anyone know why I need a KDC cert and what will happen when I next reboot? Will something stop working with a KDC cert being present ?

    It's an SBS 2003 Std installation, single NIC. Everything is working fine with no new warnings or errors apart from the KDC 20 error which is still coming up.

    Thanks.
    David

  • #2
    Re: Do I need a new KDC Certificate ?

    In my approaching 10 years' experience with SBS, I have never run or needed to run "certutil -dcinfo deletebad". What condition was causing this? What are the full error messages?
    TIA

    Steven Teiger [SBS-MVP(2003-2009)]
    http://www.wintra.co.il/
    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

    We don't stop playing because we grow old, we grow old because we stop playing.


    • #3
      Re: Do I need a new KDC Certificate ?

      Dear Steven

      Thank you for your reply.

      I am handing over some day to day management of our server and wanted the Event Logs to be as clean as possible. Every 10 hours in the System log there is a Warning KDC 20 with text :

      "The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data."

      I have followed the thread at

      http://www.eventid.net/display.asp?e...ce=KDC&phase=1

      I ran the certutil -dcinfo deletebad command and now when I just run certutil -dcinfo there are no KDC certs listed.

      This is the main point of my post - the thread above clearly tells me to reboot after running the command but I am concerned about re-generating any required certs. Do KDC certs get created after reboot if one is not present ? Is that part of autoenrollment ?

      Many thanks

      David


      • #4
        Re: Do I need a new KDC Certificate ?

        Dear all

        I have rebooted and there are now no more KDC 20 warnings. So running the certutil -dcinfo deletebad command does help in that respect.

        Everything else appears to be working fine.

        So I am still left with the question - "Do I need a new KDC certificate ?". If anyone has any pointers, I would appreciate it.

        Thanks

        David


        • #5
          Re: Do I need a new KDC Certificate ?

          Same answer as you get over at smallbizserver.net
          TIA

          Steven Teiger [SBS-MVP(2003-2009)]
          http://www.wintra.co.il/
          I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

          We don't stop playing because we grow old, we grow old because we stop playing.
