KDC Question

Discussion in 'Server Security' started by Kevin Gallagher, Jun 12, 2009.

  1. I am getting the following warning on one of my Windows 2003 Active Directory
    Domain controllers. Is there a problem with my PKI and if so
    what should I do?

    "The currently selected KDC certificate was once valid, but now is invalid
    and no suitable replacement was found. Smartcard logon may not function
    correctly if this problem is not remedied. Have the system administrator
    check on the state of the domain's public key infrastructure."
    Kevin Gallagher, Jun 12, 2009

  2. Hello Kevin,

    Are you talking about event ID 20? Is the CA removed from the domain or changed
    to another one?

    certutil -dcinfo deleteBad

    to remove the offending certificates. The DCs should then get new ones the
    next time Autoenrollment runs...provided Certificate services are re-installed.

    Also check this article:

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jun 12, 2009
