Start off by removing the certs from the cert store on your DCs...

On 10/15/09, Martin Blackstone <[email protected]> wrote:
> Gone.
> It was an old 2000 DC that someone at some time well before me installed the
> certificate services on.
>
> -----Original Message-----
> From: Don Ely [mailto:[email protected]]
> Sent: Thursday, October 15, 2009 10:17 AM
> To: NT System Admin Issues
> Subject: Re: Event ID 20 - KDC
>
> Is the CA still active or is it dead and gone?
>
> On 10/15/09, Martin Blackstone <[email protected]> wrote:
>> So I'm seeing this on my DCs:
>>
>> The currently selected KDC certificate was once valid, but now is invalid
>> and no suitable replacement was found. Smartcard logon may not function
>> correctly if this problem is not remedied. Have the system administrator
>> check on the state of the domain's public key infrastructure. The chain
>> status is in the error data.
>>
>> So I saw this as a possible solution:
>>
>> A problematic CA and old data in the Active Directory PKI Container may also
>> cause this problem on a Windows 2003 domain. Use PKIview.msc from the
>> Windows 2003 Resource kit to check the status of the CA. This can occur if
>> the CA is removed from the network and a new one is added.
>>
>> 1) Install rktools, run the Microsoft Management Console, and add the
>> standalone snap-in "Enterprise PKI".
>> 2) Expand the console tree in the scope pane, click on your CA, and verify
>> that all entries report OK. If there is a problem, then this may be the
>> cause. If the ones reporting bad are http://, verify that IIS 6.0 is
>> configured properly and that anonymous access is granted to the CertEnroll
>> website.
>> 3) Next, right click "Enterprise PKI" in the scope pane and choose "Manage
>> AD Containers". Check each tab and remove any old CA information.
>> 4) Reboot your server.
>>
>> So when I look in there, under the CDP container, there is a CA called
>> Trace3 CA that is expired.
>>
>> Now what will happen if I delete this thing for real? Is there going to be a
>> problem? Why isn't there a new one?
>>
>> What is this thing for?
>>
>> Questions, questions..
>
> --
> Sent from my mobile device
--
Sent from my mobile device

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
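
A read-only inventory that could precede the cleanup discussed in this thread, added here as an example and not posted by any participant: it lists certificates in a DC's computer store that are expired or issued by the retired CA, then lists what is still published under the AD PKI containers. It assumes PowerShell is available on the DC and that `$RetiredCA` holds the CA name as it appears in the CDP container ("Trace3 CA" in the thread); it deletes nothing.

```powershell
# Added example: report only, nothing is removed.
# Assumption: $RetiredCA is the decommissioned CA's name as shown in the thread.
$RetiredCA = 'Trace3 CA'
$now = Get-Date

# 1) Certificates in this DC's computer store that are expired or were
#    issued by the retired CA. These are the removal candidates.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $now -or $_.Issuer -like "*CN=$RetiredCA*" } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-List

# 2) Objects still published in the AD PKI containers (the same data the
#    "Manage AD Containers" dialog shows), read from the configuration partition.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

foreach ($name in 'AIA', 'CDP', 'Certification Authorities', 'Enrollment Services', 'KRA') {
    $container = [ADSI]"LDAP://CN=$name,$pkiRoot"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('cACertificate')

    foreach ($result in $searcher.FindAll()) {
        $dn      = [string]$result.Properties['distinguishedname'][0]
        $expires = $null
        # Objects that carry a CA certificate: decode it to read the expiry date.
        if ($result.Properties['cacertificate'].Count -gt 0) {
            try {
                $raw  = [byte[]]$result.Properties['cacertificate'][0]
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
                $expires = $cert.NotAfter
            } catch { }   # placeholder or empty attribute value: no expiry to show
        }
        New-Object PSObject -Property @{
            Container    = $name
            DN           = $dn
            CertExpires  = $expires
            MentionsOld  = ($dn -like "*$RetiredCA*")
        }
    }
}
```

Rows with `MentionsOld` set to `True`, or with a `CertExpires` date in the past, are the entries to review in the "Manage AD Containers" dialog.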
