KDC Certificate problem 1

Hi,

I recently demoted a domain controller on our network, and now the FSMO master has the following warning appearing in the application log.

Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: 18/08/2005
Time: 14:26:44
User: N/A
Computer: SVR1
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

I've looked around the web, and all references are to Server 2000.

Thanks
 
I fought with this for ages on my network and eventually found the answer, although not through here; it was a result of constant searching on the Server.

Load up the Enterprise PKI on your DC (start, run, mmc, add/remove snapin, add, Enterprise PKI). Once loaded, right-click the Enterprise PKI and select Manage AD Containers. Check out the various containers for expired certificates. The CDP Container expires the CRL after only about 2 days, so if your CA is unavailable you get the KDC errors you describe.

HTH

Andy
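
The container check described in the reply above can also be done read-only from PowerShell. This is an added example, not part of the original posts: it lists each CRL object in the CDP container and flags any whose NextUpdate has passed. It assumes a host with the ActiveDirectory module (RSAT) and certutil.exe, English certutil output, and a scratch file name (`cdp-check.crl`) chosen here for illustration.

```powershell
# Read-only check: list every CRL published in the AD CDP container and flag expired ones.
# Assumptions: ActiveDirectory module (RSAT) and certutil.exe are available on this host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$cdpBase  = "CN=CDP,CN=Public Key Services,CN=Services,$configNC"
$tmp      = Join-Path $env:TEMP 'cdp-check.crl'   # scratch file, name is arbitrary

$results = Get-ADObject -SearchBase $cdpBase -LDAPFilter '(objectClass=cRLDistributionPoint)' `
                        -Properties certificateRevocationList |
    ForEach-Object {
        $status = 'No CRL data'; $next = $null
        $bytes  = $_.certificateRevocationList
        if ($bytes -and $bytes.Length -gt 1) {
            [System.IO.File]::WriteAllBytes($tmp, [byte[]]$bytes)
            # certutil prints a "NextUpdate:" line for a CRL; the date uses the local format
            $line = certutil -dump $tmp |
                    Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
            if ($line) {
                $text = $line.Matches[0].Groups[1].Value.Trim()
                try {
                    $next   = [datetime]::Parse($text)   # parsed with the current culture
                    $status = if ($next -lt (Get-Date)) { 'EXPIRED' } else { 'Valid' }
                } catch { $status = "Unparsed NextUpdate: $text" }
            } else { $status = 'Could not read CRL' }
        }
        [pscustomobject]@{
            Status            = $status
            NextUpdate        = $next
            DistinguishedName = $_.DistinguishedName
        }
    }

Remove-Item $tmp -ErrorAction SilentlyContinue
$results | Sort-Object Status | Format-Table -AutoSize -Wrap
```

The script changes nothing in the directory. An EXPIRED row whose DistinguishedName contains the name of a CA server that no longer exists points at the stale CDP entry behind the KDC warning.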
 
Hi,

I can see the CDP entries which have expired because they relate to the old domain controller which I have removed.

Is it OK for me to delete these, and also the location references in the list of certificates? They have all got a red cross "unable to download".

These are the crts from the old server, I take it.
 