K
K
Guest
I have a 2k3 native domain with 2 DCs.
DC 1 has all FSMO roles and DNS installed
DC 2 also has DNS installed
DC 2 did have the windows CA installed, although it was never used to issue
certificates. When rationalising our services the CA was uninstalled and
reinstalled on a member server on the domain.
The last week or so users have been experiencing problems with their home
drive mapping. Randomly, some users will get the map, where others will get
it but will get access denied if they try to open it. If they log off, wait
2 mins and log back on they can access the home drive. Home drives are a
share on DC 1.
Whilst trawling through the event logs yesterday I noticed the following
error:
KCD - Evend ID 20
The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.
I did a bit of research and found a suggestion that this was due to
uninstalling the CA from the server and that deleting any certificated
relating to that CA would solve the issue. I deleted all certificates
issued by DC 2 and restarted the KDC and have not received this error since.
This morning I rebooted the entire server farm for a clean start and checked
the event logs. DC 2 is now logging LsaSrv Event 40960 (SPNEGO Negotiator)
several times (all relating in one way of another to DC 2).
In the hope of trying top resolve this I reinstalled the CA onto DC2 (so I
now have an enterprise root CA on both DC 2 (where there was originally one)
and a member server (as I don't know if uninstalling this will cause further
problems).
I rebooted DC 2 and the member server the other CA is on and there were no
errors logged on either.
However, I am still experiencing some odd authentication problems.
It has not been long enough in the day yet to see if users are having home
drive problems so we will have to see about that, but one application which
I use (installed on the same member server as the CA) is giving access
denied messages when trying to run certain parts of it, which the developers
tell me is possibly due to problems with the account the service runs under
authenticating.
Can ayone help with this?
What is the best way of removing the CA from BOTH servers it is on now (the
DC and the member server) - neither has issued any certificated (other than
the ones it does automatically). And will this clear up my authentication
issues or is this something else?
DC 1 has all FSMO roles and DNS installed
DC 2 also has DNS installed
DC 2 did have the windows CA installed, although it was never used to issue
certificates. When rationalising our services the CA was uninstalled and
reinstalled on a member server on the domain.
The last week or so users have been experiencing problems with their home
drive mapping. Randomly, some users will get the map, where others will get
it but will get access denied if they try to open it. If they log off, wait
2 mins and log back on they can access the home drive. Home drives are a
share on DC 1.
Whilst trawling through the event logs yesterday I noticed the following
error:
KCD - Evend ID 20
The currently selected KDC certificate was once valid, but now is invalid
and no suitable replacement was found. Smartcard logon may not function
correctly if this problem is not remedied. Have the system administrator
check on the state of the domain's public key infrastructure. The chain
status is in the error data.
I did a bit of research and found a suggestion that this was due to
uninstalling the CA from the server and that deleting any certificated
relating to that CA would solve the issue. I deleted all certificates
issued by DC 2 and restarted the KDC and have not received this error since.
This morning I rebooted the entire server farm for a clean start and checked
the event logs. DC 2 is now logging LsaSrv Event 40960 (SPNEGO Negotiator)
several times (all relating in one way of another to DC 2).
In the hope of trying top resolve this I reinstalled the CA onto DC2 (so I
now have an enterprise root CA on both DC 2 (where there was originally one)
and a member server (as I don't know if uninstalling this will cause further
problems).
I rebooted DC 2 and the member server the other CA is on and there were no
errors logged on either.
However, I am still experiencing some odd authentication problems.
It has not been long enough in the day yet to see if users are having home
drive problems so we will have to see about that, but one application which
I use (installed on the same member server as the CA) is giving access
denied messages when trying to run certain parts of it, which the developers
tell me is possibly due to problems with the account the service runs under
authenticating.
Can ayone help with this?
What is the best way of removing the CA from BOTH servers it is on now (the
DC and the member server) - neither has issued any certificated (other than
the ones it does automatically). And will this clear up my authentication
issues or is this something else?