AD certs
-
I have a client that I believe was trying to push a certificate out to all the computers on his domain. He thinks he revoked the old certificate before the new one was created. AD got pretty messed up. Two of the domain controllers wouldn't run their services anymore and were effectively dead, so we seized the FSMO roles on the DC that seemed to be working. The other remaining DC is having some issues, but DNS is straightened out and AD replication is working now.
I went in to group policy to find the Cert policy and I was expecting to see the certificate to see if it was valid and it didn't show up. I'm not sure where to look now.
I'm getting the error: Event ID 20
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
It looks like this article has the fix:
https://technet.microsoft.com/en-us/library/cc733985(v=ws.10).aspx
The part I'm not sure about is what to do about the group policy. Has anyone done this before?
-
If there is no certificate on the server, then he deleted the only cert that existed. Which means all you'll have to do is to request a new certificate.
-
So add the certificate services roll as if there was nothing there before?
-
@Mike-Davis The role is removed as well?
If so, yes, you'll have to add the role and create the cert. Also, slap this customer, would you...
-
Active Directory has roles. Bakeries have rolls.
-
Active Directory has roles. Bakeries have rolls.
Damn it... didn't even notice when I typed that...
-
Active Directory has roles. Bakeries have rolls.
That's why I prefer bakeries.
-
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
-
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
-
@scottalanmiller said in AD certs:
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
If you're on a roll your choice of seats may impact your diet.
-
@scottalanmiller said in AD certs:
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
If you're on a roll your choice of seats may impact your diet.
I think I read the outermost seats have all of the nutrition.
-
Thank you grammar police. I usually catch stuff like that, but that one got by me.
At any rate, I tried to follow the article at the beginning of the post, and I'm getting the error:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
My question though, is if the certificate auto enrollment is even needed for normal domain operations?
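For anyone working through the same two errors (the Event ID 20 "KDC certificate was once valid, but now is invalid" message and the enrollment wizard's "no trusted certification authorities available"), here is a diagnostic script to run in an elevated PowerShell on the affected domain controller. It is an added example, not code from the thread or from the linked TechNet article; it assumes a default-location CA published in AD and the standard System log provider name for KDC events, and it only reads and reports apart from the final `certutil -pulse`, which just triggers an autoenrollment pass.

```powershell
# Added example (not from the thread): run as an administrator on the affected
# domain controller to see what the KDC has to choose from and whether a CA is
# still published in AD so enrollment can work at all.

# 1. Certificates in the machine store: the KDC selects its certificate from here.
$now   = Get-Date
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    Write-Warning 'LocalMachine\My is empty: the KDC has no certificate to select.'
}

$report = foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($cert)
    # Event ID 20 says "the chain status is in the error data"; this surfaces the same status.
    $chainStatus = if ($built) { 'OK' } else { ($chain.ChainStatus.Status | Sort-Object -Unique) -join ', ' }
    $chain.Reset()
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        # KDC Authentication (1.3.6.1.5.2.3.5) is the EKU the Kerberos Authentication template adds
        KdcEku     = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.2.3.5' })
        Chain      = $chainStatus
    }
}
$report | Format-Table -AutoSize

# 2. Enrollment services published in AD. The wizard error "no trusted CAs available"
#    usually means this list is empty (role removed, CA object deleted) or the CA is unreachable.
certutil -ADCA

# 3. Autoenrollment policy as written by the "Certificate Services Client - Auto-Enrollment"
#    GPO setting. 7 = enabled with renew/update and remove-revoked options; 0x8000 = disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
if (Test-Path -Path $aeKey) {
    Get-ItemProperty -Path $aeKey | Select-Object AEPolicy
} else {
    Write-Warning 'No AutoEnrollment policy key: the autoenrollment GPO setting is not applied to this machine.'
}

# 4. Recent KDC certificate events (Event ID 20 is the one quoted in the thread).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. Trigger an autoenrollment pass now instead of waiting for the next policy refresh,
#    then re-run section 1 to see whether a new certificate arrived.
certutil -pulse
```

If section 1 shows only expired or revoked certificates with `KdcEku` false, and section 2 lists no enrollment services, the KDC has nothing valid to pick and nothing to enroll from, which matches the two errors in this thread: the CA has to exist and be published in AD before autoenrollment (or the manual request wizard) can hand the DC a new certificate.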
-
@scottalanmiller said in AD certs:
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
He's off the rolls!!!
-
@scottalanmiller said in AD certs:
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
He's off the rolls!!!
Now I'm all about the enROLLment.
-
@Mike-Davis said in AD certs:
@scottalanmiller said in AD certs:
@wirestyle22 said in AD certs:
Active Directory has roles. Bakeries have rolls.
You're really not helping my diet.
Don't stop your diet now, you're on a roll!
He's off the rolls!!!
Now I'm all about the enROLLment.
I like my enROLLments with lots of butter, nice and warm...
-
*twitch* *stutter*
-
*twitch*
Autoenrollment is good for domains. Could you imagine having to update the certificates on every system in the domain by hand?
-
Any progress on this issue?
-
@Mike-Davis said in AD certs:
*twitch*
Autoenrollment is good for domains. Could you imagine having to update the certificates on every system in the domain by hand?
So how do you test to make sure it's working?
If the systems start to tombstone, then you know you have issues, at which point get the