Our organisation is going through a major restructuring phase these days and we’re converting from an “Empty Root with many Child Domains” model to a “Single Domain Forests” model. Why we went with the former model is a long story and definitely beyond the scope of this particular post, so I’ll leave it for another day. For today, I’ll start the story by saying that I’ve been developing build, process and migration documentation for the transition lately and most of my time is being consumed by that. Along the way, I’ve seen a few problems and I will be publishing some of them here so that people can benefit from them. Today, it’s the turn of “Event ID 29 — KDC Certificate Availability”.
If you are installing a new forest and have just promoted a member server to become the first domain controller in it (assumption that it’s a Windows 2008 or above forest), you might start seeing the following Warning message soon in your “System” log:
Event ID: 29, Source: Kerberos-Key-Distribution-Center, Level: Warning The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
This happens because the Domain Controller doesn’t have a valid certificate that the KDC can use. If you search the Internet for the problem, you find the following article: http://technet.microsoft.com/en-us/library/cc734096(WS.10).aspx
Please note that in typical Microsoft fashion, it “assumes” that you have a valid certificate authority present within your organisation and therefore, you can just ask for a new certificate. You may have one if you’re introducing new Windows 2008 (R2) DCs into a pre-existing organisation, but you are unlikely to have one if it’s a brand-new forest! The article, for some reason, doesn’t cover that possibility.
Prior to Windows 2008, having a certificate authority within your forest wasn’t really important: as long as you didn’t use anything that required certificates, you were fine. Windows 2008 (R2) is different, and the DC starts complaining soon after promotion if there is no valid certificate authority that can issue it a certificate. This problem won’t prevent anything from working, but it will keep generating this annoying warning message until fixed, and obviously you want to keep your event log clean.
The solution, as you can tell by now, is simple: install a new Certificate Authority. The process is not difficult and an outline of it is as follows:
- Log into server using a domain admin account.
- Run “Server Manager” and proceed to “Add Roles”.
- In the list of “Roles”, select “Active Directory Certificate Services”.
- Select the following options:
- Certification Authority
- Certification Authority Web Enrollment (click “Add Required Role Services” when prompted)
- Select “Enterprise” and click “Next”.
- Select “Root CA” and click “Next”.
- Select “Create a new private key” and click “Next”.
- Leave the default cryptography settings (RSA#Microsoft Software Key Storage Provider, 2048, SHA256) and click “Next”.
- Enter the common name for the CA as say [NetBIOS Name of Domain]-CA and click “Next”.
- Change the validity period to a long period say 15 years and click “Next”.
- Leave the certificate database settings as default and click “Next”.
- Click “Next” when the Web Server introduction screen appears.
- Click “Next” again (the only addition will be ASP support).
- Click “Install” and “Close” when the installation completes.
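The same installation, driven from PowerShell instead of the “Add Roles” wizard. This is an added example and not part of the original post; it assumes the ADCSDeployment module, which means Windows Server 2012 or later (on 2008 R2 the Server Manager wizard above is the way to do it), a session running as a domain admin who is also an Enterprise Admin (needed to register an Enterprise CA in the forest), and the “[NetBIOS Name of Domain]-CA” naming convention the post suggests.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# "Add Roles" wizard steps. Requires the ADCSDeployment module (Windows
# Server 2012 or later). Run in an elevated session as a domain admin who
# is also an Enterprise Admin.

# CA name follows the post's convention: <NetBIOS domain>-CA (assumption)
$netbiosDomain = $env:USERDOMAIN
$caName        = "$netbiosDomain-CA"

# 1. Install the two role services chosen in the wizard. Web Enrollment pulls
#    in the IIS/ASP dependencies the wizard calls "required role services".
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# 2. Configure an Enterprise Root CA with the wizard choices from the post:
#    new private key, RSA KSP, 2048-bit key, SHA256, 15-year validity.
#    Database and log locations are left at their defaults.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 15 `
    -Force

# 3. Configure Web Enrollment against the local CA (optional; skip it if
#    nobody will use the web pages, as one commenter on the post does).
Install-AdcsWebEnrollment -Force

# 4. Sanity checks: the CA service is running and the CA's own certificate
#    sits in the local machine's Personal store with the expected key size
#    and signature algorithm.
Get-Service certsvc
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Select-Object Subject, NotAfter, SignatureAlgorithm,
        @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } }
```

The scripted form is worth keeping in the build documentation even if the first CA is built through the wizard: it records exactly which key length, hash and validity period were chosen, which is what an auditor or a later rebuild will ask for.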
It’s also useful to do the following steps afterwards:
- Fire up the “Certification Authority” MMC window.
- Navigate to Certification Authority (Local) –> [NetBIOS Name of Domain]-CA.
- Right click “[NetBIOS Name of Domain]-CA” and click “Properties”.
- Select the “Auditing” tab and check all the following options:
- Backup and restore the CA database
- Change CA configuration
- Change CA security settings
- Issue and manage certificate requests
- Revoke certificates and publish CRLs
- Store and retrieve archived keys
- Start and stop Certificate Services (click “OK” to the warning).
- Click the “OK” button and close the “Certification Authority” window.
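The same auditing configuration from the command line, as an added example that is not part of the original post. Two details are easy to miss when only the MMC tab is used: the “Auditing” tab writes a bitmask to the CA’s `AuditFilter` registry value, and the CA will still log nothing unless the operating system’s “Certification Services” audit subcategory is also enabled. The bit values below are the ones Microsoft documents for `CA\AuditFilter`; run it on the CA in an elevated session.

```powershell
# Added example (not from the original post): enable the same seven CA audit
# categories the "Auditing" tab exposes, from the command line, and make sure
# the OS audit policy actually lets the CA write the events. Run on the CA
# in an elevated session.

# Bit values of CA\AuditFilter, in the same order as the Auditing tab
$auditBits = [ordered]@{
    'Backup and restore the CA database'    = 1
    'Change CA configuration'               = 2
    'Change CA security settings'           = 4
    'Issue and manage certificate requests' = 8
    'Revoke certificates and publish CRLs'  = 16
    'Store and retrieve archived keys'      = 32
    'Start and stop Certificate Services'   = 64
}
$auditFilter = ($auditBits.Values | Measure-Object -Sum).Sum   # 127 = every box ticked

# 1. Tell the CA which operations to audit (what ticking the boxes does)
certutil -setreg CA\AuditFilter $auditFilter

# 2. The MMC tab does not touch the OS audit policy; without this the CA
#    produces no audit events at all, whatever AuditFilter says.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. AuditFilter is read when the service starts, so restart it
Restart-Service certsvc

# 4. Verify: AuditFilter should read 0x7f (127) and the subcategory should
#    show "Success and Failure"
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

If a domain-level audit policy GPO applies to the CA, step 2 should be made in that GPO rather than locally, otherwise the next policy refresh will quietly switch it off again.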
- Open “Certificates” MMC (Run “mmc”, Add/Remove Snap-in, Add “Certificates”, Select “Computer Account”)
- Browse to “Certificates (Local Computer) –> Personal –> Certificates”. Check if a certificate already exists for the DC now, issued by the newly-created CA. Please note: There should be another one for the CA itself.
- If not, right-Click on “Certificates” –> All Tasks –> “Request New Certificate”
- Click “Next” twice (acknowledging a screen that informs that a policy enables auto-enrollment)
- In the “Request Certificate” screen, check the “Domain Controller” check box only.
- Click on “Enroll”.
- Close the MMC.
Be patient after that, as the DCs will probably take some time (i.e. a few hours) to request a certificate. As that happens, all DCs in question will stop generating the warning messages mentioned above. If the messages remain after a day or so, then maybe Auto-Enrollment is not enabled or isn’t working properly. If it’s not enabled, follow the process documented here. Alternatively, you could try logging on to the DC itself and requesting a certificate manually, using the process mentioned in the Microsoft article.
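A scripted version of the check and request steps above, as an added example that is not part of the original post: it looks in the DC’s Personal store for a usable certificate issued by the new CA, requests one with the Domain Controller template if none is there (the command-line equivalent of “Request New Certificate”, without waiting for the auto-enrollment timer), and then runs the `certutil` verification the event text itself points to. It assumes the “[NetBIOS Name of Domain]-CA” naming convention from the post, PowerShell 3 or later, and an elevated session on the DC.

```powershell
# Added example (not from the original post): find or request the DC's
# certificate from the new CA and verify it with certutil. Run on the DC in
# an elevated session. $caName mirrors the post's naming convention and is
# an assumption; adjust it if your CA is named differently.

$caName = "$env:USERDOMAIN-CA"

# The template a certificate was issued from is recorded in an extension:
# 1.3.6.1.4.1.311.20.2 holds the name for v1 templates such as
# "DomainController"; v2 templates (e.g. Kerberos Authentication) use
# 1.3.6.1.4.1.311.21.7 instead.
function Get-TemplateName($cert) {
    $ext = $cert.Extensions | Where-Object {
        $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7'
    } | Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '' }
}

# 1. A certificate the KDC can use must come from our CA, be unexpired, and
#    carry both the Server Authentication and Client Authentication EKUs.
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "CN=$caName*" -and
    $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and   # Server Auth
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'        # Client Auth
}

if ($dcCerts) {
    $dcCerts | Select-Object Subject, NotAfter, @{ n = 'Template'; e = { Get-TemplateName $_ } }
} else {
    Write-Host "No usable DC certificate from $caName found; requesting one now."
    # Same as "Request New Certificate -> Domain Controller" in the MMC
    certreq -enroll -machine DomainController
    # Alternatively, trigger auto-enrollment immediately instead of waiting:
    # certutil -pulse
}

# 2. certutil's own check of every DC certificate in the domain; this is the
#    "verify the existing KDC certificate using certutil.exe" step that
#    Event ID 29 asks for. Bad entries show up here before they show up as
#    failed smart card logons.
certutil -dcinfo verify
```

Running the first part on each DC after the CA is built gives a quick answer to the question in the comments about a second DC still logging the warning: either no certificate from the CA has landed in its Personal store yet, or the one that has doesn’t carry the right usages.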
Hope this helps!
This article was very useful to me. However, it appears a step is missing.
Open “Certificates” MMC (Run “mmc”, Add/Remove Snap-in, Add “Certificates”)
At this point you have to choose if the snap-in will always manage certificates:
1. My user account
2. Service account
3. Computer account
I chose computer account.
Can you please clarify.
Thanks.
Hi Al
Apologies for the delayed response. I was away for a while. Yes, you chose the right option for the process, i.e. “Computer Account”. I didn’t put all the steps in as the intention was just to guide enough for someone to understand what to do. Some MMC knowledge is assumed, especially if one is installing a new forest. 🙂 I am also glad that the article was useful to you.
Best regards,
Ather
Thanks for this article, it was very useful 🙂
I didn’t install the web interface because I don’t use it.
Hi Fabio,
Glad to be of service. I agree – if you don’t use the web interface, then there is no reason to install it. Could be quite handy in some cases, though!
Ather
Thank you very much for this article. It was incredibly helpful. I have been struggling with a server for months with no luck to a solution.
Whether this article you’ve published repairs it or not, I am grateful for your walkthrough and learned a great deal.
Hi Doug,
You’re welcome and many thanks for the feedback. It would be interesting to know if it fixed the problem in the end. It certainly did for me and many others! 🙂
Ather
Hi Mr. Beg-
Hope you are going great!
Certainly a great blog, just like the name “Ather Beg’s Useful Thoughts”.
Well, I have 2 questions.
Scenario: We have a forest with one domain and we have two DC running on win srv 2008 std. and rest 6 RODC’s running on Win srv 2008 r2 std.
Q1) I suppose this solution is ideal for my infrastructure, since I’m getting the same Event ID 29 warning message?
Q2) Will I have any adverse effect on my MS Exchange 2010 environment if we install a new Certificate Authority as suggested?
Thank you!!!
Hi there
Thanks for the compliment! 🙂
Installing a CA just means that you have your own authority that can issue certificates for your organisation and I am assuming you don’t have one already. However, it doesn’t even issue a certificate until you want it to so if you want to tread carefully then don’t set up auto-enrollment until you’ve researched and considered the effects.
That said, I personally can’t think of any reason why it should have any negative effect on your infrastructure. Plus, the issue mentioned above won’t get fixed until a certificate is issued, either by auto-enrollment or manually.
Hope this helps!
Ather
I’m getting the same Event ID 29 (warning) message on the send DC on which I have configured the CA:
“The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.”
However, on the primary DC we have stopped getting the Event ID 29 (warning).
Kindly suggest!!!
Small mistake: it’s not “send”, it’s “second” (sorry for the inconvenience).
This article, and more so the responses to it, are probably very relevant to this discussion.
https://redmondmag.com/articles/2015/06/01/ad-certificate-services.aspx
Adding a CA to a domain isn’t something that should be approached lightly.
Better advice probably comes from http://support.microsoft.com/kb/967623 :
“If there is no CA in your domain, you can ignore this event.”