Our organisation is going through a major restructuring phase these days and we’re converting from an “Empty Root with many Child Domains” to a “Single Domain Forests” model. Why we went with the former model is a long story and definitely beyond the scope of this particular post, so I’ll leave it for another day. For today, I’ll start the story by saying that I’ve been developing build, process and migration documentation for the transition lately and most of my time is being consumed by that. Along the way, I’ve seen a few problems and I will be publishing some of them here so that people can benefit from them. Today it is the turn of “Event ID 29 — KDC Certificate Availability”.
If you are installing a new forest and have just promoted a member server to become the first domain controller in it (assuming it’s a Windows 2008 or later forest), you might soon start seeing the following Warning message in your “System” log:
Event ID: 29
Source: Kerberos-Key-Distribution-Center
Level: Warning
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
This happens because the Domain Controller doesn’t have a valid certificate. If you search the Internet for the problem, you will find the following article: http://technet.microsoft.com/en-us/library/cc734096(WS.10).aspx
Please note that, in typical Microsoft fashion, it “assumes” that you have a valid certificate authority present within your organisation and therefore you can just ask for a new certificate. You may have one if you’re introducing new Windows 2008 (R2) DCs into a pre-existing organisation, but you are unlikely to have one if it’s a brand-new forest! The article, for some reason, doesn’t cover that possibility.
Prior to Windows 2008, having a certificate authority within your forest wasn’t really important: you were fine as long as you didn’t use anything that required one. It seems that Windows 2008 (R2) is different, and the DC starts complaining soon after promotion if you don’t have a valid certificate authority that can issue it a certificate. This problem won’t prevent anything from working, but it will keep generating this annoying warning message until fixed, and obviously you want to keep your event log clean.
The solution, as you can tell by now, is simple: install a new Certificate Authority. The process is not difficult and an outline is as follows:
- Log into server using a domain admin account.
- Run “Server Manager” and proceed to “Add Roles”.
- In the list of “Roles”, select “Active Directory Certificate Services”.
- Select the following options:
  - Certification Authority
  - Certification Authority Web Enrollment (click “Add Required Role Services” when prompted)
- Select “Enterprise” and click “Next”.
- Select “Root CA” and click “Next”.
- Select “Create a new private key” and click “Next”.
- Leave the default cryptography settings (RSA#Microsoft Software Key Storage Provider, 2048, SHA256) and click “Next”.
- Enter the common name for the CA as, say, [NetBIOS Name of Domain]-CA and click “Next”.
- Change the validity period to a long period, say 15 years, and click “Next”.
- Leave the certificate database settings as default and click “Next”.
- Click “Next” when the Web Server introduction screen appears.
- Click “Next” again (the only addition will be ASP support).
- Click “Install” and “Close” when the installation completes.
It’s also useful to do the following steps afterwards:
- Fire up the “Certification Authority” MMC window.
- Navigate to Certification Authority (Local) –> [NetBIOS Name of Domain]-CA.
- Right click “[NetBIOS Name of Domain]-CA” and click “Properties”.
- Select the “Auditing” tab and check all of the following options:
  - Backup and restore the CA database
  - Change CA configuration
  - Change CA security settings
  - Issue and manage certificate requests
  - Revoke certificates and publish CRLs
  - Store and retrieve archived keys
  - Start and stop Certificate Services (click “OK” to the warning).
- Click the “OK” button and close the “Certification Authority” window.
- Open the “Certificates” MMC (run “mmc”, Add/Remove Snap-in, add “Certificates”, select “Computer Account”).
- Browse to “Certificates (Local Computer) –> Personal –> Certificates”. Check whether a certificate issued by the newly-created CA already exists for the DC. Please note: there should be another one for the CA itself.
- If not, right-click on “Certificates” –> All Tasks –> “Request New Certificate”.
- Click “Next” twice (acknowledging a screen that informs that a policy enables auto-enrollment)
- In the “Request Certificate” screen, check the “Domain Controller” check box only.
- Click on “Enroll”.
- Close the MMC.
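The Auditing tab settings above can also be applied from the command line, which is handy when the same build is repeated across several forests. This is an added example, not from the original post; it assumes it runs elevated on the CA server itself and that certutil and auditpol are on the path.

```powershell
# Added example (not from the original post): the Auditing tab settings from the
# command line, plus the OS-level audit policy the CA needs before it will log anything.
# Assumes it runs elevated on the CA server and that certutil/auditpol are on the path.

# AuditFilter is a bitmask of the seven categories on the Auditing tab; 127 (0x7F) ticks them all.
certutil -setreg CA\AuditFilter 127

# The CA only emits audit events when the "Certification Services" subcategory is enabled
# in the local audit policy (Audit Object Access); the Auditing tab alone does not enable this.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# The registry value is read when the service starts, so restart Certificate Services.
Restart-Service CertSvc

# Confirm the value took effect (should report 127).
certutil -getreg CA\AuditFilter
```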
Be patient after requesting the certificate, as the DCs will probably take some time (i.e. a few hours) to request one. As that happens, all DCs in question will stop generating the warning messages mentioned above. If the messages remain after a day or so, then maybe Auto-Enrollment is not enabled or isn’t working properly. If it is not enabled, follow the process documented here. Alternatively, you could log on to the DC itself and request a certificate manually, using the process described in the Microsoft article.
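Rather than waiting a day and re-reading the System log by hand, the following check can be run on each DC. It is an added example, not from the original post or the Microsoft article: it counts recent Event ID 29 warnings, looks for a CA-issued certificate with a Server Authentication or KDC Authentication EKU in the machine store, verifies it with certutil as the event text recommends, and triggers autoenrollment immediately if none is found. The EKU OIDs and the use of certutil -pulse are my additions; it assumes an elevated PowerShell 2.0 or later session on the DC.

```powershell
# Added example (not from the original post): check a DC for Event ID 29 and for a
# CA-issued authentication certificate, and kick off autoenrollment if none is present.
# Assumes it runs elevated on the DC with PowerShell 2.0 or later (Windows 2008 R2).

function Get-KdcCertWarnings {
    param([int]$Hours = 24)
    # Event ID 29 in the System log; the provider-name match is applied afterwards so
    # the exact registered provider string does not need to be known in advance.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 29; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' }
}

function Get-DcAuthCertificate {
    # EKU OIDs (assumed here): Server Authentication, as on the Domain Controller template,
    # and KDC Authentication, as on the Kerberos Authentication template.
    $wanted = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.2.3.5'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c = $_
        $eku  = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        # Skip the CA's own self-signed root, which also lives in this store on a DC that hosts the CA.
        $c.HasPrivateKey -and
        $c.NotAfter -gt (Get-Date) -and
        $c.Subject -ne $c.Issuer -and
        @($oids | Where-Object { $wanted -contains $_ }).Count -gt 0
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-DcAuthCertificate
if ($cert) {
    "DC certificate present: Subject={0} Issuer={1} Expires={2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
    # The verification the event text recommends: build the chain and fetch CRL/AIA URLs.
    $path = Join-Path $env:TEMP 'dc-cert.cer'
    [System.IO.File]::WriteAllBytes($path, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    certutil -verify -urlfetch $path
} else {
    "No CA-issued DC certificate found; triggering autoenrollment now instead of waiting for the timer."
    certutil -pulse
}
"{0} Event ID 29 warning(s) in the last 24 hours" -f @(Get-KdcCertWarnings).Count
```

If certutil -verify reports a chain or revocation failure while a certificate is present, the warning is the "could not be verified" case from the event text rather than a missing certificate, and the CA's CRL publication is the place to look.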
Hope this helps!