Posted by Miha Pihler [MVP] on May 5, 2006, 2:37 pm
Hi,
To be sure which certificates you have -- you can run
Certutil -dcinfo -verify
on the DC to check which certificates are installed and then run
Certutil -dcinfo deletebad
This will remove any bad certificates...
--
Mike
Microsoft MVP - Windows Security
> I have the following scenario to deal with:
> Windows 2003 domain, installed in Jan 2005. Enterprise PKI installed in Jan
> 2005 and then uninstalled in Jan 2005. There are KDC errors on the domain
> controllers:
> Source : KDC
> Event id 20
> Description:
> The currently selected KDC certificate was once valid, but now is invalid
> and no suitable replacement was found. Smartcard logon may not function
> correctly if this problem is not remedied. Have the system administrator
> check on the state of the domain's public key infrastructure. The chain
> status is in the error data.
>
> Now the CRL is no longer available by any means, nor is the backup of the
> servers with the PKI in place. The DCs have certificates that were issued
> by this CA; the certificates are valid until Dec 2006.
>
> Now my question is: can I use the instructions in the following article to
> clean out all remains of this CA even though the CRLs will never be
> available?
> http://support.microsoft.com/kb/889250/en-us
>
> Hope there is someone there who can assist me with this!
>
>