Event 29, 6, and 13
Hello:
We have three DCs, Windows 2003 and Windows 2008 R2. I am getting a KDC warning on DC1 (Windows 2008).
DC1 - Holds all FSMO Roles, GC, AD Integrated DNS, Windows 2008
DC2 - GC, AD Integrated DNS, Windows 2008
DC3 - GC, AD Integrated DNS, Windows 2003
DC3 shows two certs under Personal; both are expired
DC1 no certs under Personal
DC2 no certs under Personal
Event 29 from DC1 and DC2
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 4/23/2012 8:34:09 AM
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DC1.AAA.local
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Event 6 and 13 from DC1 and DC2
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 4/23/2012 6:54:14 AM
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC1.AAA.local
Description:
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 4/23/2012 6:54:14 AM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: DC1.AAA.local
Description:
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from DC3.AAA.local\mail.AAA.com (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
I am not sure how to resolve this issue.
Please help. Thanks
April 23rd, 2012 11:51am
Hello,
See this: http://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx
Start by deleting the expired certificates.
If there is a need for LDAPS, you have to request a new certificate from your CA. In this case, your CA should be online and reachable.
If there is no need for LDAPS then ignore this step.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
April 23rd, 2012 11:59am
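The check the answer above describes (find expired certificates in the DC's Personal store, then see whether events 29, 6 and 13 recur), as an added PowerShell example that is not part of the original thread. The function names and the 7-day window are assumptions; the log and provider names are taken from the events quoted in the question. The script only reads and deletes nothing.

```powershell
# Added example: read-only triage of the machine Personal store and the
# three events from this thread. Run from an elevated prompt on each DC.

function Get-MachineCertStatus {
    # Hypothetical helper name. Uses the .NET X509Store class directly so it
    # does not depend on what the Cert: drive supports on older PowerShell.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer      # shows which CA issued the certificate
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Expired    = ($cert.NotAfter -lt $now)
            }
        }
    }
    finally { $store.Close() }
}

function Get-CertEnrollmentEvents {
    # Hypothetical helper name; -Days is an assumed look-back window.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System';      ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center';        Id = 29; StartTime = $since },
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'; Id = 6;  StartTime = $since },
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll';     Id = 13; StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
}

# Expired entries sort to the top; an empty table means the store has no certificates.
Get-MachineCertStatus | Sort-Object NotAfter |
    Format-Table Expired, NotAfter, Subject, Issuer -AutoSize

# First line of each message is enough to see the CA name and the RPC error code.
Get-CertEnrollmentEvents -Days 7 | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Running it before and after removing the expired certificates shows whether the events stop or keep recurring on each DC.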
We do not have a CA server. What about events 6 and 13?
April 23rd, 2012 12:43pm
These are because your DC is requesting a certificate and there is no CA.
Please delete the expired certificates and check results.
April 23rd, 2012 1:56pm
Mr X, I have deleted the expired certs. Any other steps I need to follow? What about event IDs 6 and 13?
Thanks
April 24th, 2012 9:50am
I am still getting error 29
April 25th, 2012 11:35am
I am still getting error 29
Ignore it since you are not using certificates.
Please clear Event Viewer Logs and check the new output. Also, reboot the DC.
April 25th, 2012 11:38am
Hi,
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment. So if there is no CA in your domain, you can ignore the event 29.
You receive a Key Distribution Center "Event ID: 29" event message on a Windows Server 2008-based domain controller
http://support.microsoft.com/kb/967623
Regards,
Bruce
April 27th, 2012 5:02am
Thank you, can you help with event IDs 6 and 13?
Thanks
April 27th, 2012 8:25am
Thank you everyone for all your help.
May 1st, 2012 12:20pm