Posts in Category: Support

Event 29: Kerberos Key Distribution Center 

While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

After a little research, I found Knowledge Base article 967623 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me…

This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.

In a nutshell, if you are not using a certification authority (CA), you can ignore this error message.

Posted by Brian 11/09/2009 Categories: Support System Administration Windows

DCdiag fails for NCSecDesc test on Windows 2008 Domain Controllers 

Ran into this error this morning while running DCdiag on one of our Windows 2008 Domain Controllers.

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        ......................... Contoso-DC1 failed test NCSecDesc

After a little research (967482, Known Issues for Installing and Removing AD DS & Ravindra Pamidi's Blog) I found the cause of this issue is:

If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

So here’s Microsoft’s resolution to the issue:

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

So here we are again… another warning message because I’m not using a “feature” of the product!

Additional Note:

This bug affects any Windows Server 2008 domain controller with Active Directory installed in Windows 2003 mode, i.e., a default Windows 2008 domain.

That could be a single Windows 2008 Server domain, a Windows 2008-only domain, or a mix of Windows 2008/2003.

Posted by Brian 11/07/2009 Categories: Support System Administration Windows
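
An added example, not part of the original post: a small Python triage of captured dcdiag output that separates the missing-rodcprep finding described in the NCSecDesc post above from any other NCSecDesc error, so that only the former is disregarded. The third finding in the sample and all function names are constructed for illustration.

```python
import re

# Constructed sample: the dcdiag output quoted in the post, plus a third
# finding (a different right on the domain NC) made up to show the other path.
SAMPLE = """\
Starting test: NCSecDesc
        Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes
        access rights for the naming context:
        DC=CONTOSO,DC=COM
        ......................... Contoso-DC1 failed test NCSecDesc
"""

# One finding spans four wrapped lines: principal, right, fixed text, naming context.
FINDING = re.compile(
    r"Error\s+(?P<principal>.+?)\s+doesn.t have\s+(?P<right>.+?)\s+"
    r"access rights for the naming context:\s+(?P<nc>\S+)", re.DOTALL)

# The only combination the post's Microsoft quote says can be disregarded.
PRINCIPAL = r"nt authority\enterprise domain controllers"
RIGHT = "replicating directory changes in filtered set"
DNS_PARTITIONS = ("dc=domaindnszones,", "dc=forestdnszones,")

def parse_ncsecdesc(text):
    """Return one dict per NCSecDesc error, with wrapped whitespace collapsed."""
    return [{k: " ".join(v.split()) for k, v in m.groupdict().items()}
            for m in FINDING.finditer(text)]

def is_rodcprep_gap(f):
    """True only for the missing-rodcprep signature on a DNS application partition."""
    return (f["principal"].lower() == PRINCIPAL and f["right"].lower() == RIGHT
            and f["nc"].lower().startswith(DNS_PARTITIONS))

def triage(text):
    """Split findings into (explained by missing rodcprep, needs investigation)."""
    findings = parse_ncsecdesc(text)
    return ([f for f in findings if is_rodcprep_gap(f)],
            [f for f in findings if not is_rodcprep_gap(f)])

if __name__ == "__main__":
    known, other = triage(SAMPLE)
    for f in known:
        print("rodcprep gap :", f["nc"])
    for f in other:
        print("INVESTIGATE  :", f["principal"], "lacks", f["right"], "on", f["nc"])
```

Anything that lands in the second list is a replication-permission gap the post's explanation does not cover and should be reviewed on its own.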

How to ask for help! 

During my career I have run into support issues where I needed additional help and I had difficulty asking for that help. Soon I realized that most successful people know how and when to ask for help. And most people are inclined to offer help when asked (research backs this up).

Based on these experiences, I’ve developed some guidelines for how I ask for help:

Identify the problem. This might sound simple, but it’s not.

Learn as much as you can on your own.  Do your own research! Some support issues are so common a simple Internet search can yield a resolution.

Make it easy. Based on the research, perform some preliminary diagnostics which can yield a resolution.

Be clear. If the preliminary diagnostics do not yield a resolution, it's time to ask for help. During your conversation with the helper, be clear and describe in great detail your issue, research, and the preliminary diagnostics performed.

Posted by Brian 08/04/2009 Categories: Education Support