域控证书服务器删除错误解决方法

在DC服务器上删除证书服务器后，每次服务器重启出现如下错误

eventid 7022

Kerberos Key Distribution Center サ�`ビスは起��rに停止しました。

��な情�螭稀�http://go.microsoft.com/fwlink/events.asp の [ヘルプとサポ�`ト センタ�`] を参照してください。

 除了每次启动时加载设置时间比较长外，没有发现其他影响。

解决方法：

1.安装Windows Support Tools

2.运行certutil - dcinfo deleteBad

3.重启

 

 

 

原文地址：http://www.eventid.net/display.asp?eventid=7022&eventno=111&source=Service%20Control%20Manager&phase=1

- Service: Kerberos Key Distribution Center - From a newsgroup post: "Per my research, Event ID 20 and 7022 could occur if the current Win2k3 SP1 machine cannot contact a valid CA (Certificate Authority). CA can issue many different types certificate and smart card is a one among them. For example, you installed CA on one DC and removed CA from it; however, the Win2k3 SP1 machine still wants to contact the original CA. In this case, Event ID 20 is logged.
Once the CA has been taken down, the certificates that have been issued to all the domain controllers need to be removed. This can be done quite easily using DSSTORE.EXE from the Resource Kit. To remove old domain controller certificates, use the following steps.

Step 1:
At the command prompt on a domain controller, type "certutil -dcinfo deleteBad"

To do so:
1. Install the Windows Support Tools from the Support\Tools folder in the Windows Server 2003 DC.
2. Go to command prompt, type "certutil - dcinfo deleteBad" (without the quotation marks)
3. Clean out KDC 20 warnings in the System Event Log.
4. Restart the DC and then check if the issue is fixed.

Step 2:
I suspect that the issue may be related to the DCOM protocol. Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
As the Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol, I suspect that it may be the cause of the problem.
1. Please check to ensure that a new security group, CERTSVC_DCOM_ACCESS, has been created after applied the SP1.
2. Please add the "Domain Users", "Domain Computers", "Domain Controllers" groups to the new CERTSVC_DCOM_ACCESS security group.
3. Then, we can have Certificate Services update the DCOM security settings by running the following commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
Please check if the problem has been fixed.

Step 3:
Reissue a domain controller certificate:
1. Click Start -> Run -> type "mmc" (without the quotation marks) and press Enter.
2. Click File -> Add/Remove Snap-in. Click the Add button and select Certificate snap-in. Select Computer account.
3. In the certificate console, navigate to Personal\Certificates. Right-click the folder and choose Request new certificate.
4. Follow the wizard to request a Domain Controller certificate.
5. Reboot the computer to see if the problem is resolved".

This event appears when a service is stuck in the start pending state. The service failed to indicate that it is making progress within the time period indicated in its last status message. See MSW2KDB for more details on this problem.