The KDC service hangs long enough on a booting Domain Controller to create an error and the popup message for a service failing to start. Unfortunately the popup is visible to end users, as the DCs are also file/print servers that users have console access to (yeah, yeah, I know. I just can’t do anything about it).
The results of certutil -dcinfo verify show Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10) and "The certificate is not valid for the requested usage. 0x800b0110".
It would appear that certutil -dcinfo deletebad is the next step, but I’m not 100% sure that the DC will auto-enroll for a new certificate. I also have no idea what things might be using Kerberos for authentication. At least I know that smart cards are not being used, but that is of little comfort.
To be continued….
…later that same day.
Tried the certutil -dcinfo deletebad command. It succeeded in giving me an error message:
For this error I used the following steps from Microsoft:
We will see how far down the rabbit hole this takes us….
Requesting new Domain Controller certificates didn’t seem to fix the issue. However, requesting Domain Controller Authentication certificates appears to have fixed the errors on all DCs but one.
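As an added example (not part of the original post), this PowerShell snippet gives a quick per-certificate view of what certutil -dcinfo verify is complaining about: it lists every certificate in the DC's machine store with its template, its Enhanced Key Usage entries and whether a trust chain currently builds. Run it on a DC after enrolling to confirm the new certificate actually carries the usages you expect and that the old, unusable one is gone; the OID-to-name table is standard and the template OIDs are the two Microsoft extensions used by v1 and v2 templates.

```powershell
# Added example: inspect DC machine certificates for the usages the KDC needs.
# Run on the Domain Controller in an elevated PowerShell session.
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
# Template name extension (v1 templates) and template information extension (v2+).
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage extension is OID 2.5.29.37; missing EKU means "any purpose".
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuText = ($ekus | ForEach-Object {
        if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ }
    }) -join ', '
    if (-not $ekuText) { $ekuText = '(none / any purpose)' }

    # Template extension, formatted as certutil would show it.
    $tmplExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        ChainOk    = $cert.Verify()   # $false when the chain or revocation check fails
        Template   = $template
        EKUs       = $ekuText
    }
} | Format-List
```

A certificate that shows ChainOk = True but lacks Server Authentication or Client Authentication in its EKU list is the kind certutil reports as not valid for the requested usage, so compare the EKUs column against what the template you enrolled is supposed to issue.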