for details on this event.
From a newsgroup post: "I have made a call to Microsoft on this issue. They first suggested setting the RPC Locator service to "Automatic" and then starting it. They also suggested restarting the NetLogon service after this change was made. Seems that upgrading to W2K3 changes the RPC Locator service startup for some reason".
From a newsgroup post: "On the problem DC, open the certificates snap-in, go to Certificates (Local Computer) -> Personal -> Certificates store, and verify that the DC has a valid certificate whose Intended Purpose indicates Client Authentication, Server Authentication. Also, verify that the Certification Chain validates to the root certificate. On the Details tab of the certificate check to see if the Smart Card Logon Object Identifier (1.3.6.1.4.1.311.20.2.2) is listed in the Enhanced Key Usage field. If any of the above is not correct, you will need to correct it".
From a newsgroup post: "Per my research, Event ID 20 and 7022 could occur if the current Win2k3 SP1 machine cannot contact a valid CA (Certificate Authority). A CA can issue many different types of certificate, and smart card certificates are one of them. For example, you installed CA on one DC and removed CA from it; however, the Win2k3 SP1 machine still wants to contact the original CA. In this case, Event ID 20 is logged.
Once the CA has been taken down, the certificates that have been issued to all the domain controllers need to be removed. This can be done quite easily using DSSTORE.EXE from the Resource Kit. To remove old domain controller certificates, use the following steps.
At the command prompt on a domain controller, type "certutil -dcinfo deleteBad"
To do so:
1. Install the Windows Support Tools from the Support\Tools folder in the Windows Server 2003 DC.
2. Go to the command prompt, type "certutil -dcinfo deleteBad" (without the quotation marks)
3. Clean out KDC 20 warnings in the System Event Log.
4. Restart the DC and then check if the issue is fixed.
I suspect that the issue may be related to the DCOM protocol. Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers.
As the Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol, I suspect that it may be the cause of the problem.
1. Please check to ensure that a new security group, CERTSVC_DCOM_ACCESS, has been created after applying SP1.
2. Please add the "Domain Users", "Domain Computers", "Domain Controllers" groups to the new CERTSVC_DCOM_ACCESS security group.
3. Then, we can have Certificate Services update the DCOM security settings by running the following commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
Please check if the problem has been fixed.
Reissue a domain controller certificate:
1. Click Start -> Run -> type "mmc" (without the quotation marks) and press Enter.
2. Click File -> Add/Remove Snap-in. Click the Add button and select Certificate snap-in. Select Computer account.
3. In the certificate console, navigate to Personal\Certificates. Right-click the folder and choose Request new certificate.
4. Follow the wizard to request a Domain Controller certificate.
5. Reboot the computer to see if the problem is resolved".
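The certificate checks the posts above walk through by hand (required Enhanced Key Usage values and a chain that builds to a trusted root), as an added PowerShell example that is not from any of the quoted posts. It assumes it runs on the domain controller with rights to read the machine certificate store; the three EKU OIDs are the well-known identifiers for those purposes.

```powershell
# Added example: audit Cert:\LocalMachine\My for a domain controller certificate
# that carries all the EKUs the KDC needs and whose chain validates.
$RequiredEku = @{
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject }

    # Collect the OIDs in the Enhanced Key Usage extension (2.5.29.37), if present.
    $ekuOids = @()
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($name in $RequiredEku.Keys) {
        $result[$name] = ($ekuOids -contains $RequiredEku[$name])
    }

    # Build the chain with online revocation checking, as the snap-in's
    # Certification Path tab does; report any status flags that were raised.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $result['ChainValid']  = $chain.Build($Cert)
    $result['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $result['NotAfter']    = $Cert.NotAfter
    [pscustomobject]$result
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-DcCertificate $_ }
$report | Format-Table -AutoSize -Wrap

$usable = $report | Where-Object {
    $_.ChainValid -and $_.'Server Authentication' -and
    $_.'Client Authentication' -and $_.'Smart Card Logon'
}
if (-not $usable) {
    Write-Warning 'No certificate with all required EKUs and a valid chain was found; reissue the DC certificate.'
}
```

A row whose ChainValid column is False with a status such as PartialChain or RevocationStatusUnknown points at the stale-CA situation the post describes, which the certutil -dcinfo deleteBad step is meant to clean up.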
for additional information on this event.