
You receive a Key Distribution Center "Event ID: 20" event message on a Windows Server 2003-based domain controller



Symptoms

Consider the following scenario. You are using a Microsoft Windows Server 2003-based domain controller. The domain controller is part of a domain that does not have a certification authority (CA) installed. You receive the following event message in the Event Viewer System log:

Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: date
Time: time
User: N/A
Computer: computer name
Description: The currently selected KDC certificate was once valid, but now is invalid. No suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.



Cause

This issue may occur because of invalid domain controller certificates. Domain controller certificates may become invalid if you remove a CA that was installed in the domain. After you remove the CA, the domain controller still tries to contact the CA. Therefore, you receive the error message that is mentioned in the "Symptoms" section.



Resolution

To resolve this issue, remove all the invalid domain controller certificates, as follows:
  1. At a command prompt, type the following command, and then press ENTER:
    Certutil -dcinfo deleteBad
  2. At the command prompt, type exit, and then press ENTER to close the command prompt.
  3. Remove all the Key Distribution Center (KDC) "Event ID: 20" instances from the Event Viewer System log.
  4. Restart the domain controller.
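
The following read-only pre-check is an added example, not part of the original Microsoft article. It assumes PowerShell 2.0 or later is installed on the domain controller and is run from an elevated session; the X.509 chain build only approximates the check the KDC performs. It counts the KDC Event ID 20 warnings, reports the chain status of each certificate in the computer's Personal store, and runs certutil in verify mode so you can see what is invalid before running the deleteBad step.

```powershell
# Added example: read-only pre-check for the KDC Event ID 20 cleanup. Nothing is deleted.
# Assumption: PowerShell 2.0 or later, elevated session on the domain controller.

# 1. Find KDC Event ID 20 warnings in the System log (source name as shown in the event).
$kdcEvents = @(Get-EventLog -LogName System -Source KDC -EntryType Warning -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 20 })
Write-Output ("KDC Event ID 20 warnings in System log: {0}" -f $kdcEvents.Count)
if ($kdcEvents.Count -gt 0) {
    $latest = $kdcEvents | Sort-Object TimeGenerated -Descending | Select-Object -First 1
    Write-Output ("Most recent occurrence: {0}" -f $latest.TimeGenerated)
}

# 2. Build a chain for every certificate in the computer's Personal store and
#    report its chain status flags.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    # $true = evaluate the chain in the machine context, not the user context.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Online revocation checking: a CA that can no longer be reached can surface
    # as flags such as RevocationStatusUnknown or OfflineRevocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $valid  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        ChainValid  = $valid
        ChainStatus = $status
    }
} | Select-Object Subject, Issuer, NotAfter, ChainValid, ChainStatus, Thumbprint | Format-List

# 3. Have certutil list the domain controller certificates and verify them
#    without deleting anything.
certutil -dcinfo verify
```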



More information

For more information about related issues, click the following article numbers to view the articles in the Microsoft Knowledge Base:
887578 You receive a "Logon failure" message when you use a smart card on a Windows Server 2003-based computer
892090 Group Policy settings are not applied when a user in an external Kerberos realm logs on to a Windows XP Professional-based or to a Windows 2000 Professional-based computer in a child domain
929272 Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003



Keywords: KB939088, kbprb, kbtshoot, kbexpertiseinter


Article Info
Article ID : 939088
Revision : 2
Created on : 7/26/2007
Published on : 7/26/2007
Exists online : False