Wednesday 08 June 2005

KDC Certificate Problem

I kept seeing an Event ID 20 in my Exchange Server’s system event log with the following message:

“The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain’s public key infrastructure. The chain status is in the error data.”

If an Active Directory CA has been removed, domain controllers will log this error until they get a new certificate from a different CA. This is usually fixed by running “certutil -dcinfo deleteBad” to remove the offending certificates.
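The following PowerShell sketch is an added example, not part of the original post. It confirms the event is present, runs certutil's verify mode so the certificates can be reviewed before anything is removed, and only then deletes. It assumes an elevated session on a domain controller that has Get-WinEvent, and that autoenrollment against a working CA is configured; the script's -DeleteBad switch is a name chosen for this example.

```powershell
# Added example: review the DC certificates first, delete only when asked to.
param([switch]$DeleteBad)   # switch name is this example's own choice

# Look for the KDC certificate error (Event ID 20) in the System log.
# Matching on the message text avoids depending on the provider name.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*KDC certificate*' }

if (-not $hits) {
    Write-Output 'No Event ID 20 KDC certificate errors found in the System log.'
    return
}

# Show the most recent occurrences so the timing can be compared with the CA removal.
$hits | Sort-Object TimeCreated -Descending |
    Select-Object -First 5 TimeCreated, ProviderName, Id |
    Format-Table -AutoSize

# List the domain controller certificates and verify their chains (changes nothing).
certutil -dcinfo verify

if ($DeleteBad) {
    # Remove the certificates that failed verification.
    certutil -dcinfo deleteBad
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -dcinfo deleteBad exited with code $LASTEXITCODE"
        return
    }
    # Assumption: autoenrollment is configured, so a pulse lets the DC request a replacement.
    certutil -pulse
} else {
    Write-Output 'Review the verify output above, then re-run with -DeleteBad to remove the bad certificates.'
}
```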

 


quack - © 2002-2012