Symptom & Impact
The Kerberos Key Distribution Center service on Windows Server 2019 fails to start because UDP/TCP 88 is already bound. Without KDC, domain authentication fails, services that rely on tickets break, and member servers cannot validate logons.
Environment & Reproduction
Reproduce after an unrelated agent grabs port 88 or a misconfigured firewall captures the listener. Inspect netstat output and the System log.
Get-Service -Name kdc
Get-WinEvent -LogName System -MaxEvents 40
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
Root Cause Analysis
Causes include a third-party Kerberos appliance, a monitoring agent listening on port 88, or a packet capture tool that did not release the socket cleanly.
Quick Triage
Identify the PID holding port 88 and capture the KDC error event before changing service state.
sc.exe query kdc
Get-Service -Name kdc | Select-Object Status,StartType
Get-EventLog -LogName System -Newest 30 | Where-Object {$_.Source -match 'kdc|Kerberos-Key-Distribution'}
Step-by-Step Diagnosis
Locate the conflicting process bound to port 88 and read KDC error events.
Get-WinEvent -LogName System -MaxEvents 50 | Where-Object {$_.ProviderName -match 'kdc|Kerberos-Key-Distribution'} | Select-Object TimeCreated,Id,LevelDisplayName,Message
sc.exe qfailure kdc
sfc /verifyonly
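
The triage and diagnosis steps above ask for the PID holding port 88. As an added example (not part of the original page), the following maps every TCP listener and UDP endpoint on port 88 to its owning process and any hosted services, and flags owners other than lsass.exe. Variable and property names are illustrative, and it assumes an elevated PowerShell session on the affected DC.

```powershell
# Added example: identify which process owns TCP/UDP port 88 on this host.
$port = 88

# TCP listeners and UDP endpoints both expose OwningProcess (the PID).
$tcp = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, OwningProcess
$udp = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue |
    Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, OwningProcess

$report = foreach ($ep in @($tcp) + @($udp)) {
    if (-not $ep) { continue }   # skip the empty slot when one protocol has no binding
    $owner = $ep.OwningProcess
    $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
    $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $owner"
    [pscustomobject]@{
        Protocol = $ep.Protocol
        Address  = $ep.LocalAddress
        OwnerPid = $owner
        Process  = $proc.Name
        Path     = $proc.ExecutablePath
        Services = ($svcs.Name -join ',')
        # Per the acceptance criteria on this page, lsass.exe is the expected owner.
        Expected = ($proc.Name -eq 'lsass.exe')
    }
}

$report | Sort-Object Protocol, Address | Format-Table -AutoSize

$unexpected = $report | Where-Object { -not $_.Expected }
if (-not $report) {
    Write-Warning "Nothing is bound to port $port; KDC is not listening."
}
elseif ($unexpected) {
    $names = ($unexpected.Process | Sort-Object -Unique) -join ', '
    Write-Warning "Port $port is held by a process other than lsass.exe: $names"
}
else {
    Write-Output "Port $port is bound only by lsass.exe."
}
```

Save the table output alongside the KDC error event before stopping or reconfiguring the conflicting listener.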

Solution - Primary Fix
Stop the conflicting listener or relocate it to a different port, then start KDC and validate ticket issuance.
Restart-Service -Name kdc -Force
Get-Service -Name kdc | Select-Object Status,StartType
Get-WinEvent -LogName System -MaxEvents 20 | Where-Object {$_.ProviderName -match 'kdc|Kerberos-Key-Distribution'}

Solution - Alternative Approaches
If the conflict cannot be eliminated, move the affected role to another DC and demote the offending host.
sc.exe config kdc start= auto
sc.exe failure kdc reset= 86400 actions= restart/60000/restart/60000/run/1000
Restart-Service -Name kdc -Force
Verification & Acceptance Criteria
KDC runs, port 88 is bound by lsass.exe, and domain logons succeed across member servers.
Get-Service -Name kdc
Get-WinEvent -LogName System -MaxEvents 25 | Where-Object {$_.ProviderName -match 'kdc|Kerberos-Key-Distribution' -and $_.LevelDisplayName -eq 'Error'}
Test-NetConnection -ComputerName localhost -Port 88
Rollback Plan
Restart the previously running listener with its previous configuration to restore the prior state.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
wbadmin get versions
# Restore previous configuration export if available
Prevention & Hardening
Reserve port 88 in deployment standards and block any agent installer that attempts to take it on DCs.
Get-Service -Name kdc | Export-Clixml C:/Temp/kdc-baseline.xml
Get-WinEvent -LogName System -MaxEvents 50 > C:/Temp/kdc-events.txt
Get-ScheduledTask | Where-Object {$_.TaskName -match 'kdc'}
Related Errors & Cross-Refs
Linked to events 7024, 14, and Kerberos failure 0xC0000022.
References & Further Reading
Microsoft Learn references for KDC troubleshooting on Windows Server 2019.