Replacing legacy Domain Controller Certificates

November 21, 2012

Something you may have noticed on the road to AD enlightenment is that if you deploy a new Microsoft Enterprise Certification Authority (CA) and publish the default templates, your Domain Controllers automatically enroll for a certificate. The template used is DomainController, a version 1 (V1) template that has been around since the Windows 2000 days.

[screenshot: Domain Controller certificate issued from the DomainController template]

But what if you want to assign a different certificate based on the most recent template designed for DCs, KerberosAuthentication? Easy, you would think, given that the DCs have this built-in autoenrollment capability. All you would need to do is unpublish the old DomainController template, publish the new KerberosAuthentication template, ensure that DCs have Autoenroll permission on it and then run certutil -pulse on the DCs. Right? Wrong. It is not that straightforward. From what I have managed to infer (no one will give me a definitive answer) the built-in autoenrollment of Domain Controllers is tied specifically to the legacy DomainController template and will not work with any other. Two facts fit that observation: DomainController is a V1 template (V1 templates cannot be edited, only duplicated), whereas KerberosAuthentication is a V2 template, and V2 and later templates are only autoenrolled when the Certificate Services Client auto-enrollment policy is enabled for the computer. That is why the procedure below needs a GPO step.

The only way I have been able to get the DCs to autoenroll for a certificate based on the KerberosAuthentication template is to follow the steps below.

1. Ensure the Domain Controllers group has Enroll and Autoenroll permissions on the KerberosAuthentication template (it has by default).

[screenshot: Security tab of the KerberosAuthentication template]

2. Modify the properties of the KerberosAuthentication template to add the DomainController, DirectoryEmailReplication and DomainControllerAuthentication templates to its list of superseded templates. This list is what tells autoenrollment to replace, and then remove, the certificates that were issued from those templates.

[screenshot: Superseded Templates tab of the KerberosAuthentication template]

3. Publish the KerberosAuthentication template on the CA (Certificate Templates, New, Certificate Template to Issue).

4. Modify a GPO linked to the Domain Controllers OU to enable the Certificate Services Client – Auto-Enrollment setting (Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies). Set the Configuration Model to Enabled and tick both “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”. The second option is the one that makes the superseded-template list from step 2 take effect.

[screenshot: Certificate Services Client – Auto-Enrollment setting in the Domain Controllers GPO]

[screenshot: Auto-Enrollment properties with Configuration Model set to Enabled and both options ticked]

5. Wait for policy to apply to the DCs (or run gpupdate /force).

6. Run certutil -pulse from an elevated command prompt to trigger autoenrollment immediately rather than waiting for the next scheduled run.

7. Confirm in the local computer certificate store (certlm.msc, or certutil -store My from the command prompt) that a new certificate has been issued from the KerberosAuthentication template and that the old certificate based on the DomainController template has been removed automatically.
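The following script is an added example and is not part of the original post. It ties steps 2, 6 and 7 together on a DC: it checks that the KerberosAuthentication template object in the Configuration partition actually supersedes the three legacy DC templates, lists the certificates in the machine Personal store with the template each was issued from, triggers autoenrollment with certutil -pulse, and then reports whether the KerberosAuthentication certificate is present and the legacy DomainController certificate has gone. It assumes the ActiveDirectory PowerShell module is installed on the DC, that the templates use their default common names, and that the DC can resolve the template OID to its display name (otherwise the script falls back to matching the OID it reads from AD). Run it from an elevated PowerShell prompt after applying the GPO from step 4.

```powershell
# Added example (not from the original post).  Assumptions: RSAT ActiveDirectory
# module present on the DC, default template CNs, run elevated on the DC itself.

function Get-CertTemplateName {
    # Returns the template text stamped into a certificate.  V1 templates carry the
    # template name in the "Certificate Template Name" extension (1.3.6.1.4.1.311.20.2);
    # V2+ templates carry "Certificate Template Information" (1.3.6.1.4.1.311.21.7),
    # which Format() renders as "Template=<display name>(<template OID>), Major Version ...".
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' -contains $ext.Oid.Value) {
            return $ext.Format($false)
        }
    }
    return '(no template extension)'
}

function Get-DcCertInventory {
    # One row per certificate in the machine Personal store.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Template   = Get-CertTemplateName -Cert $_
        }
    }
}

function Get-KerbAuthTemplate {
    # Step 2 check: read the template object from the Configuration partition and warn
    # if any of the three legacy DC templates is missing from msPKI-Supersede-Templates.
    Import-Module ActiveDirectory
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=KerberosAuthentication,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $tpl = Get-ADObject -Identity $dn -Properties msPKI-Supersede-Templates, msPKI-Cert-Template-OID
    $superseded = [string[]]$tpl.'msPKI-Supersede-Templates'
    $expected   = 'DomainController', 'DirectoryEmailReplication', 'DomainControllerAuthentication'
    $missing    = $expected | Where-Object { $superseded -notcontains $_ }
    if ($missing) {
        Write-Warning "KerberosAuthentication does not list as superseded: $($missing -join ', ')"
    }
    return $tpl
}

$kerbTpl = Get-KerbAuthTemplate
$kerbOid = [string]$kerbTpl.'msPKI-Cert-Template-OID'

Write-Host 'Before certutil -pulse:'
Get-DcCertInventory | Format-Table Template, Subject, NotAfter, Thumbprint -AutoSize

# Step 6: kick the autoenrollment task now instead of waiting for its schedule.
# It runs asynchronously, so allow it a few seconds before re-reading the store.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

$after = Get-DcCertInventory
Write-Host 'After certutil -pulse:'
$after | Format-Table Template, Subject, NotAfter, Thumbprint -AutoSize

# Step 7: match the V2 template either by its resolved display name or, if the DC could
# not resolve it, by the template OID read from AD; match the V1 template by its name.
$kerb   = $after | Where-Object { $_.Template -match 'Kerberos ?Authentication' -or
                                  ($kerbOid -and $_.Template -like "*$kerbOid*") }
$legacy = $after | Where-Object { $_.Template -eq 'DomainController' }

if ($kerb -and -not $legacy) {
    Write-Host 'OK: KerberosAuthentication certificate issued and legacy DomainController certificate removed.'
} elseif ($kerb) {
    Write-Warning ('KerberosAuthentication certificate issued but the DomainController certificate is still present. ' +
                   'Check that "Update certificates that use certificate templates" is ticked in the auto-enrollment ' +
                   'GPO and that DomainController is listed as superseded on the template.')
} else {
    Write-Warning ('No KerberosAuthentication certificate yet. Check Enroll/Autoenroll permissions on the template, ' +
                   'that it is published on the CA, and the CertificateServicesClient-AutoEnrollment events in the Application log.')
}
```

The inventory deliberately reads the template extension rather than trusting the certificate subject or friendly name, because a DC certificate from the V1 and V2 templates can have an identical subject; the extension is the only reliable way to tell which template issued it, and it is also what the CA uses when it processes supersedence.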

8 thoughts on “Replacing legacy Domain Controller Certificates”

  1. Christian Schindler

    I recently set up a new DC based on Windows Server 2012. It seems that Microsoft did change the behavior for automatic cert enrollment in 2012: I didn’t modify the Kerberos Auth. Template at all, but my new DC automatically enrolled a cert based on this template (in addition to “Domain Controller” and “Directory Replication”). Christian

    1. admin (post author)

      Hi Christian

      That’s interesting. I have just tested this in my 2012 lab environment and my DC certificate was issued using the legacy DomainController template. I wonder whether the template used depends on the cryptographic provider and hash algorithms chosen during the CA setup? I simply used the defaults.

      Tony
  2. habibalby

    Hello,
    I don’t have KerberosAuthentication under my 2003 CA Certificate Templates. How can I bring that in? I need it for LDAP / SSL authentication, where an Oracle Web Server will authenticate against domain controllers.

    I do have two certificates issued from the same server on both DCs.

    Any help?
  3. Andreas Lundgren

    @Christian – Do you perhaps have Certification Auto-Enrollment enabled somewhere in your GPOs? Otherwise the domain controller defaults to only requesting, just as Tony says, a simple DomainController certificate.

    /A

  4. Peter Siffredi

    Interesting, I’m seeing exactly this behaviour. I’ve:
    – installed a new 2012 DC
    – loaded a duplicate domain controller template
    – removed the old domain controller templates from my 2003 CA
    – ran a gpupdate on my DC

    At no point does my DC pick up a cert from the new DC, but I can manually enroll for one

  5. Andreas Lundgren

    Peter, when you duplicated the domain controller template it got upgraded to a newer version (more than v1, which is what the old one was and what is apparently used for assigned certificates) – thus it will not be used by the domain controllers UNLESS you enable certificate auto-enrollment.

    /A
