Certificate Authority LDAPS


I have installed and created a CA on one of our DCs to make it accept LDAPS connections (not necessarily recommended, I know).

It has worked and that DC has a one-year certificate - will this be automatically renewed?

How can I get a certificate on our other DC - I had assumed it would also get one automatically?

May 30th, 2015 3:34am

If you install an Enterprise Root/Subordinate CA, it is automatically published into Active Directory. Normally you would need to configure a Certificate Template and GPO with Certificate Autoenrollment enabled to have your clients automatically request/renew a computer certificate.

But your Domain Controllers will automatically enroll a Domain Controller / Domain Controller Authentication certificate. And it will also be renewed automatically.

May 30th, 2015 11:12am

OK, your reply is how I understood it... However I have 2 DCs: 1 with the CA installed on it and another that is the PDC. The other (the PDC) is not receiving a certificate...? Is this normal?
May 30th, 2015 11:18am

I should also add that the DC which is the CA is running 2008 R2 and the PDC is 2012.
May 30th, 2015 11:22am

Tried doing it manually on the other DC and it was failing. I have now put Authenticated Users and Interactive into the built-in Users group and it works fine, so I expect if I hadn't done it manually it would just download a cert fine?? What do you think?
May 30th, 2015 12:07pm

Hi John555444,

Please refer to the following related KB to confirm your GPO has been configured correctly:

AD CS: Computer autoenrollment should be enabled when an enterprise CA is installed


A similar thread:

Domain Controller template auto-enrolled by DC


I'm glad to be of help to you!

June 2nd, 2015 11:07pm
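The two replies above make three claims that are easy to check on the DC itself: that a Domain Controller / Domain Controller Authentication certificate has been enrolled into the machine store, that autoenrollment policy is not blocking renewal, and that the LDAPS listener on TCP 636 actually presents that certificate. The following PowerShell is an added example and is not code from this thread or from Microsoft; it assumes it is run in an elevated prompt on the DC, and that the DC's own FQDN is the name to test (`$DcFqdn` is derived from the hostname and can be replaced with another DC's name). The certificate-validation callback in step 3 deliberately accepts any certificate so the handshake completes and the presented certificate can be inspected; it is not how a real LDAPS client should behave.

```powershell
# Added example, not from the thread above. Run in an elevated PowerShell on the DC.
# (1) lists machine certificates that Schannel could use for LDAPS and the template that issued them,
# (2) reads the machine autoenrollment policy that the KB link refers to,
# (3) opens a TLS session to port 636 to see which certificate the DC actually presents.
# Assumption: the local DC's FQDN is the LDAPS name to test; change $DcFqdn to test another DC.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'                                  # Server Authentication EKU
$TemplateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')   # V1 template name / V2 template info

# --- 1. Certificates in LocalMachine\My usable for LDAPS (private key + Server Authentication EKU) ---
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthEku })
})
if ($candidates.Count -eq 0) {
    Write-Warning 'No Server Authentication certificate with a private key in LocalMachine\My; LDAPS cannot start.'
}
foreach ($cert in $candidates) {
    # The template extension names the template (e.g. DomainController / Domain Controller Authentication)
    $template = ($cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } |
                 ForEach-Object { $_.Format($false) }) -join '; '
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Template   = $template
        Thumbprint = $cert.Thumbprint
    } | Format-List
}

# --- 2. Machine autoenrollment policy (GPO: Certificate Services Client - Auto-Enrollment) ---
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
if ($ae -eq $null) {
    'AEPolicy is not set by GPO (Not Configured); autoenrollment runs with the default behaviour.'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning 'AEPolicy has the Disabled bit (0x8000) set; the DC will not request or renew certificates by itself.'
} else {
    "AEPolicy = 0x{0:X} (enabled; 7 means renew/update/remove plus template updates are ticked)." -f $ae.AEPolicy
}
# To trigger an enrollment pass now instead of waiting for the next policy refresh:  certutil -pulse

# --- 3. Does the LDAPS listener answer, and with which certificate? ---
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
    # Callback returns $true only so the handshake completes and the presented cert can be read.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($DcFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS on ${DcFqdn}:636 presented '$($presented.Subject)' issued by '$($presented.Issuer)', " +
    "valid until $($presented.NotAfter), protocol $($ssl.SslProtocol)"
} catch {
    Write-Warning "LDAPS handshake with ${DcFqdn}:636 failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}
```

Run it on the DC that is not getting a certificate: if step 1 lists nothing and step 2 shows the Disabled bit, the GPO is the cause; if step 2 is Not Configured or enabled and step 1 is still empty, look at the Domain Controller Authentication template's enrollment permissions and the CA's issued/failed request logs after a `certutil -pulse`. The thumbprint from step 1 should match the certificate reported in step 3; if it does not, Schannel is picking a different certificate from the store than the one you expected.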


This has just confused things further. As far as I was aware from the earlier post, Domain Controllers should get their certs automatically and don't need autoenrollment settings. I don't want certs on our PCs, just our DCs, to make use of LDAPS for third-party applications.

Kind Regards,


June 3rd, 2015 3:43am
