"Default Writable Domain Controller" in Certificate Templates Console
We have an Enterprise Root CA running on a 2008 R2 Enterprise machine. I noticed an oddity that raises a question. We have two DCs on the local network. They hold all the FSMO roles between them. They are the primary and secondary DNS servers for the server hosting the CA. One of the local DCs (based on %LOGONSERVER%) is processing authentication for the login console on the CA host. When I first logged in and loaded the Certificate Templates Console, it connected to a DC in the MPLS cloud on the other side of the country. I CAN home the Certificate Templates Console on one of the local DCs manually, but if I try to go back to "Default Writable Domain Controller" it always homes back on the server out west. To be clear, either way, it works fine. If I am connected to the remote server for template management, I have to wait for (or force) replication for the local CA to be able to actually use the modified certificate template, but otherwise, it works as expected. My question becomes, what determines "Default Writable Domain Controller"? All the sites are correctly defined. Replication is working as designed. Why would my local server EVER connect to a server on the other side of a "slow" link when there's a DC sitting on the same network (presumably zero cost)? I'm moderately concerned that there is something amiss in the configuration that I haven't found, and that this is an innocuous symptom of the problem.
September 27th, 2011 1:59pm

I can do that, but next time I get into this, the default is back to what it was. How can I change the DEFAULT Writable Domain Controller? The one it points to is not one that holds the FSMO roles; it is in fact the very first DC I ever installed (many years ago).
January 12th, 2012 11:36am

My question REMAINS: what determines "Default Writable Domain Controller"? In my case, it wasn't even the first DC ever installed. I'm in Detroit; the DC being selected by the Certificate Templates snap-in is in Phoenix!?! This has to be driven by something: it's not alphabetical, it's not numerical (by IP anyway), the "Default..." machine doesn't hold any roles, and isn't patched or updated any differently than the three DCs on the local wire. HECK, IT EVEN HAPPENS WHEN I RUN THE SNAP-IN ON A LOCAL DC.
January 12th, 2012 11:54am

"Right-click the Certificate Templates snap-in, and click Connect to another writable domain controller. Then you can connect to another writable DC." Yeah (as indicated in the original post), I know. But why does it select a remote server as the "Default"?
January 12th, 2012 11:59am

BUMP?
March 21st, 2012 3:31pm

The snap-in uses DsGetDcName and, unfortunately, from the computer you are using, the server you connect to is the one that responded. You cannot set a default DC to connect to. What I always do in consulting engagements is define certificate templates before a coffee break, lunch, or the end of the day: basically, any time that we are going to wait at least 15 minutes before we try to use/publish the certificate templates. This ensures that replication takes place. To be honest, as you have stated, it does not matter which DC you connect to to create the templates. All you need is patience to ensure that replication has occurred before usage. Brian
March 21st, 2012 10:08pm
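The two practical points in Brian's answer (the snap-in simply takes whatever DC the locator returns, and the only real requirement is that the template edit has replicated before the CA uses it) can both be checked from the CA host instead of waiting out a coffee break. The script below is an added example and is not code from the thread or from any Microsoft tool. It assumes the current user can read the Configuration naming context, that every DC in the forest is reachable on LDAP, and that you pass the template's CN (not its display name; 'WebServer' in the usage comment is a placeholder). It uses only the built-in System.DirectoryServices types, so it runs on a 2008 R2 box without the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Assumptions: you can read the
# Configuration NC, all DCs answer LDAP from this box, and $TemplateName is
# the template's CN. Usage: .\Test-TemplateReplication.ps1 -TemplateName WebServer
param(
    [Parameter(Mandatory=$true)] [string]$TemplateName
)

Add-Type -AssemblyName System.DirectoryServices

# 1. What the DC locator hands this machine right now. This is the same
#    DsGetDcName lookup the snap-in relies on. ForceRediscovery skips the
#    cached answer, and SiteName shows whether the DC is even in your site
#    (equivalent command-line check: nltest /dsgetdc:<domain> /force).
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$located = $domain.FindDomainController(
    [System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery)
$mySite  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
'Locator returned {0} (site {1}); this computer is in site {2}' -f `
    $located.Name, $located.SiteName, $mySite

# 2. Read the template object from every DC in the forest. Templates live in
#    the Configuration NC, which is forest-wide, so the pair
#    (revision, msPKI-Template-Minor-Revision) must match on all DCs before
#    the CA's own DC can see your edit. whenChanged is NOT replicated (each
#    DC stamps it locally), so it is shown for orientation only.
$configNc   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$rows = $domain.Forest.Domains | ForEach-Object { $_.DomainControllers } | ForEach-Object {
    $dc = $_
    try {
        $entry = [ADSI]"LDAP://$($dc.Name)/$templateDn"
        New-Object PSObject -Property @{
            DC            = $dc.Name
            Site          = $dc.SiteName
            Revision      = [int]$entry.Properties['revision'].Value
            MinorRevision = [int]$entry.Properties['msPKI-Template-Minor-Revision'].Value
            WhenChanged   = $entry.Properties['whenChanged'].Value
        }
    } catch {
        # Unreachable DC or template not present there yet.
        New-Object PSObject -Property @{
            DC = $dc.Name; Site = $dc.SiteName
            Revision = $null; MinorRevision = $null
            WhenChanged = "ERROR: $($_.Exception.Message)"
        }
    }
}
$rows | Select-Object DC, Site, Revision, MinorRevision, WhenChanged | Format-Table -AutoSize

# 3. Decide whether it is safe to issue against the template yet.
$good     = @($rows | Where-Object { $_.Revision -ne $null })
$versions = @($good | ForEach-Object { '{0}.{1}' -f $_.Revision, $_.MinorRevision } | Sort-Object -Unique)

if ($good.Count -eq @($rows).Count -and $versions.Count -eq 1) {
    "Template '$TemplateName' is at version $($versions[0]) on all $($good.Count) DCs; safe to issue."
} else {
    "Template '$TemplateName' has not converged (versions seen: $($versions -join ', ')). " +
    "Wait for replication or push it now from a DC with: repadmin /syncall /AeP"
}
```

Run it right after saving a template change in the snap-in: step 1 tells you which DC took the edit and where it sits; step 3 turns Brian's "wait at least 15 minutes" into a yes/no answer by comparing the revision counters the template itself carries. The minor revision increments on every edit, so a DC that still shows the old pair has not received the change and a CA homed on it will keep issuing the old template.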

Now THAT'S an MVP worthy response! Thanks Brian
March 21st, 2012 10:29pm

