Hi,

I have installed a created a CA on one of our DC's to make it accept LDAPS connections (not nessasarily recommended I know).

It has worked and that DC has a one year certificate - will this be automatically renewed.

How can I get a certificate on our other DC - I had assumed it would also get one automatically?

If you install an Enterprise Root/Subordinate CA, it is automatically published into Active Directory. Normally you would need to configure a Certificate Template and GPO with Certificate Autoenrollment enabled to have your clients automatically request/renew a computer certificate.

But your Domain Controllers will automatically enroll a Domain Controller / Domain Controller Authentication certificate. And it wil also be renewed automatically.

Ok your reply is how I understood it...However I have 2 DC's: 1 with the CA installed on it it and another that is the PDC. The other (the PDC) is not receiving a certificate...? Is this normal?

I should also add that the DC which is the CA is running 2008 R2 and the PDC is 2012.

Tried doing it manually on the other DC and it was failing. I have now put authenticated users and interactive into the built in users group and it works fine, so I expect if I hadn't done it manually it would just download a cert fine?? What do you think?

Hi John555444,

Please refer the following related KB to confirm your GPO has configured correct,

AD CS: Computer autoenrollment should be enabled when an enterprise CA is installed

https://technet.microsoft.com/en-us/library/dd379529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

The similar thread:

Domain Controller template auto-enrolled by DC

https://social.technet.microsoft.com/Forums/windowsserver/en-US/87667cb8-dfab-4835-9733-b2d968ae8f3c/domain-controller-template-autoenrolled-by-dc

Im glad to be of help to you!