DC keeps on autoenrolling old Certificate

Hello,
I've recently implemented a Windows 2012 PKI infrastructure using an Enterprise CA. This was to replace my 2003 Enterprise CA. The old 2003 CA had the following setup:

2003CA
- domain joined root enterprise issuing CA on 2003 SP 2
- A combination of default and custom certificate templates loaded.
- Default templates loaded: Domain controller authentication, Directory Email Replication and Domain Controller
- Certificate information published to AD, including AIAs and CDP

2012CA (New PKI)
- offline non domain joined root CA on Windows 2012
- Subordinate domain joined enterprise issuing CA running Windows 2012
- Only HTTP being used for AIA and CDP locations
- Enterprise CA can be found in AD using sites and services container, but the root CA has been distributed using a GPO and not "dspublish"

I've successfully created a copy of the computer certificate template and computers are autoenrolling, but my DCs are not autoenrolling. I have tried the following on DCA to ensure that my 2008 DCs automatically pick up the correct certificate:

 - Deleted the certificate templates for DomainController, Domain Controller Authentication and Directory Email Replication from my 2003CA

- Loaded custom copies of DomainController, Domain Controller Authentication and Kerberos Authentication on my 2012IssuingCA, as well as the default Kerberos authentication on my 2012IssuingCA

- Ensured that Domain Controllers and Enterprise DCs have read and Enroll permissions on 2012IssuingCA

- The default domain GPO is configured to allow auto renewal of certs

- Deleted the 2003 DomainController cert from DCA. Ran "gpupdate /force" and "certutil -pulse" a dozen times on DCA, but at no point does DCA pickup a cert from my new CA.

If I re-enable the certificate templates on my old CA, DCA automatically picks up a new cert. I've tried the supersedence tick as mentioned here, but that fails: http://www.open-a-socket.com/index.php/2012/11/21/replacing-legacy-domain-controller-certificates/#comment-18410

Event logs show certificate information

Informational - Certificate enrollment for Local system successfully load policy from policy server
Informational - Certificate enrollment for Local system is successfully authenticated by policy server {F272DA51-8D9D-442E-8D7E-72BBF9C0E6CE}
Error - Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from contoso.com\Contoso Old Enterprise CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

I can manually enroll the DC certs without an issue, but that's not what I want.

Thanks in advance

January 29th, 2015 6:47pm

No reply. OK, if someone can point me in the right direction for 2008 R2 DomainController Certificate Template auto enrollment configuration and permission settings from a Windows 2012 CA, that would be helpful...

Cheers

January 30th, 2015 3:33am

Hi,

Ensured that Domain Controllers and Enterprise DCs have read and Enroll permissions on 2012IssuingCA

Please add Auto-Enroll permission on necessary Certificate Templates.

Best Regards,

January 30th, 2015 12:35pm

Ah, this is an easy one. Domain Controllers by default are configured to work only with the V1 Domain Controller template. When you create your own template, it cannot be a V1 template, so you can no longer use/rely on the built-in DC process to enroll. You will need to mark your new template to enable AUTO ENROLL for the Enterprise Domain Controllers group, and then you will need to modify the Default DOMAIN CONTROLLERS GPO - note this is NOT the same as the Default Domain policy. In the GPO you will need to enable the Auto Enroll feature for computer objects. Your new template with Auto Enroll will then be picked up.

Also, there is no need to have all three templates - Domain Controller, Domain Controller Authentication and Kerberos Authentication - on the CA. They all provide practically the same thing for DCs. If you use the Kerberos Authentication one, you don't need the other two.

February 1st, 2015 9:03pm
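The fix described above (an Autoenroll ACE for Enterprise Domain Controllers on the V2 template copy, computer autoenrollment switched on in the Default Domain Controllers Policy rather than the Default Domain Policy, then a pulse on the DC) as a PowerShell script, with the checks a practitioner would run first. This is an added example, not code from the thread or from Microsoft; it assumes RSAT (ActiveDirectory and GroupPolicy modules) on the admin workstation, a custom template named KerberosAuthenticationDCs (assumed name), and that the last check's event provider name is the one the CertificateServicesClient-AutoEnrollment events in the thread are logged under.

```powershell
# Added example (not from the thread). Steps 1-4 run on an admin workstation with RSAT;
# step 5 runs on the DC itself. Assumed names: template 'KerberosAuthenticationDCs'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$TemplateName = 'KerberosAuthenticationDCs'                 # assumed name of the V2 copy
$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"
$templateDN   = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"

# 1. Which enterprise CAs does AD still advertise, and which templates does each publish?
#    A leftover pKIEnrollmentService object for the old 2003 CA is why autoenrollment keeps
#    trying to reach it (the 0x800706ba "RPC server is unavailable" error in the thread).
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName, certificateTemplates |
    ForEach-Object { '{0} on {1}: {2}' -f $_.Name, $_.dNSHostName, ($_.certificateTemplates -join ', ') }

# 2. Confirm the template is not V1. Only the built-in Domain Controller template is schema
#    version 1; a copy is V2 or later and therefore needs the explicit Autoenroll ACE and GPO.
$tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Template-Schema-Version'
"Template $TemplateName schema version: $($tpl.'msPKI-Template-Schema-Version')"

# 3. Grant Enroll and Autoenroll to Enterprise Domain Controllers (well-known SID S-1-5-9;
#    it is not a group object, so it cannot be looked up with Get-ADGroup).
#    The two GUIDs are the AD extended rights 'Certificate-Enrollment' and
#    'Certificate-AutoEnrollment'.
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$edcSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'

$acl = Get-Acl -Path "AD:\$templateDN"
foreach ($rightGuid in @($enrollGuid, $autoenrollGuid)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $edcSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Show the resulting ACEs for S-1-5-9 so the Autoenroll grant can be eyeballed.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -eq $edcSid -or $_.IdentityReference -like '*Enterprise Domain Controllers' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# 4. Enable computer autoenrollment in the Default Domain Controllers Policy, NOT the
#    Default Domain Policy. AEPolicy = 7 is the value the GPO editor writes for "Enabled"
#    with both "Renew expired certificates..." and "Update certificates that use
#    certificate templates" ticked.
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 5. On the DC: refresh policy, trigger autoenrollment, then look at what landed in the
#    machine store and what the autoenrollment client logged. OIDs: 1.3.6.1.4.1.311.20.2
#    is the V1 template-name extension, 1.3.6.1.4.1.311.21.7 the V2 template-information one.
gpupdate /target:computer /force
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

If step 1 still lists the old 2003 CA under Enrollment Services, the DC will keep targeting it and report the RPC error even after the template and GPO are right; the Issuer column in step 5 is the quick way to confirm the new cert came from the 2012 issuing CA.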

Thanks Mark - that did the trick!
February 3rd, 2015 5:45am

