Domain Controller autoenrolment
From my experience, when setting up a new CA (with all default templates published) Domain Controllers automatically acquire a certificate from the CA based on the V1 DomainController template. I am in the process of testing the replacement of an old Enterprise CA with a new PKI infrastructure. As part of this I am planning to revoke the old DC certificates and would like the DCs to then automatically acquire a certificate from the new issuing CAs. To do this I have created a duplicate template from the DomainControllerAuthentication V2 template and have set security to allow DCs to enrol and autoenrol. However, in my lab environment the DCs don't automatically acquire this certificate. I can manually request the certificate with no issues, but I would like this to be an automatic process for when certificates expire or when new DCs come online. What am I missing? I've looked for documentation on how DCs automatically acquire certificates but have not found anything useful.

Alexei
October 15th, 2012 3:32pm

> However, in my lab environment the DCs don't automatically acquire this certificate

This is because DCs don't know whether this is the right template.

> To do this I have created a duplicate template from the DomainControllerAuthentication V2

You don't need to do that. Instead, you should use one of the predefined templates: Domain Controller Authentication or Kerberos Authentication. Domain controllers automatically enroll certificates based on these templates if necessary.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
October 16th, 2012 12:59am

You shouldn't revoke the certificate. Instead, you should delete the existing certificate and force the autoenrollment trigger.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 7:31am

Hi Vadims

Thanks for the response. I've just carried out a whole lot of testing in my lab. The only way I can get DCs to automatically acquire a new cert is to publish the DomainController V1 template from the old CA. The following tests failed to result in the DC automatically acquiring a new cert:

- Publish DomainControllerAuthentication template on old CA
- Publish DomainControllerAuthentication template on new CA
- Publish KerberosAuthentication template on old CA
- Publish KerberosAuthentication template on new CA
- Publish DomainController template on new CA

My method for testing was to first revoke any previous certs issued to the DC, publish the CRL, delete the cert manually from the DC and then reboot. Any thoughts on why this is happening? Again, my goal is simply to have the DCs automatically acquire a new cert based on the DomainControllerAuthentication V2 template.

Alexei
November 3rd, 2012 10:09am

Thanks for the response Vadims. I have a workaround to the problem. Basically, I have to enable the "Certificate Services Client - Auto-Enrollment" in Group Policy and apply this setting to the DCs (see below). With this setting in place (and with the legacy templates added to the superseded list in the KerberosAuthentication template) the old cert gets automatically updated with a new one based on the KerberosAuthentication template. From this it seems as if the built-in auto-enrollment behaviour only ever targets the V1 template. Are you able to confirm whether this is in fact the case?

Alexei
November 3rd, 2012 12:52pm

I think, yes. Since I always enable autoenrollment policy (even if it is not used at this point), I can't tell about exact behavior. But I guess that this is the case, because DCs have autoenrollment permissions on new V2 templates.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
November 3rd, 2012 1:20pm

Thanks Vadims

Alexei
November 3rd, 2012 2:28pm

If you *really* wanted, you could publish a new template and mark the old DomainController template as superseded. Then you must right-click the new template and choose "Re-enroll certificate holders" (assuming the DCs have an autoenrolled certificate from the old template). Or try "certutil -pulse" on the DC.
November 3rd, 2012 3:17pm

Hi Anders

Already tried that. The DCs still won't auto-enroll against a new template using the built-in mechanism. It seems the mechanism is tied to the V1 templates.

Alexei
November 3rd, 2012 3:39pm
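The two things the thread keeps coming back to are (a) which template each DC certificate was actually issued from (V1 DomainController versus the V2 DomainControllerAuthentication / KerberosAuthentication templates) and (b) whether the "Certificate Services Client - Auto-Enrollment" policy is in effect before running "certutil -pulse". The PowerShell below is an added example written for this thread, not code posted by any of the participants or shipped with Windows; it reads the machine store on a DC, reports the issuing template by parsing the certificate template extensions, inspects the AEPolicy registry value that the Group Policy setting writes, and optionally triggers the autoenrollment pass. The function names are my own, and the bit layout of AEPolicy (0x2 and 0x4 for the two checkboxes, 0x8000 for "Disabled") is stated as an assumption in the comments; verify it against your own GPO before relying on it. Run in an elevated session on the DC.

```powershell
# Added example for this thread (not from the original posts or from Microsoft).
# Inventories Cert:\LocalMachine\My by issuing template, checks the Auto-Enrollment
# policy registry value, and optionally runs "certutil -pulse" as suggested above.

function Get-IssuingTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V2+ templates carry the "Certificate Template Information" extension
    # (1.3.6.1.4.1.311.21.7); V1 templates such as DomainController carry the older
    # "Certificate Template Name" extension (1.3.6.1.4.1.311.20.2).
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # Format() renders e.g. "Template=Kerberos Authentication(1.3.6...), Major Version Number=110, ..."
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { return ($Matches[1].Trim() + ' [V2+]') }
                return $text
            }
            '1.3.6.1.4.1.311.20.2' {
                return ($ext.Format($false).Trim() + ' [V1]')
            }
        }
    }
    return '<no template extension: not issued from a template>'
}

function Get-DcCertificateInventory {
    # One row per machine certificate: which template it came from and when it expires.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Template   = Get-IssuingTemplateName -Cert $_
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    }
}

function Test-AutoEnrollmentPolicy {
    # The GPO "Certificate Services Client - Auto-Enrollment" (Computer Configuration)
    # writes HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy.
    # ASSUMPTION (from my own reading of the value, not from the thread):
    #   0x2    = "Renew expired certificates, update pending certificates, and remove revoked certificates"
    #   0x4    = "Update certificates that use certificate templates"
    #   0x8000 = policy set to Disabled
    # A missing value means the policy is Not Configured.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Configured = $false; Enabled = $false; RenewExpired = $false; UpdateTemplates = $false; Raw = $null }
    }
    $raw = [int]$item.AEPolicy
    [pscustomobject]@{
        Configured      = $true
        Enabled         = (($raw -band 0x8000) -eq 0)
        RenewExpired    = (($raw -band 0x2) -ne 0)
        UpdateTemplates = (($raw -band 0x4) -ne 0)
        Raw             = ('0x{0:X}' -f $raw)
    }
}

function Invoke-AutoEnrollmentPulse {
    # Equivalent to typing "certutil -pulse" on the DC; returns certutil's exit code.
    & certutil.exe -pulse | Out-Null
    return $LASTEXITCODE
}

# Usage:
Get-DcCertificateInventory | Sort-Object NotAfter | Format-Table -AutoSize
$policy = Test-AutoEnrollmentPolicy
$policy | Format-List
if ($policy.Enabled -and $policy.UpdateTemplates) {
    Write-Host ('certutil -pulse exit code: {0}' -f (Invoke-AutoEnrollmentPulse))
} else {
    Write-Warning 'Auto-Enrollment policy is not enabled with "Update certificates that use certificate templates"; a pulse will not pick up the superseding template.'
}
```

Running the inventory before and after the pulse shows directly whether the old V1 DomainController certificate has been replaced by one from the superseding template, which is the check the workaround above relies on.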

