Domain Controller template auto-enrolled by DC
I have just installed AD CS on a member server and set it as the root/enterprise CA. There are no auto-enroll settings under "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment" in group policy for the Default Domain Policy or the Default Domain Controllers Policy; however, my domain controller auto-enrolled for a certificate. It used the "Domain Controller" certificate template.
I have run RSoP on my DC and found a couple of interesting settings applied by the Default Domain Controllers Policy. These are all under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options":
"Domain member: Digitally encrypt or sign secure channel data (always)" - Enabled
"Microsoft network server: Digitally sign communications (if client agrees)" - Enabled
"Microsoft network server: Digitally sign communications (always)" - Enabled
So, I'm curious whether my DC is auto-enrolling the "Domain Controller" template because of these settings. If not, where else can I look to see what is causing my DC to auto-enroll this certificate?
TIA.
March 2nd, 2011 8:30am
Fredrik,
You seem to be very knowledgeable in this area. Issues with autoenrollment have brought me here. 3 of my 4 DCs enrolled fine and were issued the V1 certificate. The last DC (PDC, RID, and IM) is throwing RPC unavailable errors. I now realize that I was using the old hard-coded ACR since I never configured a group policy. I have done a lot of troubleshooting here, but I am realizing that I should probably just stop now and set up an AutoEnroll group policy with the newer V2 templates. Do you know of a reason why I would be having trouble with just 1 of my 4 DCs using the old ACR method? Will there be any problems implementing the V2 templates since the V1 templates have already been downloaded (I assume not)? Thank you in advance.
Rob
May 2nd, 2012 5:04pm
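Both posts come down to the same diagnostic question: which template actually issued the DC's certificate, and whether it arrived through a GPO you configured or through the legacy hard-coded ACR behaviour that Rob mentions. As an added example (PowerShell, not code from either poster), the script below reads the template extension from every certificate in the machine store, reports whether a "Certificate Services Client - Auto-Enrollment" policy value and any policy-delivered ACR entries are present on the client, and pings the CA to separate an enrollment-policy problem from the plain RPC reachability problem Rob's fourth DC is showing. The CA config string is a hypothetical placeholder; replace it with your own CA.

```powershell
# Added example (not from either post). Run in an elevated PowerShell on the DC.
# Reports which AD CS template issued each machine certificate, whether an
# auto-enrollment GPO is actually applied, and whether any policy-delivered
# Automatic Certificate Request (ACR) entries exist on this machine.

# Extension OIDs that carry the template identity:
#   1.3.6.1.4.1.311.20.2  Certificate Template Name (V1 templates, e.g. "DomainController")
#   1.3.6.1.4.1.311.21.7  Certificate Template Information (V2 and later: template OID + version)
$templateOids = @{
    '1.3.6.1.4.1.311.20.2' = 'V1'
    '1.3.6.1.4.1.311.21.7' = 'V2+'
}

function Get-MachineCertTemplates {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ext  = $cert.Extensions | Where-Object { $templateOids.ContainsKey($_.Oid.Value) }
        # Format($false) decodes the ASN.1 payload: the V1 extension yields the template's
        # common name, the V2 one yields "Template=<OID>, Major Version Number=..., Minor Version Number=..."
        $templateText = if ($ext) {
            ($ext | ForEach-Object { "$($templateOids[$_.Oid.Value]): $($_.Format($false))" }) -join '; '
        } else {
            '(no template extension: not issued from an enterprise CA template)'
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Template   = $templateText
        }
    }
}

function Get-AutoEnrollmentPolicyState {
    # The "Certificate Services Client - Auto-Enrollment" GPO setting is written here.
    # Missing key = Not Configured; 0x8000 = Disabled; bits 0x1 and 0x2 correspond to the
    # two check boxes (renew/update pending/remove revoked, and update templates).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    if (-not (Test-Path $key)) { return 'Not Configured (no GPO value applied)' }
    $v = (Get-ItemProperty $key).AEPolicy
    if ($null -eq $v) { return 'Key present but AEPolicy not set' }
    if ($v -band 0x8000) { return ('Disabled (AEPolicy=0x{0:X})' -f $v) }
    return ('Enabled (AEPolicy=0x{0:X})' -f $v)
}

function Get-PolicyAcrEntries {
    # GPO "Automatic Certificate Request Settings" are delivered to the client as CTL
    # objects in the policy ACRS store. No entries here, yet a Domain Controller
    # certificate present, points at the built-in DC behaviour rather than a GPO you set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ACRS\CTLs'
    if (Test-Path $key) { (Get-ChildItem $key).PSChildName } else { @() }
}

Get-MachineCertTemplates | Format-Table -AutoSize
"Auto-enrollment GPO: $(Get-AutoEnrollmentPolicyState)"
$acrs = Get-PolicyAcrEntries
"Policy-delivered ACR entries: $(if ($acrs) { $acrs -join ', ' } else { 'none' })"

# Can this DC reach the CA over RPC at all, and which templates does the CA publish?
$caConfig = 'CA01.corp.example\Corp-Root-CA'   # hypothetical placeholder, use your CA's config string
certutil -ping -config $caConfig
certutil -CATemplates -config $caConfig
```

If the table shows a certificate whose template reads "V1: DomainController" while the GPO state is Not Configured and no ACR entries are listed, the certificate did not come from anything you configured in group policy. If certutil -ping fails on one DC but not the others, the enrollment failure on that DC is a connectivity or DCOM/RPC problem to the CA, not a template or policy problem.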