Domain Controller template auto-enrolled by DC
I have just installed AD CS on a member server and set it as the root/enterprise CA. There are no auto-enroll settings under "Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment" in group policy for the Default Domain Policy or the Default Domain Controllers Policy; however, my domain controller auto-enrolled for a certificate. It used the "Domain Controller" certificate template. I have run rsop on my DC and found there are a couple of interesting settings applied by the Default Domain Controllers Policy. These are all under "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options":

"Domain member: Digitally encrypt or sign secure channel data (always)" - Enabled
"Microsoft network server: Digitally sign communications (if client agrees)" - Enabled
"Microsoft network server: Digitally sign communications (always)" - Enabled

So, I'm curious if my DC is auto-enrolling the "Domain Controller" template because of these settings. If not, where else can I look to see what is causing my DC to auto-enroll this certificate? TIA.
March 2nd, 2011 8:30am

DCs are hard configured to enroll this V1 certificate template through Automatic Certificate Request Settings. It is something that is just "turned on".

Brian
March 2nd, 2011 10:19am

DCs are hard configured to enroll this V1 certificate template through Automatic Certificate Request Settings. It is something that is just "turned on"

A good thing to clarify is that the ACR for the "Domain Controller" template is NOT in the Default Domain Controllers Policy, but hard-coded into the OS, just as you say. The "Domain Controller" template is superseded by the "Domain Controller Authentication" template and the "Directory Email Replication" template, and all DCs will enroll for those templates instead of the old Domain Controller template as soon as autoenrollment gets configured for the DCs. When that is configured, no DC will enroll certificates using the old Domain Controller template anymore, but will get certificates according to the templates "Domain Controller Authentication", "Directory Email Replication" and "Kerberos Authentication" using auto-enrollment. This requires, of course, that the superseding templates are available on the CA! ;)

// Fredrik "DXter" Jonsson - http://www.poweradmin.se
March 2nd, 2011 11:01am

Fredrik, you seem to be very knowledgeable in this area. Issues with autoenrollment have brought me here. 3 of my 4 DCs enrolled fine and were issued the V1 certificate. The last DC (PDC, RID, and IM) is throwing RPC unavailable errors. I now realize that I was using the old hard-coded ACR since I never configured a group policy. I have done a lot of troubleshooting here, but I am realizing that I should probably just stop now and set up the AutoEnroll group policy with the newer V2 templates. Do you know of a reason why I would be having trouble with just 1 of my 4 DCs using the old ACR method? Will there be any problems implementing the V2 templates since the V1 templates have already been downloaded (I assume not)? Thank you in advance.

Rob
May 2nd, 2012 5:04pm
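Fredrik's answer says the old V1 "Domain Controller" template is enrolled by the hard-coded ACR and is superseded by the V2 templates once autoenrollment GPO is in place, and Rob asks whether the existing V1 certificates will cause problems. The script below is an added example, not from any poster in this thread: run on a DC, it lists the machine's certificates and reports which template each came from, so you can see whether V1 "DomainController" certificates are still present or whether the superseding V2 templates have taken over. It assumes only the two standard Microsoft template extension OIDs and the built-in Cert: drive; the column names are my own.

```powershell
# Added example (not from the thread): inventory the local machine's certificates
# by the AD CS template they were issued from. Read-only; run elevated on the DC.

$V1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # szOID_ENROLL_CERTTYPE_EXTENSION: V1 template name
$V2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE: V2 template OID + version

function Get-CertTemplateInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $v1 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $V1TemplateNameOid } | Select-Object -First 1
    $v2 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $V2TemplateInfoOid } | Select-Object -First 1

    if ($v2) {
        # Format($false) renders the V2 extension as text, e.g.
        # "Template=Domain Controller Authentication(1.3.6.1.4.1.311.21.8....), Major Version Number=110, ..."
        # If the template OID cannot be resolved from AD, the name position holds the raw OID instead.
        $text = $v2.Format($false)
        $name = if ($text -match 'Template=([^(,]+)') { $Matches[1].Trim() } else { $text }
        return [pscustomobject]@{ Version = 'V2'; Template = $name }
    }
    if ($v1) {
        # The V1 extension carries only the template's internal name, e.g. "DomainController".
        return [pscustomobject]@{ Version = 'V1'; Template = $v1.Format($false).Trim() }
    }
    return [pscustomobject]@{ Version = 'none'; Template = '(no template extension; not AD CS enrolled)' }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $info = Get-CertTemplateInfo -Cert $_
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Version    = $info.Version
        Template   = $info.Template
        # True for certificates from the hard-coded ACR's V1 template; after the
        # autoenrollment GPO with the superseding V2 templates applies, no new ones should appear.
        LegacyV1DC = ($info.Version -eq 'V1' -and $info.Template -eq 'DomainController')
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

A DC that still shows only a LegacyV1DC certificate after the GPO has been applied has not picked up the V2 templates yet; the Microsoft-Windows-CertificateServicesClient-AutoEnrollment event log on that DC is where the enrollment attempt and its error are recorded.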

This topic is archived. No further replies will be accepted.
