Domain controller certificate renewal - full reboot required??
EDIT: TS: if the service that has the certificate bound does not recycle at some point after a new certificate is delivered (or there is support for it in the service using the certificate), the old certificate will continue to be used (as it is cached). So the service needs to be able to automatically detect the certificate change, or a "manual" recycle is the only option to get it to pick up the new one. Or, as in some applications, one has to enter the management console to choose the new certificate.
February 1st, 2012 10:20am

All of our DCs have received their TLS certificates via autoenrollment for several years. Recently, someone in the directory services group complained that a service outage occurred because of an expired DC certificate and that, although the DC had a new certificate, it was still presenting the old, expired one. He explained that he is now rebooting the DCs every time they get a new cert. Can someone comment on that? Is rebooting really necessary? Is there a service we can recycle instead?
February 4th, 2012 2:27pm

I would try recycling Netlogon. - Brian
February 4th, 2012 3:16pm

I would try recycling Netlogon. - Brian

Has this not changed with W2k8? In 2003, triggering autoenroll was tied to Netlogon and GPO refresh (not as part of GPO, but it was triggered to start just after a refresh). As of W2k8 all this seems to be a scheduled task, and I'm not sure what triggers it anymore. On W2k8 servers I have also observed that autoenrollment sometimes does not trigger before a reboot (I have not tried recycling Netlogon on these). Just curious if the shift in W2k8 also changed the trigger events for autoenrollment?
February 5th, 2012 2:26am
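The outage described in this thread comes down to a gap between two things: the newest certificate sitting in the DC's machine store, and the certificate the DC is actually presenting on the wire. The following PowerShell script is an added example (not code from the thread or from any of its posters) that measures that gap on a DC over LDAPS (TCP 636) and, with -Reload, tries the least disruptive fixes before anyone recycles Netlogon or reboots. It assumes it is run on the DC itself in an elevated session; the FQDN dc01.example.com is a placeholder. The renewServerCertificate rootDSE operation it uses is documented in MS-ADTS but is not mentioned anywhere in the thread.

```powershell
# Added example, not code from the thread: compare the newest Server Authentication
# certificate in the DC's machine store with the one the DC actually presents on
# LDAPS (TCP 636). Run on the DC itself in an elevated PowerShell session.
param(
    [string]$DC = "dc01.example.com",   # placeholder: the DC's own FQDN (must match the cert's subject/SAN)
    [switch]$Reload                     # also pulse autoenrollment and ask LDAP to reload its cert
)

function Get-NewestServerAuthCert {
    # Server Authentication EKU = 1.3.6.1.5.5.7.3.1; autoenrolled DC certs carry it.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-PresentedLdapsCert {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server cert: the goal is to see what is presented, not to trust it.
        $acceptAll = { param($s, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Invoke-LdapsCertReload {
    param([string]$HostName)
    # certutil -pulse asks the autoenrollment task to run now instead of waiting for its trigger.
    certutil -pulse | Out-Null
    # A rootDSE modify of renewServerCertificate (MS-ADTS) tells the DC's LDAP server to
    # re-read its server certificate without restarting any service.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($HostName)
    $conn.Bind()   # current (admin) credentials
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = 'renewServerCertificate'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    $mod.Add('1') | Out-Null
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = ''           # empty DN = rootDSE
    $req.Modifications.Add($mod) | Out-Null
    $conn.SendRequest($req) | Out-Null
}

$inStore = Get-NewestServerAuthCert
if (-not $inStore) { throw "No Server Authentication certificate with a private key in LocalMachine\My" }
$presented = Get-PresentedLdapsCert -HostName $DC

"Newest in store  : {0} (expires {1})" -f $inStore.Thumbprint, $inStore.NotAfter
"Presented on 636 : {0} (expires {1})" -f $presented.Thumbprint, $presented.NotAfter

if ($presented.NotAfter -lt (Get-Date)) {
    Write-Warning "The DC is presenting an EXPIRED certificate."
}
if ($presented.Thumbprint -ne $inStore.Thumbprint) {
    Write-Warning "Presented certificate differs from the newest one in the store: LDAP is still using the cached (old) certificate."
    if ($Reload) {
        Invoke-LdapsCertReload -HostName $DC
        Start-Sleep -Seconds 5
        $presented = Get-PresentedLdapsCert -HostName $DC
        "After reload     : {0} (expires {1})" -f $presented.Thumbprint, $presented.NotAfter
    }
}
```

Run it on each DC after a renewal cycle. If the two thumbprints match, nothing needs recycling. If they differ, the service holding the old certificate is caching it, exactly as the EDIT above describes; -Reload covers the LDAP case without a restart, and only if the thumbprints still differ afterwards is a Netlogon recycle or reboot worth considering. Other services that bind DC certificates (anything outside LDAP) cache independently and need their own check.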
