Is there a default timeout before the domain controller looks up a newly installed CA and enrolls for a KDC cert
So I have a Domain Controller on 2008r2 and a member server 2008r2 (non-DC). I installed an Enterprise CA on the member server. Will the DC, after a particular amount of time, look up the new CA and get the KDC cert, or do I have to explicitly run certutil -pulse? In my earlier experience I remember that the DCs would automagically see the new Enterprise CA and retrieve the domain controller certificate. I just want to know where I can find the settings that would tell me how long before the DC would look for a new Enterprise CA.
April 8th, 2010 1:17am

> Will the DC after particular amount of time look up the new CA and get the KDC or do I have to explicitly run certutil -pulse.

DCs automatically recognize new CAs in the forest. And if it is necessary, automatically obtain Domain Controller Auth. certificate. As far as I remember, DCs will see new CAs at next GP processing period.

http://www.sysadmins.lv
April 8th, 2010 9:41am

I looked more into the GP policy update as you suggested, but it seems that the GP policy update for DCs by default happens every 5 min if not explicitly set. In my case, the DC did not get a new certificate for at least an hour or so. Well, it never got the KDC cert until I used certutil -pulse. I am thinking there might be some other settings out there that need to be modified. I will try to manually set the GP setting for DCs in the GP editor under Computer Configuration\Administrative Templates\System\Group Policy and test it again. Maybe the 5 min default somehow is not being triggered if you have a custom group policy created and enabled.
April 8th, 2010 2:57pm

Try to restart the DC.

http://www.sysadmins.lv
April 8th, 2010 3:13pm

I had restarted the DC, and it had worked, but that is what I am trying to avoid. As in the real world, we won't be able to restart DCs. I am setting up the CA via the VBS script provided by Microsoft in its PKI blog found here: http://blogs.technet.com/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx So basically I am trying to automate the whole process of CA install, issuance of templates and required certs for smart card logon.
April 8th, 2010 3:31pm

So going through the group policies, it seems like the Domain Controller should refresh the group policy every 5 min or so. So basically I enabled both the Default Domain group policy and the Default Domain Controllers group policy and set up a refresh interval of 3 min. Still the DC does not get the certificate. The only way to get the certificate is to either run certutil -pulse or run gpupdate /force on the DC. I am quite sure there has to be another way for the DC to get a DC cert.
April 9th, 2010 1:50am

Domain controllers perform group policy *background* refresh each 5 minutes (by default). So you may have to wait up to 90 minutes when all policies are refreshed in the same manner as gpupdate with /force switch.

http://www.sysadmins.lv
April 9th, 2010 8:56am
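The thread leaves the admin with two ways to get the DC its certificate without a reboot: wait for the autoenrollment pass that follows a Group Policy refresh, or trigger it with certutil -pulse. As an added example (not code from the thread or from Microsoft), the PowerShell below checks whether the DC's machine store already holds a valid certificate with the KDC Authentication EKU, triggers certutil -pulse only when it does not, and then polls the store instead of assuming the asynchronous enrollment succeeded. It assumes it is run elevated on the DC and that the CA publishes the Kerberos Authentication template (the Domain Controller Authentication template does not carry the KDC Authentication EKU, so adjust $TargetEku if that is the template in use).

```powershell
# Added example: verify a KDC Authentication certificate is present on this DC,
# otherwise ask the autoenrollment client to run now (certutil -pulse).
# Assumes: elevated session on the DC; CA publishes the Kerberos Authentication template.
$TargetEku = '1.3.6.1.5.2.3.5'   # KDC Authentication (id-pkinit-KPKdc)

function Test-HasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.37') { continue }   # id-ce-extKeyUsage
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
        foreach ($usage in $eku.EnhancedKeyUsages) {
            if ($usage.Value -eq $Oid) { return $true }
        }
    }
    return $false
}

function Get-KdcCertificates {
    # Machine personal store; keep only certificates that are valid right now.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and (Test-HasEku -Cert $_ -Oid $TargetEku)
    }
}

$found = @(Get-KdcCertificates)
if ($found.Count -gt 0) {
    $found | ForEach-Object { "Already enrolled: $($_.Subject)  expires $($_.NotAfter)  $($_.Thumbprint)" }
    return
}

Write-Host 'No valid KDC Authentication certificate found; triggering autoenrollment with certutil -pulse.'
certutil -pulse | Out-Null

# Autoenrollment runs in the background, so poll the store for up to two minutes.
for ($i = 0; $i -lt 12 -and $found.Count -eq 0; $i++) {
    Start-Sleep -Seconds 10
    $found = @(Get-KdcCertificates)
}

if ($found.Count -gt 0) {
    $found | ForEach-Object { "Enrolled: $($_.Subject)  issued by $($_.Issuer)  $($_.Thumbprint)" }
} else {
    # Pulse did not help: look at the CA's Failed Requests, the template's Enroll/Autoenroll ACL
    # for Domain Controllers, and the CertificateServicesClient events in the Application log.
    Write-Warning 'Still no KDC Authentication certificate after certutil -pulse; check CA-side enrollment permissions.'
}
```

Running this from a scheduled task on a freshly promoted or newly CA-enabled domain alongside the automated CA install the thread describes gives the same result as the reboot, without the downtime.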
