Server 2008 - PKI Kerberos Authentication
Hello,

All of our domain controllers are running Server 2008. Our issuing PKI server is also running Server 2008. Forest and domain functional level is set to Server 2008.

I've decided to issue "Kerberos Authentication" certificates to all domain controllers. I've issued the template "Kerberos Authentication" with the default template settings. Then I've configured the autoenrollment settings in the default domain controller policy:

Configuration Model: enabled
Renew expired certificates, update pending certificates, and remove revoked certificates: yes
Update certificates that use certificate templates: yes

(as described in the Microsoft Press book "Windows Server 2008 PKI and Certificate Security")

Soon after that all domain controllers pulled a certificate from the CA. So far everything worked fine.

Now I've discovered that each domain controller is daily issued a new "Kerberos Authentication" certificate. For some domain controllers a certificate is issued every 8 hours and for some domain controllers every 24 hours. Is this behavior normal? With 4 domain controllers this might easily be some thousands of certificates a day. The old certificates aren't automatically revoked.

In the default template settings (which I've used) of the template "Kerberos Authentication" the options "Publish certificate in Active Directory" and "Do not automatically reenroll if a duplicate certificate exists in Active Directory" are not enabled. Do I need to enable these settings if I don't want our domain controllers to renew their certificate daily, or even more times a day?

Thanks in advance.

Regards,
Yves
February 13th, 2009 1:25pm

Hi,

This is a known issue with "Kerberos Authentication" template. If you run "gpupdate /force", you may also get new "Kerberos Authentication" certificates.

This issue should be fixed in Windows Server SP2. Sorry for the inconvenience this has brought.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
February 16th, 2009 9:30am
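
As an added example (not part of the original thread and not Microsoft tooling), this Python check flags the symptom described above, a domain controller being re-issued the same template's certificate long before the previous one is due for renewal, in an export of issued certificates. The CSV column names, the CONTOSO host names and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample rows (not from the thread). Column names are assumptions
# standing in for an export of issued certificates from the CA database.
SAMPLE_CSV = """requester,template,not_before,not_after
CONTOSO\\DC01$,Kerberos Authentication,2009-02-10 08:00,2010-02-10 08:00
CONTOSO\\DC01$,Kerberos Authentication,2009-02-10 16:00,2010-02-10 16:00
CONTOSO\\DC01$,Kerberos Authentication,2009-02-11 00:00,2010-02-11 00:00
CONTOSO\\DC02$,Kerberos Authentication,2009-02-10 09:00,2010-02-10 09:00
CONTOSO\\DC02$,Kerberos Authentication,2009-02-11 09:00,2010-02-11 09:00
CONTOSO\\DC03$,Kerberos Authentication,2009-02-10 10:00,2010-02-10 10:00
"""

FMT = "%Y-%m-%d %H:%M"


def find_reissue_loops(csv_text, min_fraction=0.1):
    """Return {(requester, template): report} for subjects that were re-issued
    a certificate long before the previous one was due for renewal.

    A re-issue counts as early when the gap to the previous issuance is less
    than min_fraction of the previous certificate's validity period.
    """
    issued = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = datetime.strptime(row["not_before"], FMT)
        end = datetime.strptime(row["not_after"], FMT)
        issued[(row["requester"], row["template"])].append((start, end))

    findings = {}
    for key, certs in issued.items():
        certs.sort()  # order by issuance time
        gaps = [
            cur[0] - prev[0]
            for prev, cur in zip(certs, certs[1:])
            if cur[0] - prev[0] < (prev[1] - prev[0]) * min_fraction
        ]
        if gaps:
            findings[key] = {
                "certificates": len(certs),
                "early_reissues": len(gaps),
                "median_gap_hours": median(g.total_seconds() for g in gaps) / 3600,
            }
    return findings
```
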

This topic is archived. No further replies will be accepted.
