Domain Controller Certificate Autoenrollment Not Working
Certificates that were issued or autoenrolled from a previous forest will not be removed unless the machine is a domain controller.
Domain controller not auto-enrolling Kerberos certificate from new 2016 CA. On the General tab, type a name for the new template, then go to the Security tab. Any issued certs should appear in the log as event ID 18s or 19s. But it's not self-enrolling the WinRM certificate that I really want it to.
In the console, expand the following path. Non-domain controllers are getting certificates for WinRM and are working as expected, and the domain controllers did self-generate a few certificates too. All domain controllers are hard-coded to automatically enroll for a certificate based on the Domain Controller template if it is available for enrollment at a certificate authority in the forest.
If the Domain Controller certificate template is not. Autoenrollment automatically downloads and manages trusted root certificates, cross-certificates, and NTAuth certificates from Active Directory into the local machine registry for domain-joined machines. Removal of certificates on domain join/change domain: when a machine is removed from a domain or added to a new domain, all the downloaded certificates from Active Directory will be removed and refreshed if applicable. The following stores are located under the following DS path.
Right-click the Certificate Templates folder and choose Manage. Hard-coded in this case means it is in the code; it is not configured in any local or domain-based policy. Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.
Search for the User template, right-click it, and choose Duplicate. Double-click Default Domain Policy. Troubleshooting one of the most important and versatile parts of the Windows PKI world is a fairly complex process, since it involves a plethora of prerequisites in order for it to work correctly.
In the Application event log, refresh the log to see what happens during autoenrollment. Two computer autoenrollment messages (start, stop) should occur first, followed by two user autoenrollment messages (start, stop) in 30 sec. The Properties dialog box opens. Everything seemed stable except I had a few RODCs and writeable DCs that were showing failed requests in the CA for their auto.
This is one of the few cases where Windows will auto-enroll for a certificate without autoenrollment being configured in Group Policy. All users who log on to the machine inherit the trust and downloaded certificates that are downloaded and managed by autoenrollment. Click Public Key Policies. I migrated a Windows 2008 R2 DC and enterprise root CA to a new Windows 2016 DC and CA.