Domain Controller Certificate Template Not Available
Domain Controller certificate template not available. Thanks for your input. The Domain Controller Authentication template is not published in AD and all options are accessible. In this scenario the certification authority does not publish the issued certificates to the user's domain server object in the single. If you do not already have domain controller certificates, Nexus will issue such certificates for you.
Certificate template requires multiple (2 or more) registration authority (RA) signatures on the Issuance Requirements tab. If you need more information about the new certificate templates shipped with a Windows 2008 CA, you can read this article. Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure. It replaces the Domain Controller Authentication template.
Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS. Certificate template requires private key archival in the CA database and a CA that supports this template; the certificate is not present in the Certs KRA local store or fails the validation check. When I look at the template properties, I see the Domain Controller template being published in AD, and all the options are greyed out and therefore cannot be modified.
If the Domain Controller certificate template is not available and enhanced logging for autoenrollment is enabled, you will see the following event in the Application log of a domain controller. On the Compatibility tab, clear the Show resulting changes check box. Select Windows Server 2008 R2 from the Certification Authority list. When you install a Windows 2008 certification authority, a new domain controller certificate template named Kerberos Authentication is available.
The enterprise CA is located in the parent domain. The domain controllers do not have hotfix 327825 installed. This process is secure since the key never leaves the domain. On the General tab, type Domain Controller Authentication Kerberos in Template display name.
The user, either in the single-level or parent domain, enrolls in the single-level certification authority or the parent certification authority. This is one of the few cases where Windows will auto-enroll for a certificate without autoenrollment being configured in Group Policy.