my DCs aren't renewing their Domain Controller certificate

  • Saturday, June 16, 2012 2:56 PM

    I have a 2008 R2 DC server running as a CA at site 1.

    I also have 2008 R2 DCs at site 2 and site 3. The DCs at site 2 and 3 are NOT auto-renewing their Domain Controller certificate.

    Is this something 2008 R2 DCs should do automatically, or must I have appropriate GPO settings so they renew their Domain Controller certificate? I thought this was automatic... What should I check first to see why they are not getting a new cert (the current one is expiring in 2 days)? I checked my CertSVC_DCOM_ACCESS group and the Domain Controllers group IS a member of it already.

    Thanks.

All Replies

  • Sunday, June 17, 2012 8:37 AM
     Answered

    A DC will request or renew its DC certificate automatically if:

    • Autoenrollment is not enabled and at least one Ent CA is publishing the "Domain Controller" v1 certificate template
    • Autoenrollment is enabled and at least one Ent CA is publishing the "Domain Controller Authentication" v2 certificate template

    It is recommended to enable AutoEnrollment and use the v2 domain controller templates. To enable autoenrollment, check the steps in the "Configure Computer Certificate Autoenrollment" guide: http://technet.microsoft.com/en-us/library/cc732311(v=ws.10).aspx

    /Hasain
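
    The answer above names the two things that decide whether a DC renews on its own: which template the CA publishes and whether autoenrollment policy is applied. The PowerShell below is an added triage script, not part of the thread and not from Microsoft; it is meant to be run elevated on a DC that is failing to renew. It assumes the templates carry their default names ("Domain Controller" for v1, "Domain Controller Authentication" for v2) and that the CA name is supplied by the operator (the `CaConfig` parameter is a placeholder, not a value from this thread).

```powershell
# Added example (not from the thread): triage why a DC is not renewing its
# own certificate, following the two conditions given in the answer.
# Assumptions: run elevated on the affected DC; default template names;
# $CaConfig is an operator-supplied "CAHost\CAName" placeholder.
param(
    [string]$CaConfig = 'CAHOST\CANAME'   # placeholder, replace with your CA's config string
)

# Well-known extension OIDs that record which template issued a certificate.
$v1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 "Certificate Template Name"
$v2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2 "Certificate Template Information"

function Get-DcCertificates {
    # Enumerate the machine store and keep only DC-template certificates,
    # reporting template, version and days until expiry.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $v1TemplateNameOid }
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq $v2TemplateInfoOid }
        if ($v2) {
            # Formatted text looks like "Template=Domain Controller Authentication(1.3.6...), Major Version Number=..."
            $template = (($v2.Format($false) -replace '^Template=', '') -split '\(')[0].Trim()
            $version  = 'v2'
        } elseif ($v1) {
            $template = $v1.Format($false).Trim()
            $version  = 'v1'
        } else {
            $template = '<no template>'
            $version  = 'n/a'
        }
        [pscustomobject]@{
            Template   = $template
            Version    = $version
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
        }
    } | Where-Object { $_.Template -like 'Domain Controller*' }
}

function Get-AutoEnrollmentPolicy {
    # The "Certificate Services Client - Auto-Enrollment" GPO writes AEPolicy here.
    # 7 = enabled with both "renew expired/update pending" and "update templates"
    # boxes checked; 0x8000 = explicitly disabled; absent = not set by policy.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)      { return 'AEPolicy not set by GPO' }
    if ($value -band 0x8000)   { return "AEPolicy=0x{0:X}: autoenrollment DISABLED" -f $value }
    if ($value -eq 7)          { return 'AEPolicy=7: autoenrollment enabled, renew/update on' }
    return "AEPolicy=0x{0:X}: enabled but renew/update flags incomplete" -f $value
}

function Get-PublishedDcTemplates {
    # Ask the enterprise CA which templates it publishes; a DC can only
    # enroll or renew against a template that appears in this list.
    $out = certutil -config $CaConfig -catemplates 2>&1
    $out | Where-Object { $_ -match 'Domain Controller' }
}

Write-Host "== DC certificates in LocalMachine\My =="
Get-DcCertificates | Format-Table Template, Version, DaysLeft, NotAfter, Thumbprint -AutoSize

Write-Host "`n== Autoenrollment policy on this DC =="
Get-AutoEnrollmentPolicy

Write-Host "`n== DC templates published by $CaConfig =="
Get-PublishedDcTemplates

Write-Host "`n== Triggering an autoenrollment pass and showing the result =="
certutil -pulse | Out-Null
Get-DcCertificates | Sort-Object NotAfter -Descending | Select-Object -First 1 |
    Format-List Template, Version, NotAfter, DaysLeft
```

    Read the three sections together: a v1 "Domain Controller" certificate in the store with autoenrollment enabled, or a v2 template published without autoenrollment, is exactly the mismatch the answer describes, and `certutil -pulse` is the quickest way to see whether fixing the policy or the published template immediately produces a fresh certificate. If the CA section returns an access error, revisit the CertSVC_DCOM_ACCESS membership the question already mentions.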