Trying to setup a domain controller cert with an alternate name
-
Friday, February 11, 2011 11:22 PM
Hi,
I'm running AD with Windows Server 2008 R2 DCs, and I also have an Enterprise CA running on Windows Server 2008 R2 Enterprise.
All the DCs have got their certs and LDAPS works fine.
We have an application that interacts with AD via LDAPS. While it currently binds to e.g. DC0.domain.local, it would be preferable that it uses a more generic DNS name like PDC.domain.local, the latter being an alias pointing to DC0. In case DC0 packs up, I can update the DNS and no programmer time is required (don't ask).
Thing is, because the domain controller certificate is generated automatically, how can I amend the cert so that it answers for both dc0.domain.local *and* pdc.domain.local?
I've been trying to figure this one for a while, but so far no dice.
Comments welcome!
Regards,
... Alex ...
All Replies
-
Friday, November 16, 2012 10:03 PM (Moderator)
You would have to duplicate the certificate template and ensure that you select "Supply in the request" in the new certificate template. Then, from the DC, use the MMC Certificates snap-in to request a new certificate for the domain controller, including both names that you want in the request. You would approve this manually from the CA. Then, once you install it on the DC, you will have both the subject name and the subject alternative name.
This article should help with the request part: http://technet.microsoft.com/en-us/library/ff625722(v=WS.10).aspx
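The same procedure scripted with certreq, as an added example that is not part of the original reply: the INF keeps the DC's own FQDN as the subject and lists both dc0.domain.local and pdc.domain.local in the SAN extension, the request is submitted to the CA for manual approval, and the installed certificate is then checked for the SAN and for what LDAPS actually presents on the alias. The template name "DomainControllerSAN", the CA config string "CAHOST\Contoso-CA" and the C:\temp paths are assumptions; substitute your own.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the domain controller (DC0). Assumed values: the duplicated
# template is called "DomainControllerSAN" and the CA config string is
# "CAHOST\Contoso-CA"; replace both with your own.
$template = 'DomainControllerSAN'   # assumed name of the duplicated template
$caConfig = 'CAHOST\Contoso-CA'     # assumed <CA host>\<CA name>
$dcFqdn   = 'dc0.domain.local'
$alias    = 'pdc.domain.local'
$workDir  = 'C:\temp'               # assumed scratch folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq INF: subject stays the DC's FQDN, SAN (OID 2.5.29.17) carries both names.
# The key is created non-exportable in the machine store, as a DC cert should be.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$dcFqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=$alias"
"@
Set-Content -Path "$workDir\dc-san.inf" -Value $inf -Encoding ASCII

# 1. Build the CSR; the private key is generated in the machine store.
certreq -new "$workDir\dc-san.inf" "$workDir\dc-san.req"

# 2. Submit to the CA. With "CA certificate manager approval" set on the
#    template the request stays pending and certreq prints its RequestId.
certreq -submit -config $caConfig "$workDir\dc-san.req" "$workDir\dc-san.cer"

# 3. On the CA a certificate manager issues the pending request:
#      certutil -resubmit <RequestId>
#    then, back on the DC, retrieve it and bind it to the key from step 1:
#      certreq -retrieve -config $caConfig <RequestId> "$workDir\dc-san.cer"
certreq -accept "$workDir\dc-san.cer"

# 4. Verify the SAN on the installed certificate (should show both DNS names).
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Subject -eq "CN=$dcFqdn" } |
  ForEach-Object {
    $sanExt  = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = '(none)'
    if ($sanExt) { $sanText = $sanExt.Format($false) }
    [pscustomobject]@{
      Thumbprint = $_.Thumbprint
      NotAfter   = $_.NotAfter
      SAN        = $sanText
    }
  }

# 5. Confirm what the LDAPS listener presents when contacted via the alias.
#    The validation callback only records the certificate so it can be read;
#    compare the thumbprint with the one printed in step 4.
$tcp = New-Object Net.Sockets.TcpClient($alias, 636)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($alias)
'LDAPS on {0} presented {1} ({2})' -f $alias, $ssl.RemoteCertificate.Subject,
                                      $ssl.RemoteCertificate.GetCertHashString()
$ssl.Dispose(); $tcp.Dispose()
```

Step 5 is worth keeping: when several valid server-authentication certificates sit in the machine store, Schannel chooses which one the LDAPS listener uses, so checking the thumbprint the alias actually returns is the only reliable way to know the SAN certificate is in service.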
-
Saturday, November 17, 2012 12:10 AM
You may also be able to adapt this: http://support.microsoft.com/kb/321051
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk