About Domain Controller and Domain Controller Authentication Certificate

  • I'm taking over a new domain, where all my domain controllers are above Windows 2003.

    When I look at the auto-enrollment that my DCs get, I see that the template used for the certificate is Domain Controller. Is this normal? Should the certificate not be built based on the "Domain Controller Authentication" template instead?

    If I'm correct, how do I fix it? Should I just delete the "Domain Controller" template?

    When I look at the template properties, I see the "Domain Controller" template being published in AD, and all the options are greyed out, and therefore cannot be modified.

    The "Domain Controller Authentication" template is not Published in AD, and all options are accessible.

    Thanks for your input

    Life is short, Enjoy it now. Cyreli

    Tuesday, December 11, 2012 10:34 PM


  • Hi,

    The main point for issuing certificates to domain controllers is that "server authentication" is included in the key usage (intended purposes). If the current certificate template has that, you can keep it as it was. However, if you need to issue new certificates to domain controllers based on new certificate templates, you can remove the certificate template from the issue list and add the new certificate template back to the issue list as you want.

    Wednesday, December 12, 2012 9:32 AM
  • The best way is to modify the template using the Superseded Templates tab as discussed here:

    The latest and most feature rich template that you should be using with Domain Controllers is the Kerberos Authentication template. The only caveat is to watch the note about Windows Server 2003 SP1 event logs errors.

    Jason Jones | Microsoft MVP | Silversands Ltd

    Wednesday, December 12, 2012 1:24 PM
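To check which template a DC's certificate actually came from and which EKUs it carries (the point both answers hinge on), here is an added audit script; it is not from this thread or from Microsoft. It assumes an elevated PowerShell session on the domain controller and reads only the local machine store.

```powershell
# Added example (not from the thread): list certificates in the DC's machine store
# that were issued from an AD certificate template and report the EKUs relevant to
# domain controllers. Run elevated on the DC; nothing is modified.

# Well-known EKU OIDs. The v1 "Domain Controller" template yields Server and Client
# Authentication; "Domain Controller Authentication" adds Smart Card Logon; the
# "Kerberos Authentication" template adds KDC Authentication on top of those.
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'
$SmartCard  = '1.3.6.1.4.1.311.20.2.2'
$KdcAuth    = '1.3.6.1.5.2.3.5'

# v1 templates put the template name in 1.3.6.1.4.1.311.20.2; v2/v3 templates put
# the template OID and version in 1.3.6.1.4.1.311.21.7.
$TemplateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-DcCertificateReport {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids }
        if (-not $tmpl) { continue }   # self-signed or non-template cert, skip

        # Format() renders the extension text the Certificates MMC shows,
        # e.g. "DomainController" or "Template=Kerberos Authentication(...)".
        $templateText = ($tmpl | ForEach-Object { $_.Format($false) }) -join '; '

        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Template         = $templateText
            ServerAuth       = $ekus -contains $ServerAuth
            ClientAuth       = $ekus -contains $ClientAuth
            SmartCardLogon   = $ekus -contains $SmartCard
            KdcAuth          = $ekus -contains $KdcAuth
        }
    }
}

Get-DcCertificateReport | Format-Table -AutoSize
```

A DC enrolled from the v1 template shows ServerAuth and ClientAuth true and KdcAuth false; after superseding with Kerberos Authentication and re-enrolling, a new row with KdcAuth true should appear and the old certificate will be archived.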