Trouble with Auto Certificate Deployment in Active Directory

Asked By TechWhiz45 On

I've recently set up Active Directory Certificate Services (AD CS) and I'm hoping to use it for AD Authentication in Meraki and other applications down the line. I've used Group Policy to allow the Domain Controllers (DCs) to auto-enroll for certificates, but they've only received the "Directory Email Replication" template. Everything looks normal regarding groups, and the "Domain Controller Authentication" template is active and configured for enrollment and auto-enrollment. However, I'm not seeing any logs that explain what's being skipped. All I've managed to pull with certutil -pulse is that one certificate I don't need even after rebooting the machines. Does anyone have any suggestions?

3 Answers

Answered By NetworkNinja77 On

You might want to verify that the Domain Controller Authentication template is actually issued on your Certificate Authority (CA). Sometimes it can appear in the console but isn't actually listed under "Certificate Templates to Issue." Also, check whether the template's security settings allow the Domain Controllers to both enroll and auto-enroll. Run `certutil -template` on one of the DCs to see if the template appears there. If it's missing, the CA may not be offering it. Don't forget to check the AutoEnrollment event logs for more details too.

Answered By ServerGuru99 On

It sounds like you need to ensure that the Kerberos Authentication template is enabled for your Domain Controllers. Also, double-check if the auto-enrollment is set properly in your certificate client group policies. It's crucial to configure this correctly because misconfigurations can lead to significant privilege escalation issues.

Answered By SysAdminGamer On

It’s possible you missed installing the trusted root certificate in your Group Policy. For an internal CA, which is usually self-signed, you need to ensure this root certificate is deployed to the Trusted Root Certification Authorities of each domain system. If not, even if you ask the machines to retrieve new certificates, they won’t be able to use them. It's best to publish the root CA in the directory store so all domain members can access it automatically.
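The checks suggested in the first answer (is the template offered by the CA, can the DC see it, what do the AutoEnrollment events say) and the third answer (is the issuing CA trusted locally) can be run together from one DC. This is an added triage script, not code from the thread; it assumes the template still has its default internal name, a single enterprise CA answers certutil without `-config`, and a single-tier CA so the leaf issuer is itself a root.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on one DC.
# Assumptions: default internal template name, one enterprise CA (add -config "CAHOST\CA Name"
# to the certutil calls if you have several), and a single-tier CA for the trust check.
$TemplateName = 'DomainControllerAuthentication'   # internal name of "Domain Controller Authentication"
$Days         = 7                                   # how far back to read autoenrollment events

# 1. Is the template actually under "Certificate Templates to Issue" on the CA?
#    certutil -CATemplates prints one line per offered template with an access-check result.
$offered = certutil -CATemplates 2>&1 | Select-String -SimpleMatch $TemplateName
if ($offered) { "CA offers the template: $offered" }
else          { "CA does NOT offer $TemplateName; add it under Certificate Templates to Issue" }

# 2. What does this DC see for the template in AD (enroll / autoenroll permissions)?
certutil -template $TemplateName 2>&1

# 3. Which templates produced the certs already in the machine store, and is each issuer
#    in the local Trusted Root store? OIDs: ...21.7 = v2+ template info, ...20.2 = v1 template name.
$roots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Subject
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tmpl = $_.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        ForEach-Object { $_.Format($false) }
    [pscustomobject]@{
        Subject       = $_.Subject
        NotAfter      = $_.NotAfter
        Template      = ($tmpl -join '; ')
        IssuerTrusted = ($roots -contains $_.Issuer)   # false -> root CA not deployed to this machine
    }
} | Format-Table -AutoSize

# 4. Autoenrollment client events from the last $Days days; template-not-available,
#    access-denied and no-CA-reachable failures all land in this provider.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-$Days)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 5. Trigger autoenrollment again, then re-run step 4 to read the fresh events.
certutil -pulse
```

If step 1 reports the template as offered but step 2 shows no enroll or autoenroll right for Domain Controllers, the template ACL rather than the CA is what is blocking the request.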
