Thursday, April 14, 2016

active directory - Domain Controller promotion and certificate autoenrollment



I have this AD domain where a Windows Server 2003 SP2 Enterprise Root Certification Authority is operational, and certificate autoenrollment is enabled both for users and computers; all fine and good, every domain-joined computer automatically gets a Computer certificate issued. There are also two Windows Server 2003 SP2 domain controllers, which instead received a Domain Controller certificate; all fine and good, again.



Then I got a Windows Server 2008 R2 SP1 member server, which had already automatically enrolled a Computer certificate, and promoted it to domain controller. It didn't get any new one after the promotion, and no errors are logged anywhere: it looks like it simply decided that, having already a working certificate, it didn't need a new one.



What I want to know is:




  • Is there actually any difference between the Computer certificate template and the Domain Controller one?


  • Does it make any difference if a domain controller has one of the formers instead of one of the latters?

  • How can I force this domain controller to autoenroll a new certificate of the correct type for its role?








I tried revoking the existing certificate and rebooting the new DC; nothing happened.
Then I removed the existing certificate from the DC's local store and rebooted it again; nothing heppened this time, too.









I turned on autoenrollment logging, and I found there actually are some errors... when the new DC tries to enroll a certificate, it logs a bunch of errors:




  • Event ID 56: "Certificate enrollment for Local system for the template DomainController was not performed because this templte has been suerseded."

  • Event ID 46: "Certificate enrollment for Local system could not enroll for a Machine certificate. Read or enrollment access is not allowed for this template."


  • Event ID 47: "Certificate enrollment for Local system could not enroll for a DirectoryEmailReplication certificate. A valid certification authority cannot be found to issue this template."

  • Event ID 47: "Certificate enrollment for Local system could not enroll for a DomainControllerAuthentication certificate. A valid certification authority cannot be found to issue this template."

  • Event ID 47: "Certificate enrollment for Local system could not enroll for a KerberosAuthentication certificate. A valid certification authority cannot be found to issue this template."


Answer



Try certutil -pulse - this should check for templates the system has permission in, and enroll them. It should have no problem grabbing the certificate, as long as there's nothing crazy going on in the permissions settings on the template.



You'll definitely want to have your DCs have a Domain Controller-style certificate (Domain Controller is the old one; Domain Controller Authentication then Kerberos Authentication supersede it; if your CA is running enterprise edition, then consider switching to the newer Kerberos template) - while a lot of the functions that it satisfies will be handled by a Computer certificate, some of the DC-specific stuff like smart card authentication, the LDAP/SSL listener (I believe?), and with the newer Kerberos certificate, strong KDC validation, need the special certificate.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...