7,023 questions
Hi
You can follow the link below:
public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services
Please don't forget to mark this reply as answer if it help you to fix your issue
Why when I deploy my roots and intermediate CA Certificates to AD do some servers automatically download them and others do not?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 93%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Chamby112
1
Reputation point
I am very confused by the process of publishing Root and Intermediate certificates to AD and how they deploy to servers across an enterprise. When I publish the Root and Intermediate CA certs to the AIA and Certification Authorities Containers in AD, some servers will pull the new certificates into their trust stores and others will not.
When looking for any documentation around this process, I cannot find much. Does anyone out there know the process from beginning to end? Also, does anyone have an idea of why some would pull the certs from AD and others would not?
Thank you to anyone who can shed light on these dark times.
Windows for business Windows Client for IT Pros Directory services Active Directory
Windows for business Windows Server User experience Other
20,214 questions
Windows for business Windows Server Devices and deployment Configure application groups
12 answers
Sort by: Oldest
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,261 Reputation points Moderator2020-10-22T22:05:28.03+00:00 -
Chamby112 1 Reputation point
2020-10-22T22:27:55.037+00:00 Hi,
Thank you for this response, but I am looking for a little more depth about the overall process. I have Enterprise CA's deployed, and their certs are already all published to AD. What I am wondering is what is the background process that helps get that certificate deployed throughout the enterprise.
I believe it is the Autoenrollment feature on clients (Servers and Workstations) that initiates the check-in, and the files are downloaded. But is that feature enabled by default? How would I check to see if it is enabled on a ___domain-joined system that does not have the certs in its trust store but has been joined to the ___domain for years?
Sign in to comment -
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2020-10-22T23:04:17.147+00:00 Hi,
If you have installed enterprise PKI , all member machines will detect the certificate automatically when you restart it or run the following command manually:
certutil -pulseIf the client is unable to detect the root certification automatically, I think it may be network flow issue.
Please don't forget to mark this reply as answer if it help to fix your issue
-
Chamby112 1 Reputation point
2020-10-22T23:19:47.297+00:00 This is where I'm getting to. This is not occurring on all of our systems. The large majority are, but I am seeing some that are not. I am trying to narrow down why they may not be updating on some. Are there instances others have seen where this is an issue? I.e. something disabled on the system, some GPO blocking this, etc.
I am trying to understand the whole process so I can try and isolate it to something specific, but I cannot find a detailed description of the process end-to-end.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2020-10-22T23:25:46.613+00:00 Try one of the following actions:
- Check network flow
- Restart impacted servers and launch the following command certutil -pulse
- Rejoin impacted server to ___domain
Please don't forget to mark this reply as answer if it help to fix your issue
-
Chamby112 1 Reputation point
2020-10-22T23:29:55.773+00:00 When you say check Network flow, are you referring to network connectivity?
Sign in to comment -
Thameur-BOURBITA 36,261 Reputation points Moderator
2020-10-22T23:31:56.59+00:00 When you say check Network flow, are you referring to network connectivity?
Yes
Please don't forget to mark this reply as answer if it help to fix your issue
-
Chamby112 1 Reputation point
2020-10-22T23:34:12.997+00:00 These are live production servers. No network issues, regular restarts, but ___domain rejoins are out of the question. Any other ideas?
Sign in to comment -