Why when I deploy my roots and intermediate CA Certificates to AD do some servers automatically download them and others do not?

Chamby112 1 Reputation point
2020-10-22T14:35:26.24+00:00

I am very confused by the process of publishing Root and Intermediate certificates to AD and how they deploy to servers across an enterprise. When I publish the Root and Intermediate CA certs to the AIA and Certification Authorities Containers in AD, some servers will pull the new certificates into their trust stores and others will not.

When looking for any documentation around this process, I cannot find much. Does anyone out there know the process from beginning to end? Also, does anyone have an idea of why some would pull the certs from AD and others would not?

Thank you to anyone who can shed light on these dark times.


12 answers

  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-10-22T23:31:56.59+00:00

    When you say check Network flow, are you referring to network connectivity?

    Yes

    Please don't forget to mark this reply as answer if it help to fix your issue


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-10-22T23:38:31.39+00:00

    These are live production servers. No network issues, regular restarts, but ___domain rejoins are out of the question. Any other ideas?

    In this case you can export the root certificate from another server and install it in all impacted servers manually in the right store.

    Please don't forget to mark this reply as answer if it help to fix your issue


  3. Chamby112 1 Reputation point
    2020-10-22T23:39:38.347+00:00

    Let me ask this, is there a way to prevent a server from pulling these certificates from AD through configurations? What could one do to stop the autoenrollment process from downloading roots and intermediates from the AIA and Certificate Authorities containers in AD?


  4. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-10-22T23:55:21.007+00:00

    The download of the root certificate is not related to the auto-enrollment process.
    It is not the same process. The root certificate can be detected via the certutil -pulse command or by restarting the server if the network connectivity is OK.
    On the other hand, we can speak of auto-enrollment when you create a certificate template, then you allow the servers in question to auto-enroll on this template and finally activate auto-enrollment through GPO.


  5. Chamby112 1 Reputation point
    2020-10-23T01:00:02.517+00:00

    Ahh now we are getting to the meat and potatoes. My understanding was the same, but this is where my confusion resides. To quote Brian Komar in "Windows Server 2008 PKI and Certificate Security" under the section on Publishing Certificates and CRLs into AD DS (pg. 133), it states "The next time Group Policy is applied to a computer that is a member of the forest, certificates will be automatically added to the trusted root or intermediate CA store of the local machine through the autoenrollment mechanism."

    The original intent of this post was to get clarity on this exact issue. Are the references to autoenrollment different for these certs vs. what is used for, say, autoenrollment of a device authentication cert, or does it leverage the same process?

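A way to check the behaviour discussed in the two answers above on a given server, as an added example that is not part of the thread: this PowerShell script lists the CA certificates published in the AD containers named in the question and reports which of them are missing from the local machine's Root and CA stores, then runs the certutil -pulse step from the answer above when something is missing. The LDAP container paths and the two local stores compared are assumptions about a standard forest layout.

```powershell
# Added example, not from the thread. Compares the CA certificates published in the
# "Certification Authorities" and "AIA" containers with this machine's trust stores.
# Assumes a ___domain-joined Windows server and the standard Public Key Services paths;
# uses plain ADSI, so no ActiveDirectory module is required.

function Get-AdPublishedCaCertificate {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $containers = [ordered]@{
        'Certification Authorities' = "LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
        'AIA'                       = "LDAP://CN=AIA,CN=Public Key Services,CN=Services,$configNc"
    }
    foreach ($name in $containers.Keys) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]$containers[$name]
        $searcher.Filter = '(objectClass=certificationAuthority)'
        [void]$searcher.PropertiesToLoad.Add('cACertificate')
        foreach ($entry in $searcher.FindAll()) {
            # cACertificate is multi-valued; each value is one DER-encoded certificate
            foreach ($der in $entry.Properties['cacertificate']) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
                [pscustomobject]@{
                    Container  = $name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

function Test-AdCaTrustSync {
    # Thumbprints already trusted locally (roots and intermediates)
    $local = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        ForEach-Object { $local[$_.Thumbprint] = $true }

    Get-AdPublishedCaCertificate | ForEach-Object {
        $_ | Add-Member -NotePropertyName PresentLocally -NotePropertyValue $local.ContainsKey($_.Thumbprint) -PassThru
    }
}

$report = Test-AdCaTrustSync
$report | Format-Table Container, Subject, NotAfter, PresentLocally -AutoSize

if ($report | Where-Object { -not $_.PresentLocally }) {
    # Published in AD but not trusted here yet: trigger the autoenrollment task
    # mentioned in the thread, then re-run this script to confirm the stores caught up.
    certutil -pulse
}
```

Run it elevated on a server that did pull the certificates and on one that did not; a server where the report stays incomplete after certutil -pulse is the one to investigate for connectivity or Group Policy processing problems.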
