This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 93%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I am very confused by the process of publishing Root and Intermediate certificates to AD and how they deploy to servers across an enterprise. When I publish the Root and Intermediate CA certs to the AIA and Certification Authorities Containers in AD, some servers will pull the new certificates into their trust stores and others will not.
When looking for any documentation around this process, I cannot find much. Does anyone out there know the process from beginning to end? Also, does anyone have an idea of why some would pull the certs from AD and others would not?
Thank you to anyone who can shed light on these dark times.
Let me ask this, is there a way to prevent a server from pulling these certificates from AD through configurations? What could one do to stop the autoenrollment process from downloading roots and intermediates from the AIA and Certificate Authorities containers in AD?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
These are live production servers. No network issues, regular restarts, but ___domain rejoins are out of the question. Any other ideas?
In this case you case you can export the root certificate from another server and installer it in all impacted servers manually in the right store.
Please don't forget to mark this reply as answer if it help to fix your issue
Thank you for your responses to my questions. I am trying to troubleshoot why the process is not working as expected. Let's say I am working in an environment with 50k windows servers. If some are not pulling these automatically, there is just too much volume to do this manually. A workaround will not solve the issues that I am facing. I am trying to get to the root of the issue (pun intended) so that I avoid any trust issues if a new CA was deployed.
When you say check Network flow, are you referring to network connectivity?
Yes
Please don't forget to mark this reply as answer if it help to fix your issue
These are live production servers. No network issues, regular restarts, but ___domain rejoins are out of the question. Any other ideas?
Try one of the following actions:
Please don't forget to mark this reply as answer if it help to fix your issue
When you say check Network flow, are you referring to network connectivity?
This is where I'm getting to. This is not occurring on all of our systems. The large majority are, but I am seeing some that are not. I am trying to narrow down why they may not be updating on some. Are there instances others have seen where this is an issue? I.e. something disabled on the system, some GPO blocking this, etc.
I am trying to understand the whole process so I can try and isolate it to something specific, but I cannot find a detailed description of the process end-to-end.