Windows 2003 AD - SSL Certificate Autoenrollment

Posted on 2007-07-20
Medium Priority
Last Modified: 2008-05-30

What is the best way to prevent the default SSL certs (for AD replication) being applied to one particular DC in my environment?

I need to install a publicly signed SSL certificate on the DC for authentication purposes (Thawte), and I need to ensure that the domain controller certificate issued to Domain Controllers for replication is not reinstalled through autoenrollment when I delete it and reboot the DC.

I only want to prevent this on one DC.

I have tried various options including installing the Thawte cert, assigning it the server authentication role, and assigning the default cert no role (I have deleted it as well), but as soon as the DC is rebooted, the default cert takes over again.

Question by:glennbrown2

Accepted Solution

Pber earned 1000 total points
ID: 19530459
I noticed you asked a similar question for 2000.  Even though the solutions look the same, there are slight differences in the template name and enroll and autoenroll options.

You can't set autoenrollment for a specific server. To do what you want to do, you would need to remove the Autoenroll option on that template. Just load the Certificate Templates MMC, select the Domain Controller Authentication template and then select the Security tab. Select the Domain Controllers security principal, deselect Autoenroll and click Apply.
This will remove autoenrollment for ALL DCs.

A way around it, would be to remove the Domain Controllers group from the security TAB, then add the specific domain controllers by name, excluding the one that you don't want.
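As an added example (not part of the answer above), the following PowerShell audits who actually holds the Enroll and AutoEnroll extended rights on the Domain Controller Authentication template, so the Security tab change can be verified before and after. It assumes the ActiveDirectory RSAT module is available, read access to the Configuration partition, and that the template's CN is `DomainControllerAuthentication`.

```powershell
# Added example: report Enroll / AutoEnroll grants on a certificate template.
# Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive it provides.
Import-Module ActiveDirectory

# Templates live in the Configuration partition; the CN (not the display name)
# of "Domain Controller Authentication" is assumed to be DomainControllerAuthentication.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=DomainControllerAuthentication,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs that the Security tab maps to "Enroll" and "Autoenroll".
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}

$acl = Get-Acl -Path "AD:\$templateDN"
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString().ToLower()
    # Only ACEs that are extended rights AND match one of the two template rights.
    if ((($ace.ActiveDirectoryRights -band $extended) -ne 0) -and $rights.ContainsKey($guid)) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $rights[$guid]
            Type      = $ace.AccessControlType   # Allow or Deny
        }
    }
}

# After the change described above, "Domain Controllers" should no longer appear with
# AutoEnroll, and any DCs added by name should appear individually.
$report | Sort-Object Principal, Right | Format-Table -AutoSize
```

Run it on a machine with RSAT as a user who can read the Configuration partition; the output lists each principal once per right it holds.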

Expert Comment

ID: 19531090
You can prevent SSL certificates from being applied.
See http://support.microsoft.com/kb/187498
