Windows 2003 AD - SSL Certificate Autoenrollment

Posted on 2007-07-20
Last Modified: 2008-05-30

What is the best way to prevent the default SSL certs (for AD replication) being applied to one particular DC in my environment.

I need to install a publicly signed SSL certificate on the DC for authentication purposes (Thawte) and I need to ensure that the domain controller certificate issued to Domain Controllers for replication is not reinstalled through autoenrollment when I delete it and reboot the DC.

I only want to prevent this on one DC.  

I have tried various options including installing the Thawte cert, assigning it the server authentication role, assigning the default cert no role (have deleted as well), but as soon as the DC is rebooted, the default cert takes over again.

Question by:glennbrown2

    Accepted Solution

    I noticed you asked a similar question for 2000.  Even though the solutions look the same, there are slight differences in the template name and enroll and autoenroll options.

    You can't set autoenrollment for a specific server.  To do what you want to do, you would need to remove the Autoenroll option on that template.   Just load the certificate templates MMC, select the Domain Controller Authentication template and then select the security TAB.  Select the Domain Controllers security principal and then deselect the Autoenroll and click Apply.
    This will remove autoenrollment for ALL DCs.

    A way around it would be to remove the Domain Controllers group from the security TAB, then add the specific domain controllers by name, excluding the one that you don't want.
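As an added example (not part of this thread or its author's answer), the PowerShell below reads the ACL of the Domain Controller Authentication template straight from the Configuration partition and reports who holds Enroll and Autoenroll, so the change described above can be verified rather than assumed. It assumes a domain-joined host with read access to the Configuration naming context, the template CN `DomainControllerAuthentication`, and a placeholder DC name `DC01`.

```powershell
# Added example: audit Enroll / Autoenroll on a certificate template's AD object.
# Assumptions: run on a domain-joined host; $ExcludedDc is a placeholder name.
param(
    [string]$TemplateCN = 'DomainControllerAuthentication',  # CN of "Domain Controller Authentication"
    [string]$ExcludedDc = 'DC01'                               # placeholder: DC that must NOT autoenroll
)

# Well-known extended-right GUIDs used on certificate template objects
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path     = "LDAP://CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]$path

# Resolve each ACE to a principal name and classify the extended right it grants
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$report = foreach ($r in $rules) {
    if (-not ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
    $right = switch ($r.ObjectType) {
        $EnrollGuid     { 'Enroll' }
        $AutoEnrollGuid { 'Autoenroll' }
        ([Guid]::Empty) { 'AllExtendedRights' }   # an ACE on every extended right also covers Autoenroll
        default         { $null }
    }
    if ($right) {
        [pscustomobject]@{ Principal = $r.IdentityReference.Value; Right = $right; Type = $r.AccessControlType }
    }
}
$report | Sort-Object Principal, Right | Format-Table -AutoSize

# Flag the two conditions the answer warns about: the group ACE still present,
# or the excluded DC's computer account granted Autoenroll directly.
$auto = $report | Where-Object { $_.Type -eq 'Allow' -and $_.Right -in 'Autoenroll', 'AllExtendedRights' }
if ($auto | Where-Object { $_.Principal -like '*\Domain Controllers' }) {
    Write-Warning "Domain Controllers group still holds Autoenroll: every DC, including $ExcludedDc, will re-enroll."
}
if ($auto | Where-Object { $_.Principal -like "*\$ExcludedDc`$" }) {
    Write-Warning "$ExcludedDc`$ is granted Autoenroll directly on the template."
}
```

Run it once before and once after editing the template's security tab; the second run should show no Autoenroll grant reaching the excluded DC, while the other DCs listed by name keep theirs.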

    Expert Comment

    You can prevent SSL certificates from being applied.
