Azure Domain Controller Not Pulling Certs from Onprem ADCA

We have 4 on-prem Windows 2012 and 2016 AD DCs and 3 in Azure as well. We have all on-prem DCs in one site and the Azure VMs in another. Replication and dcdiag information comes back clear of errors. One thing I have noticed on my Windows 2016 Core DCs in Azure is that they are not pulling the domain controller cert or any cert automatically like my on-prem DCs.
compdigit44Asked:

Cliff GaliherCommented:
Have you verified that the VPN tunnel from Azure to your on-prem is completely unblocked? That's the most common problem I see.
0
MaheshArchitectCommented:
The Azure domain controller should be able to talk to your on-prem CA server on TCP 135 plus the whole high RPC port range (49152-65535, or it might be 1024-65535); only then can it request a domain controller cert from the CA.
Ensure that your Azure DC can talk to the CA with any-any ports bi-directionally and check.
0
compdigit44Author Commented:
I confirmed with the networking team that the connection between on-prem and the cloud is not getting blocked.
0
compdigit44Author Commented:
The error I am getting when I submit the CertReq on my CA is "The DNS name is unavailable and cannot be added to the Subject Alternate name". I have already tried to change the cert template to supply the name in the cert request and it did not help. Also, the DNS name is populated on the properties of the computer object in question.
0
MaheshArchitectCommented:
For a domain controller cert, you don't need to create a request.
It should work as long as you have an AD-integrated CA, the Domain Controller Authentication template, autoenrollment enabled and correct DCOM permissions.
0
compdigit44Author Commented:
I 100% agree with you that this should be automatic, but it is not happening. I ran a GP result and it is pulling the policy to pull the cert automatically.
0
compdigit44Author Commented:
Does anyone have any further suggestions on this? I have run PortQry and all ports connecting to the internal CA are open, i.e. 135, 80, 443. What am I missing?
0
MaheshArchitectCommented:
If the port is not an issue, you can try another thing.
1st, ensure that all domain controllers are part of the native Domain Controllers group in AD.
Enable autoenrollment in the Default Domain Policy.
Copy the Domain Controller Authentication template to create a new (V2) template, enable autoenrollment for this template, grant the Domain Controllers group Read, Enroll and Autoenroll permissions on this template, and then publish the template.
For the copied template, keep all template properties the same as the original template.
Now force AD replication across all DCs and check whether on the next reboot your Azure DCs are getting that cert or not.
0
compdigit44Author Commented:
All AD DCs are members of the Domain Controllers group and autoenrollment is already enabled.
0
compdigit44Author Commented:
Does anyone have any additional thoughts on this?
0
MaheshArchitectCommented:
Have you created new dc template?
0
compdigit44Author Commented:
no
0
MaheshArchitectCommented:
Can you try executing the steps in my second-to-last comment and check?
0
compdigit44Author Commented:
I tried that, but have found something interesting. Even our member server VMs in Azure with a GUI interface are not pulling any on-prem certs.
0
MaheshArchitectCommented:
Which certificate is the member server interested in?
0
compdigit44Author Commented:
We have one server in Azure that is running Windows 2016 GUI and is not running any specific roles but is connected to our on-prem AD domain and is used for testing. That's it. I just do not understand why the certs are not reaching the cloud VM when the firewall is open?
0
MaheshArchitectCommented:
Check if you can request a cert on the Azure VM through the web console; if yes, install it and see if it shows all issuer information correctly.
0
compdigit44Author Commented:
I cannot access our test server that has a GUI right now since it is being worked on. How can I do this through the GUI?
0
MaheshArchitectCommented:
Open http://cahostname/certsrv and check if you are able to request and receive a certificate.
0
compdigit44Author Commented:
You can do that from server core ???
0
compdigit44Author Commented:
I ended up opening a case with Microsoft support but still no luck.
0
compdigit44Author Commented:
Finally got the issue resolved.

1) Our DCs were not pulling the GP to auto-enroll certs
2) I was not able to manually request a cert since the workstation I was trying it from did not have Read permissions on the Domain Controller template
0
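As an added diagnostic (not code from this thread or from any of its participants), the PowerShell script below checks, from an Azure DC, each item the earlier step list raises (RPC path to the CA, Domain Controllers membership, autoenrollment policy, template ACL) together with the two causes named in the resolution (GPO not applied, missing Read on the template). It assumes the ActiveDirectory module is installed; `$CaHost` and `$CaName` are placeholders for your on-prem CA.

```powershell
# Added diagnostic script, not from the thread. Run in an elevated PowerShell on
# the Azure DC. $CaHost / $CaName are placeholders; ActiveDirectory module assumed.
param(
    [string]$CaHost   = 'ca01.corp.example',   # placeholder: on-prem CA host
    [string]$CaName   = 'Corp Issuing CA',     # placeholder: CA common name
    [string]$Template = 'DomainController'     # template cn as stored in AD
)
Import-Module ActiveDirectory

# 1. Network path: RPC endpoint mapper (the dynamic high ports must be open too)
$t = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
"TCP 135 to ${CaHost}: $($t.TcpTestSucceeded)"
# 2. DCOM/RPC path into the CA service itself (fails when only 135 is open)
certutil -config "$CaHost\$CaName" -ping

# 3. Is this DC really in Domain Controllers? (primary group RID 516)
$me = Get-ADComputer $env:COMPUTERNAME -Properties primaryGroupID
"Primary group is Domain Controllers: $($me.primaryGroupID -eq 516)"

# 4. Did the autoenrollment GPO actually apply? It writes AEPolicy under this key;
#    7 = enabled with renew-expired, update-pending and update-templates options.
$ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
      -ErrorAction SilentlyContinue
"AEPolicy: " + $(if ($ae) { $ae.AEPolicy } else { 'not set - GPO not applied' })

# 5. Template ACL in the configuration partition: Domain Controllers needs Read plus
#    the Enroll and AutoEnroll extended rights (well-known rightsGuid values).
$enroll     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnroll = 'a05b8cc2-17bc-00de-a4bc-e67ca6f7a789'
$cfg = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$acl = Get-Acl -Path "AD:\$dn"
$acl.Access | Where-Object { $_.IdentityReference -like '*\Domain Controllers' } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{n='Right'; e={ switch ($_.ObjectType.Guid) {
            $enroll { 'Enroll' } $autoEnroll { 'AutoEnroll' } default { $_ } } }}

# 6. Trigger autoenrollment now and read the client's own verdict from the event log
certutil -pulse
Start-Sleep -Seconds 15
Get-WinEvent -FilterHashtable @{ LogName = 'Application';
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 5 |
    Format-List TimeCreated, Id, Message

# 7. What is actually in the machine store after the pulse?
Get-ChildItem Cert:\LocalMachine\My |
    Format-Table Subject, Issuer, NotAfter,
        @{n='EKU'; e={ $_.EnhancedKeyUsageList.FriendlyName -join ', ' }}
```

Step 4 printing "not set" and step 5 showing no Domain Controllers entry are the two conditions the resolution above describes; the autoenrollment events in step 6 name the template and the failing stage when enrollment is attempted but rejected.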
MaheshArchitectCommented:
Glad to hear that the issue is resolved but unable to understand the exact issue.
If you could please clarify more.
0