Certificate Services Templates Supersedence

Bradley Fox
I'm planning on replacing my "Domain Controller Authentication" template with "Kerberos Authentication" for domain controllers. The ADCs are currently configured for auto-enrollment. I've put the "Domain Controller Authentication" template in the Supersedence tab on the "Kerberos Authentication" certificate template, configured domain controllers to auto-enroll, and published the new template.

My question is: do I leave the old "Domain Controller Authentication" template published, or should I remove it from Certificate Templates?

Distinguished Expert 2018
Then all you need to do is ensure that the new Kerberos Authentication cert is installed, and then disable the Domain Controller Authentication template.
Also, you can revoke existing domain controller certs from the certificate authority's issued cert console.
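One way to confirm the "new cert is installed" step on every domain controller before the old template is unpublished (an added example, not part of the original thread). It relies on the fact that the Kerberos Authentication template adds the KDC Authentication EKU, which Domain Controller Authentication lacks, and it assumes the ActiveDirectory module and WinRM access to each DC; the variable names are illustrative.

```powershell
# Added example: check each DC's machine store for a valid certificate carrying
# the KDC Authentication EKU. Assumes the ActiveDirectory module and WinRM.
$KdcAuthEku = '1.3.6.1.5.2.3.5'        # KDC Authentication EKU
$TemplateV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

$check = {
    param($KdcAuthEku, $TemplateV2)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert   = $_
        $tpl    = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV2 }
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            # Shows the template display name when it resolves, otherwise only its OID
            Template   = if ($tpl) { $tpl.Format($false) } else { '(no V2 template extension)' }
            HasKdcEku  = $ekus -contains $KdcAuthEku
            Valid      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            NotAfter   = $cert.NotAfter
        }
    }
}

$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $check -ArgumentList $KdcAuthEku, $TemplateV2

$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, Template, HasKdcEku, Valid, NotAfter -AutoSize

# A DC is ready once it holds at least one currently valid cert with the KDC EKU
$ready   = $results | Where-Object { $_.HasKdcEku -and $_.Valid } |
    Select-Object -ExpandProperty PSComputerName -Unique
$pending = $dcs | Where-Object { $_ -notin $ready }

if ($pending) {
    Write-Warning "No valid KDC Authentication certificate yet on: $($pending -join ', ')"
} else {
    'All domain controllers hold a valid certificate with the KDC Authentication EKU.'
}
```

A DC that fails to answer over WinRM returns no rows and is therefore listed as pending, so an unreachable host is not mistaken for an enrolled one.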
