Domain Controller Certificate Autoenrollment Not Working
Troubleshooting one of the most important and versatile parts of the Windows PKI world is a fairly complex process, because autoenrollment depends on a plethora of prerequisites (Group Policy, published templates, enrollment permissions and the CA itself) in order to work correctly.

Start by confirming that autoenrollment is actually switched on by Group Policy:

1. Double-click Default Domain Policy.
2. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.
3. Click Public Key Policies.
4. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens and shows whether the policy is enabled.

Next confirm that the template the domain controllers need is published and that they are permitted to enroll for it. In the Certification Authority console, expand the CA node, right-click the Certificate Templates folder and choose Manage.

Then watch the Application event log. Refresh the log to see what happens during autoenrollment: two computer autoenrollment messages (start and stop) should occur first, followed within 30 seconds by two user autoenrollment messages (start and stop). Any issued certificates should appear in the log as Event ID 18 or 19.

Two behaviours to keep in mind while reading the results: all users who log on to the machine inherit the trust and the certificates that are downloaded and managed by autoenrollment, and certificates that were issued or autoenrolled from a previous forest will not be removed unless the machine is a domain controller. The following stores are located under the following DS path.

Domain controller not auto-enrolling Kerberos certificate from new 2016 CA.

I migrated a Windows 2008 R2 DC and Enterprise Root CA to a new Windows 2016 DC and CA. Everything seemed stable, except I had a few RODCs and writeable DCs that were showing failed requests in the CA for their auto. Non-domain controllers are getting certificates for WinRM and are working as expected, and the domain controllers did self-generate a few certificates too.
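A way to run the checks described on this page from the affected domain controller itself, as an added PowerShell example that is not from the original page, the forum poster, or any vendor documentation: it reads the effective autoenrollment policy from the registry, pulses autoenrollment with certutil, lists the events the autoenrollment client logged since the pulse, and reports whether the machine store already holds a certificate from the Kerberos Authentication, Domain Controller Authentication or Domain Controller templates. The registry key and the meaning of the AEPolicy flag values, the 45-second wait, the choice of template names, and the parsing of the certificate template extensions are assumptions of this example, not facts stated on the page.

```powershell
# Added troubleshooting helper, not part of the original page.
# Run in an elevated PowerShell session on the domain controller that is not enrolling.

# 1. Effective autoenrollment policy as delivered by Group Policy.
#    Assumption: the "Certificate Services Client - Auto-Enrollment" setting lands in
#    the AEPolicy DWORD under this key; a missing value means the GPO never applied,
#    and the 0x8000 bit means the policy is set to Disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Warning "No AEPolicy value under $aeKey : the autoenrollment GPO has not reached this machine"
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Warning ("AEPolicy is 0x{0:X}: autoenrollment is Disabled by policy" -f $ae.AEPolicy)
} else {
    "AEPolicy is 0x{0:X}: autoenrollment is enabled" -f $ae.AEPolicy
}

# 2. Trigger an autoenrollment pass and give it time to finish.
#    The page expects the user start/stop pair within 30 s of the computer pair,
#    so 45 s is a generous window (an assumption of this example).
$since = Get-Date
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 45

# 3. Pull the autoenrollment events written since the pulse.
#    Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
if (-not $events) {
    Write-Warning 'No autoenrollment events at all: the client never started; check the GPO and the pulse'
}
# First line of each message is enough to see start/stop and error events;
# error events name the template and the CA that rejected the request.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 4. Which templates does the machine store already hold?
#    Assumption: the template is identified by the v1 extension 1.3.6.1.4.1.311.20.2
#    (value is the template's common name, e.g. DomainController) or the v2 extension
#    1.3.6.1.4.1.311.21.7 (Format($false) renders "Template=<name>(<oid>), Major ...").
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    $tpl = ''
    if ($ext) {
        $tpl = ($ext.Format($false) -replace '^Template=', '') -replace '\(.*$', ''
    }
    [pscustomobject]@{
        Template   = $tpl.Trim()
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
    }
}
$certs | Format-Table -AutoSize

# Compare with whitespace removed so "Domain Controller" matches the v1 name "DomainController".
$wanted = 'Kerberos Authentication', 'Domain Controller Authentication', 'Domain Controller'
$held = @($certs.Template | ForEach-Object { $_ -replace '\s', '' })
foreach ($t in $wanted) {
    if ($held -contains ($t -replace '\s', '')) {
        "OK: LocalMachine\My holds a certificate from template '$t'"
    } else {
        Write-Warning "No certificate from template '$t' in LocalMachine\My"
    }
}
```

Read the output top to bottom in the same order the page suggests: a missing or Disabled AEPolicy explains an empty event list, an event list with error-level entries points at template permissions or publishing on the CA, and a clean event list with no matching template in the store usually means the certificate was issued but the request is still pending on the CA.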