Score:0

LDAPS, Certificate Authority, and Domain Controllers

ba flag

I have a domain environment with four 2012 domain controllers that I am working on replacing with four new 2022 domain controllers. I have some questions regarding how the CA works when issuing certificates to domain controllers for LDAPS authentication.

All four 2022 domain controllers are now online and there are no issues with replication; however, LDAPS doesn't work on three of the four. I determined that the CA is installed on one of the domain controllers that we are replacing, and in it I can see that Domain Controller certificates were only issued to one of the four new domain controllers (hence why it isn't working on three). What controls issuing these certificates to domain controllers? Why didn't the other three servers get a domain controller certificate?

Since the CA is installed on one of the servers that we are replacing, it is going to need to be migrated. I have located this guide; however, I'm wondering if there is a better way to do it. This guide appears to have you back up the CA, then remove the CA role, then add it to the destination server and restore the database. Will this take out LDAPS while this is being performed? If there is a better way to migrate the CA to one of the new domain controllers, please let me know.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486805(v=ws.11)

cn flag
This is too broad to walk you through the entire process. However, there is a template for server authentication. The template can be copied, and domain controllers can be configured to have permission to request enrollment. That's the automation part. You can also manually issue certificates based on an .inf file using certreq. It only requires a few minutes. Note that a server auth certificate may be different from other types of authentication, and there is a specific auth type that isn't required for LDAPS. There's also the matter of using an alias. DNS domain name
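The answer above names two routes: automatic enrollment from a template the DCs have enroll permission on, or a manual request from an .inf file with certreq. As an added example (not code from the thread, and not Microsoft's own guidance), the following PowerShell does both halves of the practical work: it first connects to TCP 636 on every DC and reports the certificate each one actually presents (the fastest way to see which of the four have a usable cert and who issued it), then shows the .inf/certreq sequence for a manual request. The host name dc05.corp.example.com, the CA path OLDDC01.corp.example.com\Corp-Issuing-CA, the SAN entries and the template name DomainController are placeholders for illustration; it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, run with domain-admin rights, and the certreq part must be run on the DC that needs the certificate because the key is generated into that machine's store.

```powershell
# Added example, not from the original thread. Placeholders: dc05.corp.example.com,
# OLDDC01.corp.example.com\Corp-Issuing-CA, corp.example.com, template DomainController.
Import-Module ActiveDirectory

function Test-LdapsCertificate {
    # Opens a TLS session to the LDAPS port and returns the certificate the DC presents.
    # The validation callback accepts any chain on purpose: the question is what the DC
    # serves (or whether it serves anything at all), not whether this client trusts it.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)   # throws if the DC has no certificate to offer
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 1.3.6.1.4.1.311.20.2 = template name (v1 templates such as DomainController);
        # 1.3.6.1.4.1.311.21.7 = template OID and version (v2+ templates such as Kerberos Authentication).
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Computer = $ComputerName
            LdapsOk  = $true
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Template = ($template -join '; ')
            SAN      = ($san -join '; ')
        }
    }
    catch {
        [pscustomobject]@{ Computer = $ComputerName; LdapsOk = $false; Error = $_.Exception.Message }
    }
    finally {
        $client.Close()
    }
}

# 1. Inventory: which DCs answer on 636, and with a certificate from which CA / template.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-LdapsCertificate -ComputerName $_.HostName } |
    Format-Table Computer, LdapsOk, Template, Issuer, NotAfter, Error -AutoSize

# 2. Manual request on the DC that is missing a certificate (the certreq/.inf route).
#    MachineKeySet puts the key in the machine store, which is where LDAP looks for it.
#    If the template is set to build the subject from Active Directory, the CA replaces
#    the Subject/SAN supplied here with the values it constructs.
$dcFqdn = 'dc05.corp.example.com'
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dcFqdn"
KeyLength = 2048
KeySpec = 1
; 0xA0 = digital signature + key encipherment
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
; SAN: the DC FQDN plus the domain name, for clients that bind to the domain alias
2.5.29.17 = "{text}"
_continue_ = "dns=$dcFqdn&"
_continue_ = "dns=corp.example.com&"

[RequestAttributes]
CertificateTemplate = DomainController
"@
Set-Content -Path .\dc-ldaps.inf -Value $inf -Encoding ASCII

certreq -new    .\dc-ldaps.inf .\dc-ldaps.req                                          # key pair + CSR
certreq -submit -config 'OLDDC01.corp.example.com\Corp-Issuing-CA' .\dc-ldaps.req .\dc-ldaps.cer
certreq -accept .\dc-ldaps.cer                                                         # bind cert to the key
Test-LdapsCertificate -ComputerName $dcFqdn                                            # confirm it is served
```

The inventory step is worth running before and after any CA migration: a DC whose only certificate chains to a CA you are about to decommission will keep serving it until it expires, so the table tells you which DCs need a fresh certificate from the surviving CA rather than just whether port 636 answers today.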
cn flag
Detailed and helpful guides are available here: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx and here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
Tom Gordon
ba flag
Can somebody tell me why one of the new domain controllers automatically received a certificate on the day it was promoted and the other three did not? If all domain controllers received a cert I would just follow the guide for migrating the CA, but I want to make sure everything is working properly, and if one server received a cert and the others didn't then I would say that something isn't set up correctly.
cn flag
Check the permissions for the template. Should be information in the Application/CAPI2 event logs.
Tom Gordon
ba flag
I couldn't even find a GPO that enabled auto-enroll, so I created one. All of a sudden a bunch of certificates were issued, including one somebody created for LDAPS, to all domain controllers. The certificate template Domain Controller is still only applied to the old domain controllers and one of the new domain controllers. Is this template supposed to be applied to all domain controllers? Will there be any problems if the new DCs are missing this cert? Should I just manually request it? Sorry, but I can't find any information about this online.
Tom Gordon
ba flag
There was no Domain Controller cert showing for three of the four new domain controllers because there were two enterprise CAs installed (one that I didn't know about). The three that were not issued Domain Controller certs from the CA I knew about were issued Domain Controller certs from the other CA. I will post a new question about how to clean this up now that I know what happened.
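The root cause in the comment above, a second enterprise CA nobody had inventoried, is easy to miss because each CA's own console only shows the certificates it issued. As an added example (not code from the thread), the PowerShell below lists every enterprise CA published in the forest's configuration partition together with the templates it offers, then pulls the certificates from each DC's machine store and tabulates them by template and issuer, so a split like "three DCs enrolled from CA B, one from CA A" shows up in one view. It assumes the RSAT ActiveDirectory module, domain-admin rights, and WinRM access to every DC; no host or CA names are hard-coded.

```powershell
# Added example, not from the original thread. Requires RSAT ActiveDirectory, domain-admin
# rights, and PowerShell remoting (WinRM) to each domain controller.
Import-Module ActiveDirectory

function Get-EnterpriseCA {
    # Every pKIEnrollmentService object under Enrollment Services is an enterprise CA that
    # domain members (including DCs doing autoenrollment) will consider when enrolling.
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $caContainer -Filter 'objectClass -eq "pKIEnrollmentService"' `
                 -Properties dNSHostName, certificateTemplates, cACertificateDN |
        ForEach-Object {
            [pscustomobject]@{
                CAName    = $_.Name
                Host      = $_.dNSHostName
                IssuerDN  = $_.cACertificateDN
                Templates = ($_.certificateTemplates -join ', ')
            }
        }
}

function Get-DCCertificateInventory {
    # Remotely enumerates the machine Personal store on each DC and tags each certificate
    # with its template (v1 name OID 1.3.6.1.4.1.311.20.2, v2 OID 1.3.6.1.4.1.311.21.7).
    param([string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
            $tmpl = $_.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
                ForEach-Object { $_.Format($false) }
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Template   = ($tmpl -join '; ')
                Thumbprint = $_.Thumbprint
            }
        }
    } | Select-Object PSComputerName, Template, Issuer, Subject, NotAfter, Thumbprint
}

# 1. Which CAs exist, and which of them publish a DC-capable template.
$cas = Get-EnterpriseCA
$cas | Format-Table CAName, Host, Templates -AutoSize
$cas | Where-Object { $_.Templates -match 'DomainController|KerberosAuthentication' } |
    ForEach-Object { "DC-capable template published by: $($_.CAName) on $($_.Host)" }

# 2. Which CA each DC actually enrolled from; group by issuer to expose a split like the one above.
$inventory = Get-DCCertificateInventory
$inventory | Sort-Object PSComputerName, Template |
    Format-Table PSComputerName, Template, Issuer, NotAfter -AutoSize
$inventory | Where-Object { $_.Template -match 'DomainController|KerberosAuthentication' } |
    Group-Object Issuer |
    ForEach-Object { "{0} DC certificate(s) issued by {1}: {2}" -f $_.Count, $_.Name, (($_.Group.PSComputerName | Sort-Object -Unique) -join ', ') }
```

The first table is the one to check before decommissioning anything: a CA you did not know about that still publishes the Domain Controller or Kerberos Authentication template will keep winning autoenrollment on some DCs, and removing it without first issuing replacement certificates from the surviving CA is exactly how LDAPS silently breaks on a subset of domain controllers.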