WhfB certificate template concern

Steve Cooke 1 Reputation point

Hi All
We are wanting to deploy WHfB using Key trust following the below Microsoft guide
We have most prerequisites in place as we already have a Hybrid model using AD connect for O365.
My Main concern is around replacing the Domain Controller Authentication (Kerberos) Certificate Template. Is there any potential for things to go wrong? Eg could AD break, or clients get disconnected from the domain etc? It seems to me that this template is central for client authentication, so in a worst case scenario I would think things could go very bad.


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,521 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 29,526 Reputation points Microsoft Employee

    Superseded certificate templates may be an issue, but it's easily avoided if you have the right policies in place. If you don't have autoenrollment configured properly for users it can result in the deletion of certificates, based on the certificate templates being superseded by other certificate templates, from user's AD store.

    However, the troubleshooting steps for overcoming this issue (or better yet, configuring things properly so that this doesn't happen) are covered here.

    In addition to the deployment guide you linked, I would also recommend checking out this additional WHFB deployment guide. This discusses some of the important considerations when replacing the Domain Controller.

    Let me know if that's what you were looking for!

    0 comments No comments

  2. Steve Cooke 1 Reputation point

    Thanks for the info Marilee, we don't currently have AD certificate services on our domain, is there no way to do this using something in Azure AD rather than using AD CS?
    Is there any risk that installing AD CS now would cause any issues for our Domain, and the 2 way trusts we have set up with 2 other Domains?


    0 comments No comments