Domain controllers and the Trusted Root Certification Authorities container

SamT 6 Reputation points
2020-12-19T04:04:02.27+00:00

Hello Microsoft,

We installed a new Windows 2019 domain/forest with three domain controllers a few days ago.

In the certificates mmc, when we look at the Trusted Root Certification Authorities container for the Local Computer, we get different results on all three DCs. The first DC has 37 certificates in the Trusted Root Certification Authorities container, the second DC has 20 certificates in this container and the third DC has 15 certificates in this container.

Why the discrepancy? Is there some logic to this? Replication between the DCs is normal and we have not removed/added any certs to the store.
I've noticed this discrepancy previously in other domains but I assumed it was due to some sort of maintenance. In this case it's a brand new domain.



2 answers

  1. Vicky Wang 2,731 Reputation points
    2020-12-22T09:33:38.767+00:00

    Hi,
    Thank you for posting in our forum.
    Here is how to use certutil to check all 5 physical stores in the Trusted Root Certification Authorities store:

    Registry, Third-Party, Group Policy, Enterprise and Smart Card.

    When we use the following command to check the stores we find 5 stores' names in the command line:

    certutil -v -enumstore shows the following:

    Root (this is the logical store that aggregates all of the following)

    Root: .Default (this is the registry store)

    Root: .AuthRoot

    Root: .GroupPolicy

    Root: .Enterprise

    Root: .SmartCard

    https://learn.microsoft.com/en-us/windows-hardware/drivers/install/trusted-publishers-certificate-store

    Hope this information can help you
    Best wishes
    Vicky


  2. Cheong00 3,476 Reputation points
    2020-12-23T04:24:55.133+00:00

    Before locking this thread, I'll try to add some input for the original question.

    I remember that from a previous "CNNIC incident", in order to save some size on installation media, plus save users the trouble of seeing major CAs have expired certs immediately after installation if you try to install it many many years later, Windows does not ship with current certs of common CAs. Instead, it has a preset list of CA names that, when the OS sees one on any trust chain, it will immediately try to download and trust. (Remember the CNNIC incident that caused Chrome and Firefox to remove CNNIC from trusted CAs? That caused me to check whether CNNIC is in my trusted CA store but I couldn't find it. And as soon as I visited any site that uses CNNIC as CA for their certs, it immediately showed up.)

    So if the domain controllers have applications signed with different CAs, or someone has visited websites on the domain controllers, the certs listed in the certificate store will be different.

    Since cert store data is not synced between domains, maybe that can help explain the difference.
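To act on both answers above (the five physical stores certutil lists under Root, and AuthRoot being filled in on demand), here is an added PowerShell check that is not from this thread: it tallies each physical store on every DC and diffs the aggregated Root store so the discrepancy can be traced to a specific physical store. The DC names are placeholders, WinRM is assumed to be enabled, and the SmartCardRoot registry path is an assumption.

```powershell
# Added example, not from the thread. Assumptions: placeholder DC names, WinRM enabled,
# and the SmartCardRoot registry path (the other four paths are the standard locations).
$DomainControllers = @('DC1', 'DC2', 'DC3')   # placeholders, replace with your own

# Physical stores that "certutil -v -enumstore" lists under Root, mapped to the registry
# location that backs each one. Each subkey under ...\Certificates is one certificate.
$PhysicalStores = [ordered]@{
    'Root:.Default'     = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'Root:.AuthRoot'    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Root:.GroupPolicy' = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Root:.Enterprise'  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Root:.SmartCard'   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates' # assumed
}

$Results = Invoke-Command -ComputerName $DomainControllers -ArgumentList $PhysicalStores -ScriptBlock {
    param($Stores)
    $counts = [ordered]@{}
    foreach ($name in $Stores.Keys) {
        $path = $Stores[$name]
        $counts[$name] = if (Test-Path $path) { @(Get-ChildItem $path).Count } else { 0 }
    }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Counts      = $counts
        # The aggregated logical store, i.e. the view the certificates MMC shows.
        Thumbprints = @(Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint)
    }
}

# Per-physical-store counts. Default, GroupPolicy and Enterprise should match on DCs that are
# configured alike; AuthRoot is populated as roots are encountered, so that is where drift is expected.
foreach ($r in $Results) {
    Write-Host "$($r.Computer): total $($r.Thumbprints.Count) in Root"
    foreach ($name in $r.Counts.Keys) { Write-Host ("  {0,-20} {1}" -f $name, $r.Counts[$name]) }
}

# Which certificates does each DC lack that at least one other DC has?
$All = $Results | ForEach-Object { $_.Thumbprints } | Sort-Object -Unique
foreach ($r in $Results) {
    $missing = @($All | Where-Object { $r.Thumbprints -notcontains $_ })
    Write-Host "$($r.Computer) is missing $($missing.Count) certificate(s) present elsewhere: $($missing -join ', ')"
}
```

If only the AuthRoot counts differ while Default, GroupPolicy and Enterprise match, the DCs are configured consistently and the MMC totals differ only because of on-demand root downloads.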

