
Domain Controller Authentication certificate removal

Bojan Zivkovic 641 Reputation points
2025-02-03T18:33:51.82+00:00

Hi, I just want to confirm: is the Domain Controller Authentication certificate that is auto-enrolled to all domain controllers obsolete and completely replaced by the Kerberos Authentication certificate? If so, can this certificate template be stopped from auto-enrollment/renewal first and eventually be completely removed?


2 answers

  1. Anonymous
    2025-02-04T10:01:25.9+00:00

    Hello Bojan Zivkovic,

    Thank you for posting in Q&A forum.

    There has been some evolution in the certificate templates that domain controllers use over the years. In modern (post–Windows Server 2012) Active Directory environments, Microsoft introduced the Kerberos Authentication certificate template to support certificate‐based Kerberos authentication. For many organizations running fully updated environments, the Kerberos Authentication certificate is now the preferred option, and the older Domain Controller Authentication certificate template is increasingly seen as a legacy mechanism.

    That said, before “removing” or disabling the autoenrollment of the Domain Controller Authentication certificate template, there are some important points to consider:

    1. Environment and Dependency Check.  

    • Although many organizations have moved to certificate–based Kerberos with the newer template, some environments (especially those with legacy systems or mixed server OS versions) may still have dependencies on the Domain Controller Authentication certificate.  

    • It’s essential to review your environment (including services like LDAPS, smart card logon, or any custom solution that might reference the older template) to be 100% sure that no clients or services expect this certificate.

    2. Autoenrollment Control.  

    • Autoenrollment is driven by Group Policy and the certificate template’s security settings. If you are confident the Domain Controller Authentication certificate is no longer needed, you can stop it from auto enrolling. This is typically done either by:   

    Removing or altering the relevant autoenrollment Group Policy settings (or disabling autoenrollment rights in the template’s security configuration), or

    Adjusting the template’s configuration in your enterprise CA so that it no longer issues certificates automatically to domain controllers.

    3. Phased Removal Process.  

    • It is a best practice to first disable autoenrollment/renewal so that no new Domain Controller Authentication certificates are issued. Monitor the environment to ensure that no unexpected issues occur over the certificate’s lifetime.  

    • Once you are satisfied that no services are using these certificates (and after waiting for the existing ones to naturally expire or be retired), you can remove the template from the CA (or at least stop publishing it) so that it will not be available for future enrollment.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

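    An added inventory script for the dependency check and monitoring steps above; it is my own example, not code from this thread or from Microsoft. It lists every domain controller's machine certificates with their template and flags whether each DC already holds a Kerberos Authentication certificate (identified by the KDC Authentication EKU, 1.3.6.1.5.2.3.5), so you can see which legacy certificates are still in place and when they expire. It assumes the RSAT ActiveDirectory module on the admin host and PowerShell remoting to each DC.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes the RSAT
# ActiveDirectory module on the admin host and WinRM (PowerShell remoting) to every DC.
Import-Module ActiveDirectory

$TemplateExtV2 = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (v2+ templates)
$TemplateExtV1 = '1.3.6.1.4.1.311.20.2'  # Certificate Template Name (v1 templates)
$KdcAuthEku    = '1.3.6.1.5.2.3.5'       # KDC Authentication EKU, carried by Kerberos Authentication certs

$dcs = (Get-ADDomainController -Filter *).HostName

# Collect every machine certificate on each DC with its template text and EKU OIDs.
$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert   = $_
        $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in @($using:TemplateExtV2, $using:TemplateExtV1) }
        # Format($false) yields e.g. "Template=Kerberos Authentication(...)", or only the template OID
        # when the friendly name cannot be resolved; compare such an OID with msPKI-Cert-Template-OID in AD.
        $tplText = ($tplExt | ForEach-Object { $_.Format($false) }) -join '; '
        $ekus    = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Template   = $tplText
            HasKdcAuth = $ekus -contains $using:KdcAuthEku
        }
    }
}

# Per-DC summary: a DC is ready to move off the legacy template only if it already holds
# a Kerberos Authentication certificate; the legacy count shows what still has to expire.
$summary = $inventory | Group-Object PSComputerName | ForEach-Object {
    $certs = $_.Group
    [pscustomobject]@{
        DC                = $_.Name
        KerberosAuthCerts = @($certs | Where-Object HasKdcAuth).Count
        LegacyDCAuthCerts = @($certs | Where-Object { -not $_.HasKdcAuth -and $_.Template -match 'Domain ?Controller' }).Count
        HasKerberosAuth   = [bool]($certs | Where-Object HasKdcAuth)
    }
}
$summary | Format-Table -AutoSize

# Legacy certificates still present, earliest expiry first: this is the list to watch
# while autoenrollment/renewal of the Domain Controller Authentication template is off.
$inventory | Where-Object { $_.Template -match 'Domain ?Controller' -and -not $_.HasKdcAuth } |
    Sort-Object NotAfter |
    Format-Table PSComputerName, Template, NotAfter, Thumbprint -AutoSize
```

    Run it once before disabling autoenrollment and again periodically afterwards; any DC whose HasKerberosAuth column is False still needs a Kerberos Authentication certificate before the legacy template is retired.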

  2. S.Sengupta 30,606 Reputation points MVP Volunteer Moderator
    2025-02-04T01:01:20+00:00

    As of Windows Server 2022 and recent updates to Windows Server 2019, the Domain Controller Authentication certificate has been replaced by the Kerberos Authentication certificate.

    You can stop the auto-enrollment of this certificate by modifying the certificate template properties and disabling auto-enrollment.

