Domain Controller Authentication certificate removal

Bojan Zivkovic 526 Reputation points
2025-02-03T18:33:51.82+00:00

Hi, I just want to confirm: is the Domain Controller Authentication certificate, auto-enrolled to all domain controllers, obsolete and completely replaced by the Kerberos Authentication certificate? If so, can this certificate template be stopped from auto-enrollment/renewal first and eventually be completely removed?


2 answers

  1. S.Sengupta 22,001 Reputation points MVP
    2025-02-04T01:01:20+00:00

    As of Windows Server 2022 and recent updates to Windows Server 2019, the Domain Controller Authentication certificate has been replaced by the Kerberos Authentication certificate.

    You can stop the auto-enrollment of this certificate by modifying the certificate template properties and disabling auto-enrollment.


  2. Daisy Zhou 28,821 Reputation points Microsoft Vendor
    2025-02-04T10:01:25.9+00:00

    Hello Bojan Zivkovic,

    Thank you for posting in Q&A forum.

    There has been some evolution in the certificate templates that domain controllers use over the years. In modern (post-Windows Server 2012) Active Directory environments, Microsoft introduced the Kerberos Authentication certificate template to support certificate-based Kerberos authentication. For many organizations running fully updated environments, the Kerberos Authentication certificate is now the preferred option, and the older Domain Controller Authentication certificate template is increasingly seen as a legacy mechanism.

    That said, before “removing” or disabling the autoenrollment of the Domain Controller Authentication certificate template, there are some important points to consider:

    1. Environment and Dependency Check.

    • Although many organizations have moved to certificate-based Kerberos with the newer template, some environments (especially those with legacy systems or mixed server OS versions) may still have dependencies on the Domain Controller Authentication certificate.

    • It’s essential to review your environment (including services like LDAPS, smart card logon, or any custom solution that might reference the older template) to be 100% sure that no clients or services expect this certificate.

    2. Autoenrollment Control.

    • Autoenrollment is driven by Group Policy and the certificate template’s security settings. If you are confident the Domain Controller Authentication certificate is no longer needed, you can stop it from auto-enrolling. This is typically done either by:

    Removing or altering the relevant autoenrollment Group Policy settings (or disabling autoenrollment rights in the template’s security configuration), or

    Adjusting the template’s configuration in your enterprise CA so that it no longer issues certificates automatically to domain controllers.

    3. Phased Removal Process.

    • It is a best practice to first disable autoenrollment/renewal so that no new Domain Controller Authentication certificates are issued. Monitor the environment to ensure that no unexpected issues occur over the certificate’s lifetime.

    • Once you are satisfied that no services are using these certificates (and after waiting for the existing ones to naturally expire or be retired), you can remove the template from the CA (or at least stop publishing it) so that it will not be available for future enrollment.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

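As an added example (not part of either answer above), the following PowerShell inventory supports the dependency check and phased removal described in the second answer: it lists which certificates each domain controller holds from the Domain Controller Authentication and Kerberos Authentication templates, and which certificate each DC actually presents on LDAPS (TCP 636), so you can see whether LDAPS still depends on the legacy template before disabling its autoenrollment. It assumes domain admin rights, WinRM access to every DC, the RSAT ActiveDirectory module, and the default template display names.

```powershell
# Added example, not from the Q&A thread. Assumptions: domain admin, WinRM to all DCs,
# RSAT ActiveDirectory module, default template display names.
$templateRegex = 'Domain Controller Authentication|Kerberos Authentication|\bDomainController\b'
$kdcAuthEku    = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU: on the Kerberos Authentication template only

$dcs = (Get-ADDomainController -Filter *).HostName

# Step 1: inventory machine-store certificates on every DC by issuing template.
$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($regex, $kdcEku)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # v1 templates carry the name in 1.3.6.1.4.1.311.20.2; v2 templates carry OID+version in 1.3.6.1.4.1.311.21.7
        $tpl = ($cert.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
                ForEach-Object { $_.Format($false) }) -join ' '
        if ($tpl -match $regex) {
            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                Template   = $Matches[0]
                HasKdcEku  = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $kdcEku)
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
} -ArgumentList $templateRegex, $kdcAuthEku

$inventory | Sort-Object DC, Template | Format-Table DC, Template, HasKdcEku, NotAfter, Thumbprint -AutoSize

# Step 2: which certificate does Schannel present for LDAPS? If it is still the Domain
# Controller Authentication certificate, disabling the template leaves LDAPS without a
# replacement once that certificate expires.
foreach ($dc in $dcs) {
    try {
        $tcp = New-Object Net.Sockets.TcpClient($dc, 636)
        # Chain validation is skipped here on purpose: we only want to read the presented certificate.
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
                   [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($dc)
        $thumb = (New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)).Thumbprint
        $match = $inventory | Where-Object { $_.DC -eq ($dc -split '\.')[0] -and $_.Thumbprint -eq $thumb }
        $label = if ($match) { $match.Template } else { 'template not in inventory' }
        '{0}: LDAPS presents {1} ({2})' -f $dc, $thumb, $label
        $ssl.Dispose(); $tcp.Dispose()
    } catch { '{0}: LDAPS check failed: {1}' -f $dc, $_.Exception.Message }
}
```

A DC whose LDAPS listener presents a certificate with HasKdcEku set to True is already using the Kerberos Authentication certificate; any DC still presenting the legacy template should be re-enrolled before autoenrollment for that template is disabled.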
