Certificates on DCs being updated too frequently impacting LDAP lookups from another service

Anonymous
2024-08-01T10:36:39+00:00

We've got an issue with one of our services (VPN) that uses LDAP lookups to DCs. That system has the thumbprints of the DC certificates on it that require updating whenever the certificates on the DC renew.

Certificates have a two year expiry on them, but are getting renewed much more frequently and therefore causing issues with service availability, especially if they renew on multiple DCs at the same time, in part because we are restricted on when we can push policies on the firewall for the VPN.

We've not been able to identify what might be causing the certificates to be renewed so frequently. They are certainly not within the grace period, which is a few weeks ahead of expiry.

Has anyone had any similar issues with certificates on Domain Controllers updating so frequently and been able to identify what was triggering it?

DCs and domain level are 2016.

Windows Server Identity and access Certificates and public key infrastructure (PKI)


9 answers

  1. Anonymous
    2024-08-01T11:51:38+00:00

    Hello Tim Cooke UK,

    Thank you for posting in Microsoft Community forum.

    The issued certificate validity period depends upon the least of the values below.

    a) The expiry date of the issuing CA certificate

    b) The validity period that is defined in the registry, which affects all certificates issued by a Stand-alone or Enterprise CA. For an Enterprise CA, the default registry setting is two years. For a Stand-alone CA, the default registry setting is one year.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    c) The template validity period, in the case of an Enterprise (AD-integrated) CA

    You can check the least value of the three points above.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

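    The answer above lists the three inputs that bound a certificate's lifetime but does not show how to read them, or how to spot certificates that were renewed well inside that lifetime. The script below is an added example and is not from the thread or from Microsoft; it runs in an elevated PowerShell session on a domain controller (the `certutil -getreg` lines are meant for the CA host). The template extension OIDs are the documented Microsoft ones; everything else (the report shape, the column names) is this example's own choice.

```powershell
# Added example, not from the original thread: inventory the local machine certificates,
# show which template issued each one and its validity window, so that a certificate
# renewed weeks after issue (instead of near its 2-year expiry) stands out.

$TemplateOidV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$TemplateOidV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 and later)

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in $TemplateOidV1, $TemplateOidV2 } |
        Select-Object -First 1
    if ($null -eq $ext) { return '<no template extension>' }
    # Format($false) renders the extension as single-line text (template name or OID)
    return $ext.Format($false)
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
        Issuer       = $_.Issuer
        Template     = Get-CertTemplateName $_
        NotBefore    = $_.NotBefore
        NotAfter     = $_.NotAfter
        ValidityDays = [int]($_.NotAfter - $_.NotBefore).TotalDays
        EKU          = ($_.EnhancedKeyUsageList.FriendlyName -join '; ')
    }
}

# Group by template and sort by issue date: several NotBefore dates only weeks apart
# on the same template is the symptom the question describes.
$report |
    Sort-Object Template, NotBefore |
    Format-Table Template, NotBefore, NotAfter, ValidityDays, EKU, Thumbprint -AutoSize

# The three inputs from the answer above, where to read each one:
#   (a) the CA certificate's own NotAfter  -> the Issuer's certificate in Cert:\LocalMachine\CA
#   (b) the CA registry validity period    -> certutil -getreg on the CA host (below)
#   (c) the template validity period       -> the template's pKIExpirationPeriod attribute in AD
#       (the template name/OID per certificate is the Template column above)
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits
```

    Run it on each DC that is showing the behaviour and keep the output; comparing the NotBefore dates across DCs tells you whether the renewals are synchronised (which points at a policy or template change) or independent (which points at something local to each DC).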
  2. Anonymous
    2024-08-02T15:28:56+00:00

    Hi Daisy,

    Yes, all those in the red box are issued from the same template. Similarly, all those below the box (Remote Desktop Authentication / Server Authentication) were issued by the same (separate) template.

    From our investigation so far it appears the RDA / SA certificates are the ones being used for the LDAPS connections.

    Thanks,

    Tim

  3. Anonymous
    2024-08-05T09:16:37+00:00

    Hello

    Good day!

    You can try to uncheck the autoenrollment permission on the specific certificate template and check if it helps.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
  4. Anonymous
    2024-08-01T13:18:34+00:00

    Hi Daisy,

    There's no issue with the expiry date on the certs, which is 2 years from issue. The problem is that something is causing new certs to be requested much sooner, sometimes within weeks of being updated. In some cases it appears the domain controllers themselves are doing an auto-renew, though they are also just requesting new certificates, as you can see below. This is happening on all domain controllers in different domains in the forest.

    Thanks,
    Tim

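    The replies above describe the actual outage mechanism: the VPN pins DC certificate thumbprints, and a renewed DC certificate no longer matches. A check that fetches the certificate each DC currently presents on the LDAPS port and compares it with the pinned list gives early warning before users notice. The script below is an added example, not from the thread or from Microsoft; the DC host names and the pinned thumbprint are placeholders to replace with your own values.

```powershell
# Added example, not from the original thread: open a TLS connection to each DC on 636,
# capture the certificate the DC presents, and compare its thumbprint with the list the
# VPN appliance has pinned. A mismatch means LDAPS lookups from the VPN to that DC fail.

$PinnedThumbprints = @(
    'REPLACE_WITH_THUMBPRINT_CONFIGURED_ON_THE_VPN'   # placeholder value
)
$DomainControllers = @('dc01.example.internal', 'dc02.example.internal')  # placeholders

function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # This is an inspection tool: accept whatever the server presents so that the
        # certificate is captured even when the chain does not validate on this host.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) ; return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy into X509Certificate2 so Thumbprint/NotBefore/NotAfter are available
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $tcp.Dispose()
    }
}

foreach ($dc in $DomainControllers) {
    try {
        $cert = Get-LdapsServerCertificate -HostName $dc
        $pinned = $cert.Thumbprint -in $PinnedThumbprints
        [pscustomobject]@{
            DC         = $dc
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Status     = if ($pinned) { 'matches pinned list' } else { 'NOT PINNED: VPN lookups to this DC will fail' }
        }
    } catch {
        [pscustomobject]@{ DC = $dc; Thumbprint = $null; Subject = $null; NotBefore = $null; NotAfter = $null; Status = "connection failed: $($_.Exception.Message)" }
    }
}
```

    Scheduling this from a host that can reach all DCs turns a silent renewal into an alert you can act on inside the firewall change window, and the Subject and NotBefore columns confirm which of the DC's certificates (the Remote Desktop Authentication / Server Authentication ones mentioned above) Schannel is actually serving on 636.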
  5. Anonymous
    2024-08-01T13:59:16+00:00

    Hello

    Good day!

    Are the parts circled in red the same certificate template or different certificate templates?

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
