We've got an issue with one of our services (VPN) that uses LDAP lookups to DCs. That system has the thumbprints of the DC certificates on it that require updating whenever the certificates on the DC renew.
Certificates have a two year expiry on them, but are getting renewed much more frequently and therefore causing issues with service availability, especially if they renew on multiple DCs at the same time, in part because we are restricted on when we can push policies on the firewall for the VPN.
We've not been able to identify what might be causing the certificates to be renewed so frequently. They are certainly not within the grace period, which is a few weeks ahead of expiry.
Has anyone had any similar issues with certificates on Domain Controllers updating so frequently and been able to identify what was triggering it?
DCs and domain level are 2016.
Hello
Good day!
You can try to uncheck the autoenrollment permission on the specific certificate template and check if it helps.
Best Regards,
Daisy Zhou
Hi Daisy,
Yes all those in the red box are issued from the same template. Similarly all those below the box (Remote Desktop Authentication / Server Authentication) were issued by the same (separate) template.
From our investigation so far it appears the RDA / SA certificates are the ones being used for the LDAPS connections.
Thanks,
Tim
Hi Daisy,
There's no issue with the expiry date on the certs, which is 2 years from issue. The problem is that something is causing new certs to be requested much sooner, sometimes within weeks of being updated. In some cases it appears the domain controllers themselves are doing an auto-renew, though they are also just requesting new certificates, as you can see below. This is happening on all domain controllers in different domains in the forest.
Thanks,
Tim
Hello Tim Cooke UK,
Thank you for posting in Microsoft Community forum.
The issued certificate validity period depends upon the least of the values below.
a) The expiry date of the issuing CA certificate.
b) The validity period that is defined in the registry, which affects all certificates that are issued by Stand-alone and Enterprise CAs. For an Enterprise CA, the default registry setting is two years; for a Stand-alone CA, the default registry setting is one year:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits
c) The template validity period, in the case of an Enterprise (AD integrated) CA.
You can check the least of the three values above.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
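As an added example, not code from the thread or from Microsoft: a PowerShell script to run on a DC that groups the machine-store certificates by issuing template and flags renewals that happened while the previous certificate still had most of its lifetime left, which is the evidence Tim's question needs before blaming a template or autoenrollment setting. The template extension OIDs are the standard ones; the 10% renewal-window threshold, the function names and the assumption that superseded certificates are still present in the store are mine.

```powershell
# Added example (not from the thread): list the DC's machine certificates per template
# and report renewals issued long before the prior certificate expired.
# Run in an elevated PowerShell on the DC. Superseded certificates that autoenrollment
# archived are not returned by Get-ChildItem; compare with the CA's issued list
# (certutil -view on the CA) if the store shows only the newest certificate.
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 template name extension
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2 template OID/version extension

function Get-TemplateLabel {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $templateNameOid -or $ext.Oid.Value -eq $templateInfoOid) {
            # Format() renders e.g. "Template=KerberosAuthentication(1.3.6...)" for v2 templates
            return ($ext.Format($false) -replace '^Template=', '').Trim()
        }
    }
    return '(no template extension)'
}

# A renewal is "early" when the new cert was issued while the old one still had more
# than $MinRemainingFraction of its lifetime left (assumed 0.1, roughly the normal renewal window).
function Find-EarlyRenewals {
    param([double]$MinRemainingFraction = 0.1)
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter,
                      @{ n = 'Template'; e = { Get-TemplateLabel $_ } }
    $result = @()
    foreach ($group in ($certs | Group-Object Template)) {
        $ordered = @($group.Group | Sort-Object NotBefore)
        for ($i = 1; $i -lt $ordered.Count; $i++) {
            $prev = $ordered[$i - 1]; $cur = $ordered[$i]
            $lifetime  = ($prev.NotAfter - $prev.NotBefore).TotalDays
            $remaining = ($prev.NotAfter - $cur.NotBefore).TotalDays
            if ($lifetime -gt 0 -and ($remaining / $lifetime) -gt $MinRemainingFraction) {
                $result += [pscustomobject]@{
                    Template           = $group.Name
                    PreviousThumbprint = $prev.Thumbprint
                    NewThumbprint      = $cur.Thumbprint
                    NewIssued          = $cur.NotBefore
                    DaysLeftOnPrevious = [math]::Round($remaining)
                    PctLifetimeLeft    = [math]::Round(100 * $remaining / $lifetime)
                }
            }
        }
    }
    return $result
}

# On the CA itself, the registry value from point b) above can be read with:
#   certutil -getreg CA\ValidityPeriodUnits
Find-EarlyRenewals | Format-Table -AutoSize
```

A template that keeps appearing in the output with a high PctLifetimeLeft is the one to inspect, since the thread's LDAPS problem comes from the Remote Desktop Authentication / Server Authentication certificates rather than the Kerberos ones.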