AD CS: How to Obtain a List of Certificate Templates that are Superseding other Certificate Templates
Summary
In environments with many certificate templates in Active Directory, you may need to see which certificate templates supersede others, and the Certificate Templates MMC console is not an efficient way to do that. For example, when troubleshooting a certificate auto-enrollment issue, you may want to quickly view all superseding settings in your Active Directory forest.
The following command will dump the superseding settings from Active Directory:
ldifde -f con -d "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=your-forest-root-domain" -r "(msPKI-Supersede-Templates=*)" -p subtree -l distinguishedName,msPKI-Supersede-Templates
Be sure you replace your-forest-root-domain with the correct syntax for your AD forest root domain. Example: If the forest root domain is corp.contoso.com, the syntax would be:
DC=corp,DC=contoso,DC=com
More Information
If you are unsure of the name of your AD forest root domain, run the following command:
nltest /dsgetdc:your-domain-name
Where your-domain-name is the name of the domain you are currently logged into.
Sample nltest output:
nltest /dsgetdc:corp
DC: \\CORP-DC02
Address: \\192.168.1.45
Dom Guid: 98c2e585-25e8-11d3-a5ea-00805f9f21f5
Dom Name: CORP
Forest Name: corp.contoso.com
Dc Site Name: NA-NC
Our Site Name: NA-NC
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
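The same lookup can be scripted so that the forest root DN does not have to be typed by hand. The PowerShell below is an added example, not part of the original article: it reads the Configuration naming context from RootDSE, runs the same msPKI-Supersede-Templates filter, and flags superseded names that no longer match an existing template. It assumes a domain-joined host and that msPKI-Supersede-Templates stores the cn of each superseded template; Get-TemplateEntry is a hypothetical helper name.

```powershell
# Added example, not from the original article. Performs read-only LDAP queries.
# RootDSE supplies the Configuration naming context of the current forest.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$root = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# Hypothetical helper: returns the cn and superseded-template list of matching templates.
function Get-TemplateEntry([string]$Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500
    foreach ($p in 'cn', 'msPKI-Supersede-Templates') { [void]$searcher.PropertiesToLoad.Add($p) }
    $found = $searcher.FindAll()
    try {
        foreach ($r in $found) {
            [pscustomobject]@{
                Name       = [string]$r.Properties['cn'][0]
                # Result property names are stored in lower case.
                Supersedes = @($r.Properties['mspki-supersede-templates'])
            }
        }
    } finally { $found.Dispose() }
}

# Index every template name so dangling supersede references can be flagged.
# Assumption: msPKI-Supersede-Templates values are template cn values.
$known = @{}
Get-TemplateEntry '(objectClass=pKICertificateTemplate)' |
    ForEach-Object { $known[$_.Name] = $true }

# One row per (superseding template, superseded template) pair.
Get-TemplateEntry '(msPKI-Supersede-Templates=*)' | ForEach-Object {
    foreach ($old in $_.Supersedes) {
        [pscustomobject]@{
            Template         = $_.Name
            Supersedes       = $old
            SupersededExists = $known.ContainsKey($old)
        }
    }
} | Sort-Object Template, Supersedes | Format-Table -AutoSize
```

Rows where SupersededExists is False point at a template name that is no longer present in the forest, which is worth checking first when auto-enrollment does not replace a certificate as expected.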