RODCs Do Not Perform Domain Controller Certificate Enrollment

Applies To: Windows Server 2008

The Enterprise Read-Only Domain Controllers group is not included in the default groups that are defined in the Domain Controller certificate template. This prevents them from enrolling for a domain controller certificate and from being automatically enrolled.

A domain controller requires a Domain Controller certificate to authenticate a logon that uses a smart card. Because the RODCs cannot obtain the domain controller certificate by default, they cannot authenticate a smart card logon by default.


Smart card logons that are authenticated by an RODC fail. An error message appears that states that the operation is not supported.


To make it possible for an RODC to authenticate smart card logons, modify the following certificate templates:

  • On the Domain Controller certificate template, allow Enroll permissions for the ERODC group.

  • On the Domain Controller Authentication and Directory E-Mail Replication certificate templates, allow Enroll and Autoenroll permissions for the ERODC group. Allow Read permission for the Authenticated Users group.