Certificate Deployments and Active Directory Replication

Applies To: Windows Server 2008


Some authentication methods, such as PEAP and EAP when configured with certificate-based authentication types, can use certificates for authentication of computers and users. Latency in Active Directory® replication might temporarily affect the ability of a client or server to obtain a certificate from a certification authority (CA). If a computer configured to use certificates for authentication cannot enroll a certificate, authentication fails.

This latency in Active Directory replication can affect your network access authentication infrastructure because the certificates used for client and server authentication are issued by CAs to domain member computers. In the moments after you have joined a client or server computer to the domain, it is possible that the only domain controller that has a record of the computer's domain membership (its computer account) is the domain controller that handled the join request; other domain controllers, including global catalog servers, receive the new account only after replication has completed.

After a computer is joined to the domain, you must reboot the computer. When the computer starts, computer Group Policy is applied (user Group Policy is applied when you log on to the domain). If you have previously configured the autoenrollment of client computer certificates or, for NPS servers, server certificates, this is the moment at which the new domain member computer requests a certificate from a CA.

Note

You can manually refresh Group Policy by logging on to the domain or by running the gpupdate command.

The CA, in turn, checks Active Directory Domain Services (AD DS) to determine whether it should issue a certificate to the client or server that has requested it. If the computer account has replicated to the domain controller that the CA queries, the CA can determine whether the client or server has the security permissions required to enroll a certificate from the requested template. If the computer account has not yet replicated to that domain controller, however, the CA cannot resolve the requesting account and therefore cannot verify that the client or server has the permissions to enroll a certificate.

If this occurs, the CA does not issue a certificate to the client or server computer, and the computer remains without a certificate until a later autoenrollment attempt succeeds.

  • If a domain member client computer cannot enroll a client computer certificate, the client computer cannot be successfully authenticated by NPS servers when attempting to connect to the network through any network access servers that are configured as RADIUS clients in NPS where the required authentication method is either EAP-TLS or PEAP-TLS. For example, if you have deployed RADIUS clients that are 802.1X wireless access points and you are using PEAP-TLS as your authentication method, client computers that do not have a client computer certificate cannot be successfully authenticated and cannot use network resources through a wireless connection.

  • If a domain member NPS server computer cannot enroll a server certificate, the NPS server cannot be successfully authenticated by client computers when they are attempting to connect to the network through any network access servers that are configured as RADIUS clients in NPS where the required authentication method is EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2, and where clients are configured with the Validate server certificate setting enabled. These authentication methods provide mutual authentication and the NPS server must have a server certificate to be successfully authenticated by client computers. If the NPS server does not have a server certificate, all connection requests where these authentication methods are required fail because client computers are unable to authenticate the NPS server.

For this reason, when you deploy certificate-based authentication methods, it is recommended that you design Active Directory replication times and the deployment of subordinate CAs to reduce the possibility that slow replication might negatively impact your network access authentication infrastructure.
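The following script is an added example and is not part of the original article or of NPS itself. It implements the check a practitioner would want before relying on autoenrollment on a freshly joined computer: it queries every domain controller in the domain individually (with LDAP referral chasing disabled, so each answer reflects only that domain controller's own replica) until the new computer account is visible on all of them, then applies computer Group Policy, triggers autoenrollment with certutil, and confirms that a machine certificate with the expected enhanced key usage has landed in the local computer store. It assumes PowerShell 2.0 or later on a domain-joined host (so it works without the RSAT Active Directory module), an account permitted to read AD DS and to run gpupdate and certutil for the machine, and that the host is an 802.1X client needing the Client Authentication EKU; the helper names Test-AccountOnDc and Get-MachineCertsWithEku, the parameter names, and the timeouts are choices made for this example.

```powershell
# Added example, not from the original article: wait for a newly joined
# computer's account to replicate to every DC, then trigger autoenrollment
# and verify the resulting machine certificate.
# Assumptions: PowerShell 2.0+ on a domain-joined host; the account running
# the script can read AD DS and run gpupdate/certutil for the machine.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$MaxWaitMinutes  = 15,
    [int]$PollSeconds     = 60,
    # 1.3.6.1.5.5.7.3.2 = Client Authentication (802.1X clients, assumed here);
    # use 1.3.6.1.5.5.7.3.1 (Server Authentication) when checking an NPS server.
    [string]$RequiredEkuOid = '1.3.6.1.5.5.7.3.2'
)

$ErrorActionPreference = 'Stop'
$samAccountName = "$ComputerName`$"          # computer account names end with '$'

# Enumerate every DC in the current domain through .NET (no RSAT module needed)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

function Test-AccountOnDc {
    param([string]$Dc, [string]$Sam)
    # Bind to this specific DC and disable referral chasing so the result
    # reflects that DC's replica only, not whichever DC the client would pick.
    try {
        $baseDn   = [string]([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot      = [ADSI]"LDAP://$Dc/$baseDn"
        $searcher.Filter          = "(&(objectClass=computer)(sAMAccountName=$Sam))"
        $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
        $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        return ($null -ne $searcher.FindOne())
    } catch {
        Write-Warning "Could not query $Dc : $_"
        return $false
    }
}

function Get-MachineCertsWithEku {
    param([string]$EkuOid)
    # Inspect the Enhanced Key Usage extension (OID 2.5.29.37) of each cert
    # in the local computer's Personal store.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ext -and (($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EkuOid)
    }
}

# 1. Wait until the account is visible on every DC (or give up after the deadline).
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
do {
    $missing = @($dcs | Where-Object { -not (Test-AccountOnDc -Dc $_ -Sam $samAccountName) })
    if ($missing.Count -eq 0) { break }
    Write-Host ("{0} not yet replicated to: {1}" -f $samAccountName, ($missing -join ', '))
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($missing.Count -gt 0) {
    # Enrolling now risks the CA querying a DC that cannot resolve the account.
    # A domain admin can push the join DC's changes with: repadmin /syncall <joinDC> /AdeP
    throw "Replication incomplete after $MaxWaitMinutes minutes; not requesting a certificate."
}

# 2. Account is visible everywhere: apply computer Group Policy (which carries
#    the autoenrollment settings) and fire the autoenrollment task now.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 3. Confirm a machine certificate with the required EKU exists (allow ~1 minute).
$certs = @()
for ($i = 0; $i -lt 6 -and $certs.Count -eq 0; $i++) {
    Start-Sleep -Seconds 10
    $certs = @(Get-MachineCertsWithEku -EkuOid $RequiredEkuOid)
}
if ($certs.Count -eq 0) {
    throw "Autoenrollment ran but no certificate with EKU $RequiredEkuOid is in LocalMachine\My; check template Enroll/Autoenroll permissions and CA reachability."
}
$certs | Select-Object Subject, NotAfter, Thumbprint
```

Run it on the new client (or, with -RequiredEkuOid 1.3.6.1.5.5.7.3.1, on a new NPS server) right after the post-join reboot. Querying each DC directly is the point of the design: a plain domain-wide lookup would be served by whichever DC the client happens to locate, which may be the one that processed the join and already holds the account, so it would report success while the CA, talking to a different DC, still cannot see the requester.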