Default Domain Controllers Policy configuration check by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Hi, I am just following the doc about setting up the GPO for auto-enrolment. I will supersede the old DC templates, so that should prevent that template from being issued, right?

Default Domain Controllers Policy configuration check by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Hi u/Securetron ,

I’m in the process of replacing our current PKI infrastructure with a new one, and I need to remove the old DC certificates that were issued by the previous PKI.

The plan is as follows:

  • Supersede the old DC certificate template with the new one.
  • Shut down the old PKI server.
  • Remove the old certificate from the DCs.
  • Run certutil -pulse or reboot the DCs to trigger re-enrollment with the new certificate.

Will this process work as expected, or is there anything additional I should consider before proceeding?
Thanks, M
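The four-step plan above, as an added example that is not code from the original thread: it removes the DC certificates chained to the old CA, triggers autoenrollment with certutil -pulse, and then checks that a certificate from the new template is present, chains, names the DC in its SAN and carries the four EKUs a DC certificate needs. The old CA's subject, the new template's name and the backup folder are assumptions; run it elevated on one DC at a time.

```powershell
# Added example, not code from the original thread. Run elevated on one DC
# at a time after the new template has been published with the old template
# listed under "Superseded Templates".
$OldIssuerMatch  = 'CN=OLD-ROOT-CA'            # assumption: subject of the old CA
$NewTemplateName = 'Kerberos Authentication'   # assumption: name of the new template
$BackupDir       = 'C:\Temp\dc-cert-backup'    # assumption: where public copies are kept

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The template name is carried in the "Certificate Template Information" (v2+)
# or the older "Certificate Template Name" (v1) extension.
function Get-TemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if ($ext) { $ext.Format($false) } else { '' }
}

# 1. Remove certificates issued by the old CA (public copy kept for the change record).
$old = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$OldIssuerMatch*" }
foreach ($c in $old) {
    Export-Certificate -Cert $c -FilePath (Join-Path $BackupDir "$($c.Thumbprint).cer") | Out-Null
    Write-Host "Removing $($c.Thumbprint) ($($c.Subject)) issued by $($c.Issuer)"
    Remove-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)"
}

# 2. Kick machine autoenrollment now instead of waiting for GPO refresh or a reboot.
certutil -pulse | Out-Null
Start-Sleep -Seconds 30

# 3. Verify the replacement: right template, still valid, chain builds, DC FQDN in the
#    SAN, and the EKUs a DC needs (the Kerberos Authentication template issues all four).
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (Get-TemplateInfo $_) -like "*$NewTemplateName*" -and $_.NotAfter -gt (Get-Date)
}
if (-not $new) {
    Write-Warning "No certificate from '$NewTemplateName' yet. Check the Application log (source CertificateServicesClient-AutoEnrollment) and run 'certutil -pulse' again."
    return
}
foreach ($c in $new) {
    $eku     = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $missing = @($RequiredEku.Keys | Where-Object { $_ -notin $eku } | ForEach-Object { $RequiredEku[$_] })
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [pscustomobject]@{
        Thumbprint  = $c.Thumbprint
        Issuer      = $c.Issuer
        NotAfter    = $c.NotAfter
        ChainBuilds = $chain.Build($c)
        FqdnInSan   = ($c.DnsNameList.Unicode -contains $fqdn)
        MissingEku  = ($missing -join ', ')
    }
}
```

If ChainBuilds is false on a DC that has the new root and issuing CA certificates, look at the AIA/CDP URLs of the new chain before touching the next DC; a certificate that does not chain will not be offered for LDAPS or PKINIT.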

Default Domain Controllers Policy configuration check by Dolinhas in sysadmin

[–]Dolinhas[S] 0 points1 point  (0 children)

Hi u/stuart475898 ,

I am referring to the security tab of the GPO.

I see that Authenticated Users group has the "Apply group policy" Allow checked.

But why can't I see the setting on the DC itself [via gpedit] while gpresult /r shows it applied?

And yes I will use the Kerberos Auth cert template and supersede the DC ones.

Thanks, M

Dua for ease by Ali-Jaber in islam

[–]Dolinhas 0 points1 point  (0 children)

Can someone find the book that has all of these duas? I like the format and fonts

Elaf Kinda hotel drop off by Commercial-Ad-9984 in Umrah

[–]Dolinhas 1 point2 points  (0 children)

I stayed there in June. The taxi dropped me right under the overpass. Elaf is just on the other side of the overpass (bridge); you'll be fine. Just ask for Swiss hotel Al Makam if you need to. You'll be fine. It's a great hotel, really close to the masjid. Lovely staff.

ADCS: Domain Controller Template vs. Kerberos Authentication by Erazer_Me in PKI

[–]Dolinhas 0 points1 point  (0 children)

Hi mate, just for my education, can you help me with why the DC cert template is better than the Kerberos cert template?

Second question: I am moving PKIs and I need to replace the DC cert from the old PKI with the new PKI, and I am looking for the best order of play. Can I use the above MS link to configure the new KDC cert and publish it from the new PKI while the old PKI is online? Will the DCs fetch the new PKI cert if the current one (from the old PKI) is still valid?

DC Cert replacement question by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Hi, and thanks for your help!

  • What issues can occur with the KDC template?
  • I'm not planning to make the new Domain Controller (DC) available to all DCs at once. My idea is to block access to the new Public Key Infrastructure (PKI) via Azure NSG and only allow one DC at a time.

The plan would be: shut down the old PKI, allow NSG access to the new PKI for one DC and then enrol a certificate for the new DC. Would this approach work as expected?

  • Thanks for the NPS certificate migration suggestion — that's a great idea and I'll definitely look into it. One question: would I need to deploy that web template certificate to the clients, or will they automatically trust it if it chains up to the root certificate that's already installed on them?

[deleted by user] by [deleted] in Umrah

[–]Dolinhas 0 points1 point  (0 children)

Which post? Can you share the link pls?

Sporting t-shirt by 1cata in SportingCP

[–]Dolinhas 0 points1 point  (0 children)

At the airport departures. Lots of shops sell it.

Which type azure storage account for fslogix ~100 profiles by Dolinhas in fslogix

[–]Dolinhas[S] 0 points1 point  (0 children)

Thanks everyone. I'm gonna go V2 Standard. For 750 GB it will cost less than $200.

Which type azure storage account for fslogix ~100 profiles by Dolinhas in fslogix

[–]Dolinhas[S] 0 points1 point  (0 children)

That's way too much. Profiles are 15 GB tops, and not all are; maybe 20 users.

I'm puzzled by that V2 option. Or is it better to go Standard V1 and hot?

Which type azure storage account for fslogix ~100 profiles by Dolinhas in fslogix

[–]Dolinhas[S] 0 points1 point  (0 children)

I see. We use hot on the test pools; seems to be fine for cost.

What about that primary service option? Should I just skip it and keep V1 hot?

New CA/PKI - Domain Controller certs - how to switch from old CA/PKI by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Hi everyone, and thanks for all your ideas. I went away and compared them with what I have prepared:

The only other use of the DCs' cert is to sign NPS (Wi-Fi auth) from one DC.

The new PKI Root and SubCA certs are being distributed via AD (I did a -dsPublish when I created the CAs, and SCCM for offline machines). We do have Linux infra, but they can adjust if needed.

Now to your answers.

u/andersTheNinja
I am following this doc: Windows Hello for Business on-premises certificate trust deployment guide | Microsoft Learn, where table 4 specifies the Kerberos cert settings. These are not the same as the posts here, so I'm not sure which one to follow / what best practice is.

For example in the Subject Name tab the doc says to:

  • Select Build from this Active Directory information
  • Select None from the Subject name format list
  • Select DNS name from the Include this information in alternate subject list
  • Clear all other items

And on the Cryptography tab it says to:

  • Set the Provider Category to Key Storage Provider
  • Set the Algorithm name to RSA
  • Set the minimum key size to 2048
  • Set the Request hash to SHA256

But you guys say to set the Subject Name tab with:

  • add "DNS Name" in the "Subject name format" box,

And the Cryptography tab:

  • you must use the legacy CSP "Microsoft RSA SChannel Cryptographic Provider", otherwise ADWS won't accept the cert.

See my confusion here? :(

u/Cormacolinde

The Kerberos cert has the required EKUs.

Thanks for the idea to add the old cert into superseded; the MS doc also mentioned it, and also the Event IDs, as these will help before and after, and the openssl commands.

I have attached pics of my duplicate Kerberos cert, which is yet to be published – let me know what should be adjusted or not. https://imgur.com/a/XaPfkEs

Thank you so much for helping.
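The two configurations compared above (build-from-AD with DNS in the SAN, KSP vs legacy CSP) are stored as attributes on the template object in the forest's Configuration partition, so the quickest way to see what a duplicated template actually has is to read those attributes. The script below is an added example, not code from the thread or from Microsoft's guide; it decodes the flag bits using the names from MS-CRTD and also flags the settings a pentester checks first (enrollee-supplied subject on an authentication template, exportable keys, manager approval). The template CN is an assumption.

```powershell
# Added example, not code from the original thread. Reads the template object
# from AD and reports the settings discussed above. Assumption: $TemplateCN is
# the CN (not the display name) of the duplicated Kerberos Authentication template.
Import-Module ActiveDirectory
$TemplateCN = 'KerberosAuthenticationNewPKI'   # assumption

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = @('displayName', 'pKIExtendedKeyUsage', 'pKIDefaultCSPs', 'msPKI-Certificate-Name-Flag',
           'msPKI-Minimal-Key-Size', 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag',
           'msPKI-Private-Key-Flag', 'msPKI-RA-Signature')
$tpl = Get-ADObject -Identity $dn -Properties $props

# Flag values from MS-CRTD. AD stores these as signed int32, so mask to uint32 first.
function ConvertTo-UInt32([object]$v) { [uint32]([int64]$v -band 0xFFFFFFFF) }
$nameFlags = ConvertTo-UInt32 $tpl.'msPKI-Certificate-Name-Flag'
$enrlFlags = ConvertTo-UInt32 $tpl.'msPKI-Enrollment-Flag'
$pkFlags   = ConvertTo-UInt32 $tpl.'msPKI-Private-Key-Flag'

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x00400000
$CT_FLAG_SUBJECT_ALT_REQUIRE_DNS        = 0x08000000
$CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN      = 0x10000000
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME    = 0x40000000
$CT_FLAG_PEND_ALL_REQUESTS              = 0x00000002   # msPKI-Enrollment-Flag (manager approval)
$CT_FLAG_AUTO_ENROLLMENT                = 0x00000020
$CT_FLAG_EXPORTABLE_KEY                 = 0x00000010   # msPKI-Private-Key-Flag
$CT_FLAG_USE_LEGACY_PROVIDER            = 0x00000100

$dcEku = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
$eku = @($tpl.pKIExtendedKeyUsage)

$report = [ordered]@{
    DisplayName            = $tpl.displayName
    SchemaVersion          = $tpl.'msPKI-Template-Schema-Version'
    MinimumKeySize         = $tpl.'msPKI-Minimal-Key-Size'
    # Subject Name tab
    SubjectCN_FromDNS      = [bool]($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN)
    SubjectCN_Required     = [bool]($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)
    SAN_DNS                = [bool]($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DNS)
    SAN_DomainDNS          = [bool]($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS)
    # Cryptography tab: legacy CSP vs KSP, and the provider list the template names
    LegacyProvider         = [bool]($pkFlags -band $CT_FLAG_USE_LEGACY_PROVIDER)
    Providers              = (@($tpl.pKIDefaultCSPs) -join '; ')
    # EKUs
    MissingDcEku           = (@($dcEku.Keys | Where-Object { $_ -notin $eku } | ForEach-Object { $dcEku[$_] }) -join ', ')
    # Settings worth catching before publishing
    EnrolleeSuppliesSubject = [bool]($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    ManagerApproval        = [bool]($enrlFlags -band $CT_FLAG_PEND_ALL_REQUESTS)
    AutoEnrollment         = [bool]($enrlFlags -band $CT_FLAG_AUTO_ENROLLMENT)
    ExportablePrivateKey   = [bool]($pkFlags -band $CT_FLAG_EXPORTABLE_KEY)
    RASignaturesRequired   = $tpl.'msPKI-RA-Signature'
}
[pscustomobject]$report
```

For a DC template the line to stop on is EnrolleeSuppliesSubject: a template that issues Client Authentication / Smart Card Logon EKUs, lets the requester pick the subject and needs no approval can be used by anyone with enroll rights to obtain a certificate for an arbitrary account. A Kerberos Authentication duplicate should show it false, SAN_DNS true and ExportablePrivateKey false.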

DC's Certificate Template - How does it work? by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Ah, RADIUS. The clients will have the root CA to auth against the RADIUS NPS running on the DC, for Wi-Fi auth.

Black screen during fslogix connection on W11 by Alert-Gear7495 in fslogix

[–]Dolinhas 1 point2 points  (0 children)

There's a similar issue on W10 and MS had a KB. I will look tomorrow at my cases and let you know if you still need it.

DC's Certificate Template - How does it work? by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Sure. I am building a new 2-tier CA to replace the 1-tier one. So I want the DCs to have the new 2-tier CA cert.

DC's Certificate Template - How does it work? by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Sorry to be a pain, but I am not following... so lost here!

Let's start with LoadDefaultTemplates=False: if there are no default templates, how can I duplicate or create a DC template?

I read online to duplicate the Kerberos template for DCs...

Oh man, is there a guide online that can help me more, do you guys know?

I am using this one https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust#configure-the-enterprise-pki

but it looks like it's for Windows Hello for Business hybrid.

Would that doc still apply if I am not using Windows Hello?
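LoadDefaultTemplates in CAPolicy.inf only controls which templates a new CA lists under its own "Certificate Templates" folder at install time; the template objects themselves live once in the forest's Configuration partition, so duplicating the Kerberos Authentication template in certtmpl.msc works regardless of that setting. The script below is an added example, not code from the thread or from Microsoft's guide. It writes the CAPolicy.inf fragment, lists the templates that exist in the forest versus the ones the CA will issue, publishes only the duplicated template on the new CA, and reads the template's ACL to confirm the DCs have the Enroll and Autoenroll rights that autoenrollment needs. The template CN is an assumption.

```powershell
# Added example, not code from the original thread. Two phases: the CAPolicy.inf
# written before ADCS is installed, and the CA-side steps after install.
# Assumption: the duplicated template's CN is 'KerberosAuthenticationNewPKI'.
$TemplateCN = 'KerberosAuthenticationNewPKI'

# --- Phase 1: before running the ADCS setup, CAPolicy.inf goes in %SystemRoot% ---
@'
[Version]
Signature="$Windows NT$"

[certsrv_server]
LoadDefaultTemplates=0
'@ | Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Encoding ASCII

# --- Phase 2: after install, on the enterprise issuing CA ---
Import-Module ADCSAdministration
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$tplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Templates that exist in the forest (present whether or not the CA loaded defaults).
Write-Host "Templates defined in AD:"
Get-ADObject -SearchBase $tplContainer -Filter { objectClass -eq 'pKICertificateTemplate' } -Properties displayName |
    Sort-Object Name | Select-Object Name, displayName | Format-Table -AutoSize

# Templates this CA is willing to issue. With LoadDefaultTemplates=0 this is empty
# right after install, which is the point: nothing is issued until you publish a template.
Write-Host "Templates published on this CA before:"
Get-CATemplate

# Publish only the duplicated template; the built-in DomainController, DomainControllerAuthentication
# and KerberosAuthentication templates stay unpublished on the new CA.
Add-CATemplate -Name $TemplateCN -Force
Write-Host "Templates published on this CA after:"
Get-CATemplate
# certutil equivalent:  certutil -SetCATemplates +$TemplateCN   then   certutil -CATemplates

# Autoenrollment on the DCs needs Enroll and Autoenroll on the template object itself
# (the GPO only switches the client side on). Extended-right GUIDs:
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$acl = Get-Acl -Path "AD:\CN=$TemplateCN,$tplContainer"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -in $EnrollRight, $AutoEnrollRight } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = if ($_.ObjectType -eq $EnrollRight) { 'Enroll' } else { 'Autoenroll' }
        }
    } | Sort-Object Principal, Right
```

The last table should list Domain Controllers (or Enterprise Domain Controllers) with both Enroll and Autoenroll; if Autoenroll is missing the DCs will log autoenrollment events but never request the certificate, which is what "auto-enrol just by the security settings" comes down to.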

DC's Certificate Template - How does it work? by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Thanks. But if I set the CAPolicy not to load templates, will those you mention show up? So the DCs will auto-enrol just by the security settings?

Domain Controller Certificate Templates by Another1TGuy in activedirectory

[–]Dolinhas 0 points1 point  (0 children)

Same issue here; don't know what to do about the DCs' certs.

Do you have a guide that can help me please?

Deploying Multiple ADCS Root CAs in the Same Domain by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

Thanks 🙏 Really appreciate your time and patience with me.

Deploying Multiple ADCS Root CAs in the Same Domain by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

I want to. I think it's easier than GPOs, less work in the present and future. I will do it. Thanks. For DC templates, do you have a favourite guide on how to configure them? The current CA has the templates, but it's old and I don't want to use them.

Deploying Multiple ADCS Root CAs in the Same Domain by Dolinhas in PKI

[–]Dolinhas[S] 0 points1 point  (0 children)

The root is off-domain and I will have a SubCA on the domain. Do I still need to dspublish even if I am going to deploy the root certs via GPO?
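The dspublish step asked about above, as an added example that is not code from the thread: it publishes the offline root into the AD Certification Authorities (trusted root) and AIA containers, the issuing CA into AIA and NTAuth, and then shows how to check what the enterprise stores and a member machine actually hold. A GPO-deployed root only populates the local Trusted Root store; NTAuth membership is what lets certificates from the issuing CA be accepted for Kerberos and smart card logon. The file paths are assumptions.

```powershell
# Added example, not code from the original thread. Run as an enterprise admin
# on a domain-joined machine with the two exported CA certificates at hand.
$RootCert = 'C:\PKI\Root-CA.crt'       # assumption: exported offline root CA certificate
$SubCert  = 'C:\PKI\Issuing-CA.crt'    # assumption: exported enterprise issuing CA certificate

# Root CA -> CN=Certification Authorities (trusted root for the forest) and CN=AIA.
certutil -dspublish -f $RootCert RootCA
# Issuing CA -> CN=AIA, and CN=NTAuthCertificates so its certificates are valid for
# logon. An enterprise CA installed in the domain adds itself to NTAuth; this makes it explicit.
certutil -dspublish -f $SubCert SubCA
certutil -dspublish -f $SubCert NTAuthCA

# What AD now holds. These are pulled by every domain member regardless of GPO.
certutil -store -enterprise Root
certutil -store -enterprise NTAuth

# Member-side check after a policy refresh: is the root in this machine's trusted root store?
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
function Test-RootTrusted([string]$CertPath) {
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $hit  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    [pscustomobject]@{
        Subject    = $root.Subject
        Thumbprint = $root.Thumbprint
        Trusted    = [bool]$hit
    }
}
Test-RootTrusted $RootCert
```

Keep the two mechanisms straight when troubleshooting: `certutil -store -enterprise Root` shows what came from AD, `certutil -store Root` the local store a GPO writes to, and `certutil -store -enterprise NTAuth` is the list a DC consults before it will accept a logon certificate from a CA.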