Posted: Thu 7 Jun - 06:44 (2018) Subject: Issues giving Domain Controllers group rights to enroll?
As a bit of background, all our systems are configured to auto-enroll certificates and we are using the built-in V1 certificates for our system, so specifically the Computer and Domain Controller certificate templates.

I want to use the PKI management pack in SCOM to alert for expiring certificates. When I tried it in our lab I found a lot of false positives however, largely from our domain controllers and the Computer certificate being listed as expiring/expired. When I looked into it the issue became clear. When the server was first built, it was a member server and upon joining the domain, got a Computer certificate from our CA. After it was promoted to a domain controller it requested and received a Domain Controller certificate. The Computer certificate is only valid for a year, so ~11.5 months after being promoted to a DC, when the Computer certificate is about to expire, the domain controller does not/cannot renew it because the template by default is restricted to the Domain Computers group. I'll be honest, I'm not positive this last step is what's happening; it's an assumption on my part that Windows doesn't have anything specifically built-in about the certificate template it's requesting and is merely requesting cert(s) from the Enterprise CA and enrolling for all certificates it has permissions to, and the Computer template is restricted with Enroll permissions to the Domain Computers group and the Domain Controller template is restricted with Enroll permissions to the Domain Controllers group, and that's why the Computer certificate doesn't renew. If someone knows otherwise, I'd love to know specifically what it's doing.
Regardless, I can't find a way to override the PKI management pack rules for a specific certificate template and it brings a lot to the table, namely certificate expiration notices, so I don't want to just scrap the idea of using it so I got to thinking, why not adjust the permissions so Domain Controllers can enroll for the Computer certificate, thus allowing it to renew the Computer certificate and stop SCOM from freaking out. I'm assuming this shouldn't be an issue since a DC has both certificates for the first year it's a domain controller, and then both (with the Computer certificate expired) after that first year and it keeps on ticking without issue, but figured I'd throw it out to the crowd here for any thoughts about this.
I didn't find the right solution from the internet.
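The situation described in the post (a DC carrying a valid DomainController certificate next to a stale Computer certificate it can no longer renew) is easy to confirm from the machine store itself, because an Enterprise CA stamps the issuing template into every certificate it signs. The PowerShell below is an added example, not code from the post or from the SCOM management pack; it lists the LocalMachine\My certificates by template and flags the ones inside an expiry window, with an optional ignore list so a known stale template does not drown out real findings. The `-WarnDays` and `-IgnoreTemplates` parameters are assumptions made for this example; the extension OIDs are the standard Microsoft template OIDs.

```powershell
# Added example (not from the original post): inventory machine certificates by
# issuing template and flag the ones nearing expiry. Assumes it is run elevated
# on the server being checked; the parameter names below are made up for this example.
param(
    [int]$WarnDays = 30,
    # Template names to hide from the expiry warning, e.g. "Machine" (the
    # Computer template) on a DC that legitimately cannot renew it.
    [string[]]$IgnoreTemplates = @()
)

# OIDs of the certificate template extensions an Enterprise CA stamps into issued certs.
$V1TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # szOID_ENROLL_CERTTYPE_EXTENSION (V1: template name)
$V2TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE (V2: template OID + version)

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in @($V1TemplateNameOid, $V2TemplateInfoOid)) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
        if ($ext) {
            # Format() decodes the extension: a V1 template yields the bare name
            # ("Machine", "DomainController"); a V2 template yields
            # "Template=Name(OID), Major Version Number=..., Minor Version Number=..."
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return '(no template extension)'   # self-signed or non-AD CS certificate
}

$now = Get-Date
$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object {
        [pscustomobject]@{
            Template   = Get-CertTemplateName -Cert $_
            DaysLeft   = [int]($_.NotAfter - $now).TotalDays   # negative = already expired
            NotAfter   = $_.NotAfter
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
        }
    }

# Full inventory, grouped by template, so a DC shows its Machine and DomainController rows side by side
$report | Sort-Object Template, DaysLeft | Format-Table Template, DaysLeft, NotAfter, Subject -AutoSize

# Expiry findings, with the operator-approved ignore list applied
$expiring = $report |
    Where-Object { $IgnoreTemplates -notcontains $_.Template -and $_.DaysLeft -le $WarnDays } |
    Sort-Object DaysLeft

if ($expiring) {
    Write-Warning "Certificates expiring within $WarnDays days (ignored templates: $($IgnoreTemplates -join ', ')):"
    $expiring | Format-Table Template, DaysLeft, Thumbprint, Subject -AutoSize
}
```

Run on a DC in the scenario above, the inventory shows a `DomainController` row with plenty of days left and a `Machine` row with a negative `DaysLeft`; running it again with `-IgnoreTemplates Machine` keeps the expired Computer certificate out of the warning while still surfacing any other certificate that is actually about to lapse. Whether the DC is allowed to renew that template is a question of the template's security descriptor, which `certutil -v -dstemplate Machine` prints alongside the template's other attributes.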