Computer Certificate autoenrollment not working

Blitz 21 Reputation points
2020-09-02T07:41:45.187+00:00

Hi, everyone! I have a problem with computer certificate autoenrollment. I've done a lot of searching and troubleshooting and it seems I'm stuck.

I'm in an AD environment with an internal PKI infrastructure; the root CA is offline and there are two intermediate CAs (one old, one new) issuing certificates for my domain clients.

I'm using a CA template to automatically push certificates to clients, which is working well, but I made one change to one of my cert templates and I need all clients to re-enroll the certificate. I discovered there is an option to Reenroll All Certificate Holders using the template, so I tried this in the lab and everything worked like a charm. The template number incremented and clients re-enrolled certificates on the next GPO cycle.

So I've moved to production, did the same, and nothing: no errors in the event log, just some warnings, but they didn't look interesting.
From a Wireshark traffic capture I could see there are no requests from the client to the CA; it just talks with the DCs and ends the communication after that. The curious thing is that in the capture I can see that the certificate template number in the traffic from the DC is higher than the certificate template number on my client, but there are no attempts to enroll a new one...

Can anyone please advise?

Regards


Accepted answer
  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-09-03T06:13:05.527+00:00

    Hello @Blitz ,

    Thank you for your update.

    If AD replication is working fine and the certificate template we mentioned is on all DCs, it seems the issue is not related to AD replication.

    We can check:

    1. What is the Schema Version of the certificate template we mentioned?
    22333-ver1.png

    2. In my lab, I find that if I click "Reenroll All Certificate Holders", the "Version" of the certificate template (or "Major Version" of the certificate template) is changed, and after the client updates GPO, the "Version" of the certificate template on the corresponding certificates (or "Major Version" of the certificate template) will be the same as on the certificate template.

    For example,

    121.0 => Major Version Number=121, Minor Version Number=0

    22333-ver1.png

    22334-ver2.png

    So we can check whether the "Version" of the certificate template (or "Major Version" of the certificate template) is changed after we click "Reenroll All Certificate Holders", i.e. whether the "Version" (or "Major Version") on the certificate template itself has changed.

    3. If the version on the certificate template is changed but on the certificate it is not changed, we can run gpupdate /force or certutil -pulse on the client to see if it helps.

    4. Refresh the certificate store on the client.
    22238-ver3.png

    Best Regards,
    Daisy Zhou

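The check in steps 1 to 3 (template version in AD versus the version stamped into the certificates a client already holds) can be scripted instead of compared by eye. The following PowerShell is an added example and is not code from the thread or from Microsoft; the function name `Compare-TemplateVersion`, its parameters and the regex over the formatted extension text are my own. It reads the template object from the Configuration partition (the same place the question's ADSI path points to), optionally from a specific DC, and lists every certificate in the machine store issued from that template together with both version numbers:

```powershell
<#
 Added example (not from the original thread): compare the version of a certificate
 template as stored in AD with the major/minor version stamped into the certificates
 a client already holds. Function name, parameters and regex are assumptions of mine.
#>
function Compare-TemplateVersion {
    param(
        # Template name as shown in the Certificate Templates console (the CN in AD)
        [Parameter(Mandatory)] [string] $TemplateName,
        # Optional: query a specific DC, since the client reads templates from a DC, not the CA
        [string] $DomainController,
        # Store to inspect; the machine store is the one computer autoenrollment fills
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    # Templates live in the Configuration partition, replicated to every DC.
    $server   = if ($DomainController) { "$DomainController/" } else { '' }
    $rootDse  = [ADSI]"LDAP://${server}RootDSE"
    $configNC = $rootDse.configurationNamingContext.Value
    $dn   = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = [ADSI]"LDAP://${server}$dn"
    try { $tmpl.RefreshCache() } catch { throw "Template '$TemplateName' not found at $dn" }

    # 'revision' is the major version, msPKI-Template-Minor-Revision the minor one.
    $template = [pscustomobject]@{
        Name          = $TemplateName
        Oid           = [string]$tmpl.Properties['msPKI-Cert-Template-OID'].Value
        SchemaVersion = [int]$tmpl.Properties['msPKI-Template-Schema-Version'].Value
        Major         = [int]$tmpl.Properties['revision'].Value
        Minor         = [int]$tmpl.Properties['msPKI-Template-Minor-Revision'].Value
    }

    # Certificates issued from v2+ templates carry the Certificate Template Information
    # extension (1.3.6.1.4.1.311.21.7): template OID plus the major/minor version the
    # certificate was issued under. Format() renders it as
    # "Template=<name>(<oid>), Major Version Number=N, Minor Version Number=M".
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $ext) { continue }
        $text = $ext.Format($false)
        $pattern = 'Template=(?:[^(,]*\()?(?<oid>[\d.]+)\)?.*Major Version Number=(?<major>\d+).*Minor Version Number=(?<minor>\d+)'
        if ($text -notmatch $pattern) { continue }
        if ($Matches.oid -ne $template.Oid) { continue }

        $certMajor = [int]$Matches.major
        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            CertMajor        = $certMajor
            CertMinor        = [int]$Matches.minor
            TemplateMajor    = $template.Major
            TemplateMinor    = $template.Minor
            SchemaVersion    = $template.SchemaVersion
            # Only a higher major version on the template (what "Reenroll All Certificate
            # Holders" produces) makes autoenrollment replace the certificate; a minor
            # bump from editing the template does not.
            ReenrollExpected = ($template.Major -gt $certMajor)
        }
    }
}

# Usage (run elevated on the affected client so the machine store is readable):
#   Compare-TemplateVersion -TemplateName 'Machine' | Format-Table
#   Compare-TemplateVersion -TemplateName 'Machine' -DomainController 'dc01' | Format-Table
# If ReenrollExpected is $true and the certificate is still old, trigger a pass with
#   certutil -pulse   (or gpupdate /force) and re-run the comparison.
```

Running it once per DC with `-DomainController` gives the per-DC view the earlier answer asks for (does every DC hold the same template version), and a row where `CertMajor` already equals `TemplateMajor` with only the minor differing is exactly the situation the thread ends up describing: the template was edited but "Reenroll All Certificate Holders" never took effect, so no client is expected to re-enroll.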

3 additional answers

  1. Daisy Zhou 20,791 Reputation points Microsoft Vendor
    2020-09-02T09:54:53.917+00:00

    Hello @Blitz ,

    Thank you for posting here.

    I did a test in my lab and it works fine.

    We can check the information below in your production environment:

    1. Check whether this machine has configured certificate auto enrollment GPO.
    2. Check whether the certificate template is issued on CA server.
    3. Check whether the machine has read, enroll and autoenroll permissions for this certificate template.
    4. Check whether all machines or only one machine has such issue.

    If the above does not help: since certificate templates are stored on DCs, not on the CA server, please check that AD replication is working fine by running repadmin /showrepl and repadmin /replsum.

    I mean the machine we mentioned may pull the certificate template from one DC, but the certificate template may not be on that DC due to an AD replication issue.

    Hope the information above is helpful, if anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Blitz 21 Reputation points
    2020-09-02T10:39:38.697+00:00

    Hello Daisy, thanks for your reply.

    1. Yes, I have Automatic certificate management enabled, with "Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates" and "Update and manage certificates that use certificate templates from Active Directory" enabled too.
    2. Yes, seems good.
    3. Authenticated users have read. Domain computers have read, enroll and auto-enroll on the template so should be fine.
    4. It's all of them.

    Sorry, but how do I find out where they are stored? I see an entry for the template in ADSI -> Configuration -> Services -> Public Key Services -> Certificate Templates.
    Anyway, repadmin shows all good; we are all in a single-site domain, so I'm not suspecting replication to be the problem. All DCs show the same template (even the version), so it's probably stored on the DCs.


  3. Blitz 21 Reputation points
    2020-09-03T06:42:08.487+00:00

    Hi there, wow, I can't believe I made such a mistake!

    In the lab, I clicked the button, and the major version incremented to 102 while the minor was 0.
    But in production, I had major template number 100 and the minor was 2. I made some changes and the minor incremented to 3, and right after the change I clicked "Reenroll All Certificate Holders" - but it seems that I didn't really click, because the template version stayed 100.3, and that confused me enough to mix up major with minor, believing everything was good on the CA and the problem was somewhere on the client side. So the major template number wasn't really incremented, therefore clients weren't re-enrolling.

    Now I've gone through it again with your pictures and realized my mistake! Thanks, @Daisy Zhou, so much for your help! Before asking here I was digging deeper into the certificate enrollment process looking for a potential problem, and I saw the template number numerous times during the process, always believing it's correct and never noticing my mistake.

    Now that I really clicked to reenroll and the major template number has incremented, it works smoothly.

    Thanks again!