  • Active Directory Certificate Autoenrollment Step By Step
    Uncategorized 2020. 1. 22. 22:22
    1. Domain Controller Autoenrollment Certificate

    In Active Directory Certificate Services it is possible to configure certificates to renew automatically before they expire. This functionality (which ships with every Windows box) is called certificate autoenrollment. Here is the link that describes how to enable autoenrollment functionality (which is disabled by default):

    In your case, it is sufficient to use a certificate based on the Kerberos Authentication certificate template (which is compatible with LDAPS) and enable the autoenrollment GPO. The certificate template already contains Autoenroll permissions for the Enterprise Domain Controllers global group. If the GPO is configured properly, domain controllers will renew their LDAPS certificates after 80% of the existing certificate's lifespan.

    And here is a link that describes what autoenrollment is and how it works in detail (for reference).
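
    The 80% renewal point described above can be checked on a domain controller by reading the computer certificate store. This is an added example, not code from the original page; the helper name `Get-RenewalPoint` and the report columns are assumptions made for illustration, and the 80% fraction is the figure the text gives.

    ```powershell
    # Added example: list certificates in the computer store and show when
    # autoenrollment would be expected to renew each one.
    function Get-RenewalPoint {
        param(
            [Parameter(Mandatory)][datetime]$NotBefore,
            [Parameter(Mandatory)][datetime]$NotAfter,
            [double]$Fraction = 0.8   # 80% of the lifetime, as stated in the text
        )
        # Renewal point = start of validity + fraction of the total lifetime.
        $lifetime = $NotAfter - $NotBefore
        $NotBefore.AddSeconds($lifetime.TotalSeconds * $Fraction)
    }

    # Server Authentication EKU; an LDAPS certificate must carry it.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $renewAt = Get-RenewalPoint -NotBefore $_.NotBefore -NotAfter $_.NotAfter

        if ($now -gt $_.NotAfter) {
            $status = 'Expired'
        } elseif ($now -ge $renewAt) {
            $status = 'RenewalDue'   # past the 80% point but still valid
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            ServerAuth = $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
            NotAfter   = $_.NotAfter
            RenewAt    = $renewAt
            Status     = $status
        }
    } | Sort-Object RenewAt | Format-Table -AutoSize
    ```

    A certificate that stays in `RenewalDue` or reaches `Expired` may indicate that the autoenrollment GPO is not applying to that machine.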

    Connect to the Sub CA server and open the Server Manager. Select Configure Active Directory Certificate Services as below. On the first screen, you can see that an Enterprise Admins account is needed to install an Enterprise Certification Authority. On the Role Services screen, select Certification Authority and click Next.

    Step 2: Choose Active Directory Certificate Services, then choose Certification Authority Web Enrollment. Choose Certification Authority and Certification Authority Web Enrollment, then choose Install and Close.

    Step 3: To configure Active Directory Certificate Services, choose the exclamation mark on the flag.

    This is one of the advantages of an Active Directory domain with an Enterprise CA: you can deploy certificates automatically using a process known as autoenrollment. This greatly reduces the administrative overhead required to deploy certificates to your clients, and all you need for this is a GPO, linked to your domain or an OU, that is configured with the autoenroll policy.
