Hi,
I have 4 2012 DCs. LDAP SSL is already enabled using a SHA1 certificate from an old Certificate Authority (CA) we have. The DCs currently have a "Domain Controller" certificate template.
Recently we deployed a new 20126 SHA256 AD CS CA. I want each DC to get a new SHA256 certificate from the new CA. I'm planning on making the "Kerberos Authentication" certificate available to the 2012 DCs and configuring the default domain controller's GPO so that the DCs automatically get the Kerberos template and renew the certificate as needed.
A couple of questions:
1. Are there any issues with having a "Domain Controller" and Kerberos certificate on a DC simultaneously?
2. Generally, do I need to configure GPOs to deploy DC certificates, or is it just done by AD automatically?
Thanks in advance
IT Support/Everything