
I have a large number of separate Active Directory domains (~150), each consisting of 2 server clusters, that I need to set up for smart card login. To do this I will have to request ~300 domain controller certificates manually due to my environment. Needless to say, that is a huge amount of manual effort and I am looking to script it.

To request a domain controller certificate you need three pieces of information: the certificate request, the domain name, and the GUID. I can generate all of that information automatically, but I cannot figure out how to change each domain controller's GUID to match the cert short of a direct LDAP change. Does anyone know if that would work, or would I break the domain?

chotchki

1 Answer


Nope, never ever do this. The GUID is AD's means of locating/identifying a domain controller for replication. It's important that it remain unchanged (and most importantly, unique to each DC).

Could you set up the machines to trust a central CA and have that issue the machine certs automatically?

Chris Thorpe

  • Unfortunately, none of these machines have any sort of network connectivity to each other, and I have to use a specific third-party CA. Oh well, it was a thought that I could save myself some pain. Thanks though. – chotchki Mar 02 '10 at 01:01
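One way to script the per-DC collection step without writing anything to the directory, as an added example that is not from the original post or its answer: run locally on each DC (the machines cannot reach each other), read the DC's existing objectGUID and FQDN from AD, and emit a certreq.exe INF whose SAN carries both. Assumed here: the file paths, the key and EKU settings, that the third-party CA accepts a PKCS#10 request, and that `guid=` is certreq's text form for the DS object GUID otherName.

```powershell
# Added example (not the original poster's code). Build a domain controller
# certificate request from the DC's EXISTING objectGUID; AD is only read.
# Run as an administrator on the DC itself.

$infPath = Join-Path $env:TEMP 'dc-cert.inf'   # placeholder output locations
$reqPath = Join-Path $env:TEMP 'dc-cert.req'

# The DC's own DNS name goes into the Subject and the SAN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

# Find THIS DC's computer object in the default naming context and read its
# objectGUID. This is the value the certificate must match; never change it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectClass=computer)(sAMAccountName=' + $env:COMPUTERNAME + '$))'
[void]$searcher.PropertiesToLoad.Add('objectGUID')
$result = $searcher.FindOne()
if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
$guid = New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties['objectguid'][0])

# certreq INF: machine key, Server + Client Authentication EKUs (as the v1
# Domain Controller template uses), SAN = DNS name + DS object GUID.
# Adjust KeyLength/ProviderName to what the third-party CA requires (assumption).
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "guid=$($guid.ToString())"
"@

Set-Content -Path $infPath -Value $inf -Encoding ASCII
& certreq.exe -new $infPath $reqPath
Write-Host "Request for $fqdn with objectGUID $guid written to $reqPath"
```

Before submitting the request, `certutil.exe $reqPath` should show the DNS name and a DS Object Guid in the Subject Alternative Name equal to the objectGUID read above; if they differ, the request was built on the wrong computer object.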