I've recently set up AD Certificate Services and it seems to be working okay, although I can't say I'm familiar with every aspect of this.
I can set up auto-enrollment and this works, but I think I should have multiple templates, one for servers and one for clients. I can't say I know why I should use different templates, but it seems reasonable enough.
The problem I have is that, if I have multiple auto-enrollment templates, clients will enroll in both. The only way to avoid this would be to create security groups and place clients in one group and servers in another, but this then seems to defeat the purpose of auto-enrollment because I have to manually add the machine accounts to an appropriate group.
It would make more sense to me to be able to apply a filter based on organisational unit, or alternatively have two separate policies and define the template to be used. I believe I can automate group membership based on organisational unit with a PowerShell script, but it seems a bit unnecessary.
Am I missing something here?
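The OU-to-group synchronisation the question mentions, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, and the OU distinguished names and group names (`AutoEnroll-Servers`, `AutoEnroll-Clients`, the `OU=...,DC=example,DC=local` paths) are placeholders to be replaced with your own. It keeps each auto-enrollment group equal to the set of computer accounts currently under the matching OU, adding machines that have moved in and removing those that have moved out, so the template's Enroll/Autoenroll permission can be granted to the group rather than to individual machine accounts.

```powershell
# Added example (not from the original post): keep a security group used as an
# auto-enrollment target in sync with the computer accounts in an OU.
# Assumes the RSAT ActiveDirectory module; OU DNs and group names are placeholders.
Import-Module ActiveDirectory

# Hypothetical OU -> group mapping; replace with your own DNs and group names.
$mappings = @(
    @{ OU = 'OU=Servers,DC=example,DC=local';      Group = 'AutoEnroll-Servers' },
    @{ OU = 'OU=Workstations,DC=example,DC=local'; Group = 'AutoEnroll-Clients' }
)

foreach ($m in $mappings) {
    # Computer accounts currently under the OU (including child OUs)
    $inOu = @(Get-ADComputer -SearchBase $m.OU -SearchScope Subtree -Filter * |
              Select-Object -ExpandProperty DistinguishedName)

    # Direct computer members of the group (nested groups are ignored on purpose)
    $inGroup = @(Get-ADGroupMember -Identity $m.Group |
                 Where-Object { $_.objectClass -eq 'computer' } |
                 Select-Object -ExpandProperty distinguishedName)

    # Reconcile: machines that moved into the OU get added, machines that left get removed
    $toAdd    = @($inOu    | Where-Object { $_ -notin $inGroup })
    $toRemove = @($inGroup | Where-Object { $_ -notin $inOu })

    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $m.Group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $m.Group -Members $toRemove -Confirm:$false }

    Write-Host ("{0}: added {1}, removed {2}" -f $m.Group, $toAdd.Count, $toRemove.Count)
}
```

Run it from a scheduled task on a management host with an account that has write access to the two groups only, not Domain Admins. A machine's new group membership only shows up in its Kerberos token after it next authenticates (typically a reboot or a `klist -li 0x3e7 purge`), so auto-enrollment against the newly permitted template will lag the OU move by that much; test with `-WhatIf` on the `Add-ADGroupMember`/`Remove-ADGroupMember` calls first.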