I believe, these numbers are costs to particular AD site. First number is in hex format and decimal equivalent in parenthesis.
Hi, Vadims.
What about autoenrollment for non domain joined machine? Definetelly i should use CEP and CES, but what authentication to use? Certificate authentication, i assume. Otherwise it wouldn't be possible for computer account to automatically renew it's certificate?
Hi, Vadims.
Do you know how to interpret output of certutil -ping command? What does it mean: -> a (10) or -> 32 (50). Where i can read about it?
What is the prefered site (site awareness enabled) for requesting cert from Site5?
DsGetSiteName: PC -> Site5
DsGetSiteName[0]: EntSubca1 -> 0: site1 (2969ms)
DsGetSiteName[1]: subca02 -> 1: site2 (5406ms)
DsGetSiteName[2]: subca03 -> 0: site1 (2781ms)
DsGetSiteName[3]: subca04 -> 2: site3 (3672ms)
DsGetSiteName[4]: subca05 -> 0: site1 (2187ms)
DsGetSiteName[5]: subca06 -> 3: site4 (1594ms)
DsQuerySitesByCost: Site5
DsQuerySitesByCost[0]: site1: a (10)
DsQuerySitesByCost[1]: site2: 32 (50)
DsQuerySitesByCost[2]: site3: 32 (50)
DsQuerySitesByCost[3]: site4: 14 (20)
DsQuerySiteCosts[0.0]: EntSubca1(site1) -> a (10)
DsQuerySiteCosts[1.1]: subca02(site2) -> 32 (50)
DsQuerySiteCosts[2.0]: subca03(site1) -> a (10)
DsQuerySiteCosts[3.2]: subca04(site3) -> 32 (50)
DsQuerySiteCosts[4.0]: subca05(site1) -> a (10)
DsQuerySiteCosts[5.3]: subca06(site4) -> 14 (20)
CertUtil: -ping command completed successfully.
Thanks alot Vadmins Podans. Just to make sure, will that overrite the current machine certificate with new CA or will add one more machine certificate along wiht the old one.
Do i need to make any changes on AD for that CA’s pKIEnrollmentService object after removing the templates in old CA from certificate tempalte mmc?
> What about autoenrollment for non domain joined machine?
Check this article from AskDS: Enabling CEP and CES for enrolling non-domain joined computers for certificates