Vadims Podāns 17.07.2019 16:09 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

> What about autoenrollment for non domain joined machine?

Check this article from AskDS: Enabling CEP and CES for enrolling non-domain joined computers for certificates

Vadims Podāns 17.07.2019 16:02 (GMT+3) Test, whether CA server is online and which interfaces are available

I believe these numbers are costs to a particular AD site. The first number is in hex format, with the decimal equivalent in parentheses.

cert 15.07.2019 23:44 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

Hi, Vadims.

What about autoenrollment for a non-domain-joined machine? Definitely I should use CEP and CES, but what authentication should I use? Certificate authentication, I assume. Otherwise it wouldn't be possible for the computer account to automatically renew its certificate?

cert 15.07.2019 22:22 (GMT+3) Test, whether CA server is online and which interfaces are available

Hi, Vadims.

Do you know how to interpret the output of the certutil -ping command? What does it mean: -> a (10) or -> 32 (50)? Where can I read about it?

What is the preferred site (site awareness enabled) for requesting a cert from Site5?

DsGetSiteName: PC -> Site5
DsGetSiteName[0]: EntSubca1 -> 0: site1 (2969ms)
DsGetSiteName[1]: subca02 -> 1: site2 (5406ms)
DsGetSiteName[2]: subca03 -> 0: site1 (2781ms)
DsGetSiteName[3]: subca04 -> 2: site3 (3672ms)
DsGetSiteName[4]: subca05 -> 0: site1 (2187ms)
DsGetSiteName[5]: subca06 -> 3: site4 (1594ms)
DsQuerySitesByCost: Site5
DsQuerySitesByCost[0]: site1: a (10)
DsQuerySitesByCost[1]: site2: 32 (50)
DsQuerySitesByCost[2]: site3: 32 (50)
DsQuerySitesByCost[3]: site4: 14 (20)
DsQuerySiteCosts[0.0]: EntSubca1(site1) -> a (10)
DsQuerySiteCosts[1.1]: subca02(site2) -> 32 (50)
DsQuerySiteCosts[2.0]: subca03(site1) -> a (10)
DsQuerySiteCosts[3.2]: subca04(site3) -> 32 (50)
DsQuerySiteCosts[4.0]: subca05(site1) -> a (10)
DsQuerySiteCosts[5.3]: subca06(site4) -> 14 (20)
CertUtil: -ping command completed successfully.
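
Added example, not part of the original comments: a small Python parser for the DsQuerySiteCosts lines of the certutil -ping output quoted above. It checks that each hex cost matches the decimal in parentheses, as the reply describes, and lists the CAs by ascending cost. That a lower cost is tried first is an assumption here; the sample is a constructed excerpt of the posted output, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the certutil -ping output posted in the comment above.
SAMPLE = """\
DsGetSiteName: PC -> Site5
DsQuerySitesByCost[0]: site1: a (10)
DsQuerySitesByCost[1]: site2: 32 (50)
DsQuerySiteCosts[0.0]: EntSubca1(site1) -> a (10)
DsQuerySiteCosts[1.1]: subca02(site2) -> 32 (50)
DsQuerySiteCosts[2.0]: subca03(site1) -> a (10)
DsQuerySiteCosts[3.2]: subca04(site3) -> 32 (50)
DsQuerySiteCosts[4.0]: subca05(site1) -> a (10)
DsQuerySiteCosts[5.3]: subca06(site4) -> 14 (20)
CertUtil: -ping command completed successfully.
"""

# Matches "DsQuerySiteCosts[<ca>.<site>]: <CA>(<site>) -> <hex cost> (<decimal cost>)".
LINE = re.compile(
    r"^DsQuerySiteCosts\[\d+\.\d+\]:\s+(\S+?)\((\S+?)\)"
    r"\s+->\s+([0-9a-fA-F]+)\s+\((\d+)\)$"
)

def parse_site_costs(text):
    """Return one dict per CA; all other certutil lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ca, site, hex_cost, dec_cost = m.groups()
        cost = int(hex_cost, 16)  # first number is hexadecimal
        if cost != int(dec_cost):  # parenthesised value should be the same number
            raise ValueError(f"hex/decimal mismatch for {ca}: {hex_cost} vs {dec_cost}")
        rows.append({"ca": ca, "site": site, "cost": cost})
    return rows

def rank_by_cost(rows):
    """Order CAs by ascending site cost (assumption: cheapest is tried first).
    sorted() is stable, so CAs with equal cost keep certutil's order."""
    return sorted(rows, key=lambda r: r["cost"])

if __name__ == "__main__":
    for r in rank_by_cost(parse_site_costs(SAMPLE)):
        print(f'{r["cost"]:>4}  {r["site"]:<6} {r["ca"]}')
```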

Jags 12.07.2019 21:08 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 2)

Thanks a lot, Vadims Podans. Just to make sure, will that overwrite the current machine certificate with the new CA, or will it add one more machine certificate along with the old one?

Do I need to make any changes on AD for that CA’s pKIEnrollmentService object after removing the templates in the old CA from the certificate template MMC?