
sime3000 asked sime3000 commented

Domain controllers and the Trusted Root Certification Authorities container

Hello @VickyWang-MFST,
Hello Microsoft,

We installed a new Windows 2019 domain/forest with three domain controllers a few days ago.

In the Certificates MMC, when we look at the Trusted Root Certification Authorities container for the Local Computer, we get different results on all three DCs. The first DC has 37 certificates in the Trusted Root Certification Authorities container, the second DC has 20 certificates in this container and the third DC has 15 certificates in this container. This was noted immediately after all three domain controllers came up. It's a brand new domain; nothing has been done to it, no certificates installed or removed, no application servers, no users, nothing deployed, no GPO, nothing. It's untouched.

Why the discrepancy between the three DCs? Is there some logic to this? Replication between the DCs is normal and we have not removed/added any certs to the store.
I've noticed this discrepancy previously in other domains, but I assumed it was due to some sort of maintenance. In this case it's a brand new domain.


Thanks

windows-active-directory

Hi,

Before going further, please help to confirm the following information.

Did the situation mentioned above cause any issues in your environment? If so , please share a screenshot of the error messages.

For the certs number differences, would you please share a screenshot? Or you can tell what certs are missing on the second DC and the third DC?
Also, the local certs for the DCs (computers) won't replicate between DCs in a domain. If any certs were added before the domain join, certs would not be removed either, since the certs are for the local computers.

Best Regards,

sime3000 answered sime3000 edited

@FanFan-MSFT

Hello,

Very simple: 3 Windows 2019 servers, all installed at the same time with the same media. Create new domain on one DC (first image). Then promote the other two servers to DCs in the new domain. All done in a couple of hours. Issue visible immediately. Nothing else was done, nothing installed, nothing removed, no GPOs, nothing.
No issue at this point, just trying to understand why in case there is a cert issue in the future. I've noticed this many times over the years in other domains; I just assumed in the past that some work was done that would cause the number of Trusted CA certs to vary between DCs, but I don't think that's the case now. Please see attached screenshots:
[Attached screenshots: 50899-domain-controller-3.png, 50966-domain-controller-2.png, 50967-domain-controller-1.png]




FanFan-MSFT answered sime3000 commented

Hi,
Based on my research, the Microsoft Trusted Root Certificate Program releases changes to our Root Store on a monthly cadence, except for December.
Make sure all the DCs have the latest version.

Following link for your reference:
https://docs.microsoft.com/en-us/security/trusted-root/release-notes

Best Regards,


@FanFan-MSFT

Hello again,

Thanks for the link. You may be missing the question. I'll restate the symptoms:

  • The three Windows 2019 DCs were all installed within two hours of each other using the same media - around the 10th of December.

  • Created new domain on one DC

  • Then promoted the other two servers to DCs in the new domain.

  • Issue visible immediately. Large discrepancy between the three servers. Why ?

  • Nothing else was done, nothing installed, nothing removed, no GPOs, nothing.

  • Seems to be an issue with Windows DCs in general but this new installation makes it obvious.

The article has nothing to do with the question being asked. The article says the last MS updates to the CAs were two months ago, and the current article does not project any date for the next one.

Please review the symptoms above. Why the discrepancy between the three servers? Did you see the discrepancy illustrated in the screenshots you asked for?

Thanks


Hi,

Sorry for late reply.
Even with the same media, there may be some different updates and options during the installation. To narrow down the question, would you please run winver and share a screenshot? Or, for security reasons, you can tell me the result.
I don't think it is related to the DC reasons (first DC or second). I have 2 DCs in different forests and both of them are the only DC with all the FSMO roles but different
Here are the screenshots for them:
2019 datacenter
![52385-12311.jpg][1]

2019 standard
![52403-12312.jpg][2]

Thanks for your patience and understanding!
[1]: /answers/storage/temp/52385-12311.jpg
[2]: /answers/storage/temp/52403-12312.jpg


@FanFan-MSFT

Hello again FanFan,

The installed OS version from winver is "Version 1809 (OS Build 17763.1637)"

Not sure what you mean by "different updates and options". As stated earlier, the scenario could not be simpler:

  • The three Windows 2019 DCs were all installed within two hours of each other using the same media - around the 10th of December.


  • Created new domain on one DC


  • Then promoted the other two servers to DCs in the new domain.


  • Issue visible immediately. Large discrepancy between the three servers. Why ?


  • Nothing else was done, nothing installed, nothing removed, no GPOs, nothing ... Nothing.


  • Seems to be an (undocumented) issue with Windows Domain Controllers in general but this new installation makes it obvious.

I
Thanks again for your time

cheong00 answered cheong00 edited

Please refer to the link here to see the behaviour I described before, plus how to use a PowerShell script to show the certificates embedded in crypt32.dll.

Any certificates not listed here are installed by Root Certificate Auto Update.


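A way to check this on the three DCs directly, as an added example that is not from anyone in this thread: the MMC "Trusted Root Certification Authorities" view is a logical store that merges several physical stores, including `Root` (roots shipped with the OS or installed by an admin) and `AuthRoot` (roots fetched on demand by Root Certificate Auto Update when a chain is built, e.g. during an outbound TLS connection or Windows Update). The script inventories both stores per DC, reports the counts, and lists roots present on some DCs but not all. The hostnames are placeholders and WinRM is assumed to be enabled.

```powershell
# Added example, not from the thread. Placeholder DC names; WinRM assumed.
$DCs = 'DC1', 'DC2', 'DC3'

$inventory = Invoke-Command -ComputerName $DCs -ScriptBlock {
    # Policy value that turns Root Certificate Auto Update off (1 = disabled).
    $disabled = (Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
        -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object {
            [pscustomobject]@{
                Store              = $store
                Thumbprint         = $_.Thumbprint
                Subject            = $_.Subject
                NotAfter           = $_.NotAfter
                AutoUpdateDisabled = [bool]$disabled
            }
        }
    }
}

# Per-DC count of each physical store; Root + AuthRoot is roughly what the
# MMC container shows, and AuthRoot is where the on-demand roots land.
$inventory | Group-Object PSComputerName, Store |
    Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Roots that exist on some DCs but not on all of them: these explain the
# differing counts. A root that is only ever in AuthRoot was pulled by
# auto-update on the DCs that happened to need it for a chain.
$inventory | Group-Object Thumbprint |
    Where-Object { ($_.Group.PSComputerName | Sort-Object -Unique).Count -lt $DCs.Count } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Name
            Subject    = $_.Group[0].Subject
            Store      = ($_.Group.Store | Sort-Object -Unique) -join ','
            PresentOn  = ($_.Group.PSComputerName | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Subject | Format-Table -AutoSize
```

If every DC shows `AutoUpdateDisabled = False` and the differing roots sit in `AuthRoot`, the discrepancy is the expected result of on-demand root download rather than replication or installation differences; a root that differs in `Root` itself is the one worth investigating.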