Domain controllers and the Trusted Root Certification Authorities container

SamT 6 Reputation points
2020-12-23T21:12:07.52+00:00

Hello @Vicky Wang .
Hello Microsoft ,

We installed a new Windows 2019 domain/forest with three domain controllers a few days ago.

In the certificates mmc, when we look at the Trusted Root Certification Authorities container for the Local Computer, we get different results on all three DC's. The first DC has 37 certificates in the Trusted Root Certification Authorities container, the second DC has 20 certificates in this container and the third DC has 15 certificates in this container. This was noted immediately after all three domain controllers came up. Its a brand new domain, nothing has been done to it, no certificates installed or removed, no application servers, no users, nothing deployed, no GPO, nothing. Its untouched,

Why the discrepancy between the three DCs? Is there some logic to this? Replication between the DCs is normal and we have not removed/added any certs to the store.
I've noticed this discrepancy previously in other domains but I assumed it was due to some sort of maintenance. In this case its a brand new domain.

Thanks

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,852 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SamT 6 Reputation points
    2020-12-24T03:54:19.88+00:00

    @Fan Fan

    Hello,

    Very simple: 3 Windows 2019 servers, all installed at the same time with the same media. Create new domain on one DC (first image). Then promote the other two servers to DCs in the new domain. All done in a couple of hours. Issue visible immediately. Nothing else was done, nothing installed, nothing removed, no GPOs, nothing
    No issue at this point, just trying to understand why in case there is a cert issue in the future, I've noticed this many times over the years in other domains, I just assumed in the past that some work was done that would cause the number of Trusted CA certs to vary between DCs but I don't think that's the case now. Please see attached screen shots
    50899-domain-controller-3.png

    50966-domain-controller-2.png50967-domain-controller-1.png

    0 comments
  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-12-25T02:16:56.177+00:00

    Hi,
    Based on my research, the Microsoft Trusted Root Certificate Program releases changes to our Root Store on a monthly cadence, except for December.
    Make sure all the DCs have the latest version.

    Following link for your reference:
    https://learn.microsoft.com/en-us/security/trusted-root/release-notes
    https://learn.microsoft.com/en-us/security/trusted-root/release-notes

    Best Regards,

  3. Cheong00 3,471 Reputation points
    2020-12-31T03:57:09.843+00:00

    Please refer to here to see the behavior I described before, plus how to use PowerShell script to show the certificates embedded in crypt32.dll.

    Any certificates not listed here are installed by Root Certificate Auto Update.

    0 comments