Deploy Certificates for DNS Client Authentication

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Use the following procedures to configure and publish client certificates for IPsec authentication, and to enable certificate auto-enrollment on your DNS clients.


Client certificates used for IPsec authentication must contain the Client Authentication application policy. Depending on the certificate enrollment policies you are using, domain-joined computers might already have a certificate that meets these requirements.

You can deploy certificates to DNS clients through one of the following mechanisms:

  • OU or security group: Consider creating a separate OU or a security group that contains the computer accounts of DNS clients that will perform validation of queries for resource records contained in DNSSEC protected zones.

  • Local firewall configuration: Use this option if you have DNS clients that are not domain members or if you have a small number of DNS clients that you want to configure locally.

Use the following procedures to deploy DNS client certificates to a security group using auto-enrollment. The example security group used is DNSSEC clients. If you wish to deploy DNS client certificates manually or issue certificates to a different group of computers, modify the permission settings on the security tab in certificate template properties.

Membership in the Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Configuring certificate templates

A certificate template must be created to provide authentication of DNS queries. This certificate template will be configured with the Client Authentication application policy.


To configure and publish a certificate template, the computer must be running Windows Server Enterprise Edition with the Active Directory Certificate Services (AD CS) role installed and configured as an Enterprise certification authority (CA).

To configure a certificate template

  1. On an enterprise CA, click Start, click Run, type certtmpl.msc, and then press ENTER.

  2. In the details pane, right-click Workstation Authentication, and then click Duplicate Template.

  3. Select Windows Server 2003 Enterprise, and then click OK.

  4. Under Template display name, type DNS Client, and then select the Publish certificate in Active Directory check box.

  5. Click the Security tab, click Add, type the name of the security group you are using to deploy DNSSEC policy settings, for example DNSSEC Clients, and then click OK.

  6. Select the Allow permission for Enroll and Autoenroll for the DNSSEC Clients security group or other security group you will use to deploy DNS client policy settings.

  7. Click OK, and then close the certificate templates console.

Publishing certificate templates

Use the following procedure to allow the CA to issue the new certificate template.

To publish certificate templates

  1. Click Start, click Run, type certsrv.msc, and then press ENTER.

  2. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

  3. Click DNS Client, and then click OK.

  4. In the console tree, click Certificate Templates, and in the details pane under Name, verify that DNS Client is displayed.

  5. Close the Certification Authority console.
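The two procedures above are performed in the MMC consoles. The following PowerShell script is an added example, not part of this TechNet topic, that verifies the outcome from a domain member: that the duplicated template carries the Client Authentication application policy, that the group holds the Enroll and Autoenroll permissions, and that the template is listed as issuable on each enterprise CA. It assumes the template's Active Directory object name (CN) is DNSClient (Windows strips the space from the display name DNS Client) and that the group is named DNSSEC Clients; adjust both if yours differ.

```powershell
# Added example (not from the TechNet page): check the "DNS Client" template in AD
# and its publication on each enterprise CA. Run as a domain admin on a domain member.
# Assumptions: template CN is "DNSClient"; the security group is "DNSSEC Clients".
$templateCn    = 'DNSClient'
$groupName     = 'DNSSEC Clients'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)

# Well-known extended-right GUIDs for the Enroll and Autoenroll template permissions
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Templates and enrollment services live in the Configuration naming context
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiPath  = "CN=Public Key Services,CN=Services,$configNc"
$tplPath  = "LDAP://CN=$templateCn,CN=Certificate Templates,$pkiPath"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template object '$templateCn' was not found under CN=Certificate Templates"
}
$template = [ADSI]$tplPath

# 1. Application policy: check both the v2 application-policy attribute and the legacy EKU list
$appPolicies   = @($template.psbase.Properties['msPKI-Certificate-Application-Policy'])
$ekus          = @($template.psbase.Properties['pKIExtendedKeyUsage'])
$hasClientAuth = ($appPolicies -contains $clientAuthOid) -and ($ekus -contains $clientAuthOid)

# 2. Enroll / Autoenroll: look for Allow ACEs on the template object for the group
$rules = $template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$groupRules = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$groupName"
}
$canEnroll     = [bool]($groupRules | Where-Object { $_.ObjectType -eq $enrollGuid })
$canAutoEnroll = [bool]($groupRules | Where-Object { $_.ObjectType -eq $autoEnrollGuid })

# 3. Published: each pKIEnrollmentService object lists the templates that CA may issue
$publishedOn = @()
$enrollSvcs  = [ADSI]"LDAP://CN=Enrollment Services,$pkiPath"
foreach ($ca in $enrollSvcs.psbase.Children) {
    $issuable = @($ca.psbase.Properties['certificateTemplates'])
    if ($issuable -contains $templateCn) {
        $publishedOn += [string]$ca.psbase.Properties['cn'].Value
    }
}

New-Object PSObject -Property @{
    Template           = $templateCn
    ClientAuthPolicy   = $hasClientAuth
    GroupCanEnroll     = $canEnroll
    GroupCanAutoEnroll = $canAutoEnroll
    PublishedOnCAs     = ($publishedOn -join ', ')
}
```

If ClientAuthPolicy is false, the duplicate was not based on Workstation Authentication or the application policy was removed; if PublishedOnCAs is empty, step 2 of the publishing procedure has not been completed on that CA (certutil -CATemplates on the CA itself shows the same list). Certificates from a template that lacks Client Authentication will be rejected for IPsec authentication even though they enroll successfully.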

Enabling certificate auto-enrollment

If you will use auto-enrollment to issue certificates for IPsec authentication, you must enable auto-enrollment in Group Policy. You do not need to perform this procedure to enroll certificates manually on your DNS clients.

To enable certificate auto-enrollment

  1. On a domain controller or a computer with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, double-click the name of the GPO you will use to manage DNS client policy, for example: DNSSEC Client Policy. The Group Policy Management Editor will open.


If you are using a different GPO to manage client settings for your DNSSEC deployment, then enable certificate auto-enrollment in this GPO instead.

  3. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

  4. In the details pane, double-click Certificate Services Client – Auto-Enrollment.

  5. In the Certificate Services Client – Auto-Enrollment Properties dialog box, next to Configuration Model select Enabled from the drop-down menu, select the check boxes next to Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, and then click OK.

  6. Close the Group Policy Management Editor.
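Once the GPO is linked to the OU or filtered to the security group, the client should obtain a certificate on its next policy refresh. The following PowerShell script is an added example, not part of this TechNet topic, to run elevated on a DNS client: it forces a policy refresh and an auto-enrollment pass, reads the auto-enrollment setting the GPO wrote, and lists machine certificates with the Client Authentication usage together with their template extension. It assumes the AEPolicy registry value layout (0x8000 set means auto-enrollment is disabled; the low bits correspond to the two check boxes in step 5), which is the documented mapping but is not stated on this page.

```powershell
# Added example (not from the TechNet page): confirm auto-enrollment applied on a DNS client
# and that a certificate usable for IPsec client authentication is in the machine store.
# Assumption: AEPolicy bit 0x8000 = disabled; low bits = the two GPO check boxes.
$clientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

# 1. Refresh computer policy and trigger auto-enrollment now instead of waiting for the next cycle
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 2. Read the setting the "Certificate Services Client - Auto-Enrollment" policy wrote
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
$autoEnrollEnabled = ($aePolicy -ne $null) -and (($aePolicy -band 0x8000) -eq 0)

# 3. Machine certificates carrying Client Authentication, with template info for comparison
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthOid
}
$found = foreach ($cert in $candidates) {
    $tplExt  = $cert.Extensions | Where-Object {
        $_.Oid.Value -eq $templateInfoOid -or $_.Oid.Value -eq $templateNameOid
    }
    $tplText = ($tplExt | ForEach-Object { $_.Format($false) }) -join '; '
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        HasPrivKey  = $cert.HasPrivateKey     # IPsec needs the private key on this machine
        ChainsToCA  = $cert.Verify()         # builds and validates the chain to a trusted root
        TemplateExt = $tplText               # compare with the DNS Client template's OID/name
    }
}

New-Object PSObject -Property @{
    AutoEnrollEnabled = $autoEnrollEnabled
    AEPolicyValue     = $aePolicy
    ClientAuthCerts   = @($found).Count
}
$found | Format-List
```

A client that shows AutoEnrollEnabled as true but no certificate usually is not a member of the group granted Enroll and Autoenroll on the template, or cannot reach an enterprise CA; a certificate with HasPrivKey false or ChainsToCA false will enroll but fail IPsec authentication, so check both before deploying the IPsec policy.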

See Also


Checklist: Deploying DNSSEC and IPsec on the DNS client
Deploy IPsec Policy to Client Computers