ADCS – Active Directory Certificate Services
Active Directory Certificate Services (ADCS) is an Active Directory role that, once installed, provides a PKI from which any computer or user in the domain can request certificates.
When smart card logon is configured — even when an external PKI is imported — every domain controller performing authentication must have a "Domain Controller" certificate. Without this, smart card logon will not work even if the card and user certificate are correctly set up.
A plain gpupdate will not refresh the root CA certificate on clients; run gpupdate /force to push the updated root CA.
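A check for the prerequisite above, added here as an example and not part of the original page: it reports, for every domain controller, whether the machine store holds a certificate a KDC can use for smart card logon. It assumes the RSAT ActiveDirectory module is installed and WinRM reaches the DCs, and the EKU rule it applies (Client Authentication from the v1 Domain Controller template, or KDC Authentication from the Kerberos Authentication template) is a heuristic, not an official list.

```powershell
# Added example, not from the original page. Reports, for every domain controller,
# whether its machine store holds a usable certificate for smart card logon.
# Assumptions: RSAT ActiveDirectory module is installed and WinRM to the DCs works.
Import-Module ActiveDirectory

# EKUs accepted here (heuristic): the v1 "Domain Controller" template carries
# Client Authentication; the Kerberos Authentication template carries
# KDC Authentication. Either is accepted as sufficient for this check.
$acceptedEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.5')

# Runs on each DC: keep unexpired certs with a private key and an accepted EKU.
$probe = {
    param($oids)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $certOids = $_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
            ($certOids | Where-Object { $oids -contains $_ }).Count -gt 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                ChainOk    = $_.Verify()   # chains to a trusted root and is not revoked
            }
        }
}

foreach ($dc in Get-ADDomainController -Filter *) {
    $certs = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $probe -ArgumentList (,$acceptedEkus)
    $good  = @($certs | Where-Object ChainOk)
    if ($good.Count -eq 0) {
        Write-Warning "$($dc.HostName): no valid DC certificate; smart card logon will fail against this DC"
    } else {
        $good | Select-Object @{n='DC';e={$dc.HostName}}, Subject, NotAfter, Thumbprint |
            Format-Table -AutoSize
    }
}
```

Run it from a workstation with the RSAT tools as a user allowed to open remote sessions on the DCs; a DC listed with a warning is the one to enroll before testing a card.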
By default, the Smart Card Logon certificate template is restricted to domain administrators. To allow regular users to enroll:
- Grant Enroll permission on the template to the appropriate users or groups
- Certificates can then be registered via GPO (auto-enrollment) or manually with certmgr.msc
An administrator can register certificates on behalf of users (e.g., when preparing batch cards) by first obtaining an Enrollment Agent certificate. By default, this template is disabled and restricted to Domain/Enterprise Administrators.
Step 1 — Activate the template in the Certification Authority console
Right-click on Certificate Templates → New → Certificate Template to Issue.
Select Enrollment Agent and click OK.
Step 2 — Request the certificate
Once the template is active, request the Enrollment Agent certificate via certmgr.msc.
To revoke an issued certificate from the Certification Authority console:
- Open the Certification Authority console
- Open the Issued Certificates folder
- Locate the certificate to revoke (by serial number or requester name)
- Right-click → All Tasks → Revoke Certificate