I had a problem connecting with LDAPS to an RODC which is located in a DMZ area. Every time I tried to connect to the RODC I got a “cannot open connection” message. All DCs had an identical certificate, which was a copy of the “Kerberos Authentication” template. To all other DCs (except this one RODC) the connection was established without any problems. Strange…??


According to Microsoft, on 2008 R2 only (I suppose this also applies to W2012), a new certificate placed in the store is picked up immediately and the LDAPS service will begin using that new cert. Here are the catches from this section of logic (this logic is specific to Windows Server 2008 R2; the logic prior to that OS is different but is documented in the links above for the other OSs):

  1. The OS will use the certs found in NTDS\Certificates before using what is found in Certificates (Local Computer) > Personal.
  2. The OS then selects the cert with the expiration date furthest in the future if there are multiple matching certs.
    1. The idea here is that if you generate a newer cert and put it in that certificate store, you would want that newest cert to be the one selected from the list.

In my case I found a self-signed certificate in the NTDS store, and that was the reason the newly issued Kerberos Authentication certificate was not working correctly.
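To make the two selection rules above checkable on a DC before you start chasing the client side, here is an added PowerShell example (my own code, not from the original post or from Microsoft). It enumerates the NTDS service store and the Local Computer Personal store, applies the post's two rules (NTDS store first, then the furthest expiry), and flags the properties that explain the failure described above: a self-signed certificate sitting in the NTDS store, a certificate without a private key, or one without the Server Authentication EKU that LDAPS needs. Assumptions not taken from the post: service stores are not exposed through the `Cert:` drive, so the NTDS store is read from the standard service-store registry path `HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates`, and each key's `Blob` value is assumed to parse with the `X509Certificate2` constructor (verify on your build). The real Schannel matching also filters on key usage and chain validity, which this check deliberately does not replicate; it only reproduces the two rules the post states.

```powershell
# Added example: reproduce the LDAPS certificate selection order (NTDS\My first,
# then furthest NotAfter) and report why a DC may be serving the wrong cert.
# Assumed (not from the post): registry path of the NTDS service store and that
# its Blob values load via the X509Certificate2 constructor. Run as admin on a DC.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication, required for LDAPS
$NtdsStorePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'

function Get-NtdsStoreCertificates {
    # Service stores are not visible under Cert:\, so read the NTDS\My store from the registry.
    if (-not (Test-Path $NtdsStorePath)) { return @() }
    foreach ($key in Get-ChildItem $NtdsStorePath) {
        $blob = (Get-ItemProperty $key.PSPath).Blob
        try {
            New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$blob)
        } catch {
            Write-Warning "Could not parse NTDS store entry $($key.PSChildName): $_"
        }
    }
}

function Get-LocalMachineCertificates {
    # Certificates (Local Computer) > Personal
    Get-ChildItem Cert:\LocalMachine\My
}

function Test-LdapsCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Source)
    # EKU extension is OID 2.5.29.37; .NET exposes it as X509EnhancedKeyUsageExtension.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })
    }
    [pscustomobject]@{
        Source        = $Source
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # the condition found in the post
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuth    = $hasServerAuth
    }
}

function Select-LdapsCertificate {
    param($Candidates)
    # Rule 1: anything in NTDS\My wins over the Local Computer Personal store.
    $pool = @($Candidates | Where-Object { $_.Source -eq 'NTDS\My' -and $_.HasPrivateKey })
    if ($pool.Count -eq 0) {
        $pool = @($Candidates | Where-Object { $_.Source -eq 'LocalMachine\My' -and $_.HasPrivateKey })
    }
    # Rule 2: among the remaining certs, the expiry furthest in the future wins.
    $pool | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$candidates = @()
$candidates += Get-NtdsStoreCertificates     | ForEach-Object { Test-LdapsCandidate -Cert $_ -Source 'NTDS\My' }
$candidates += Get-LocalMachineCertificates  | ForEach-Object { Test-LdapsCandidate -Cert $_ -Source 'LocalMachine\My' }

$candidates | Format-Table Source, Thumbprint, NotAfter, SelfSigned, HasPrivateKey, ServerAuth -AutoSize

$chosen = Select-LdapsCertificate -Candidates $candidates
if (-not $chosen) {
    Write-Warning 'No certificate with a private key found in either store; LDAPS cannot start.'
} else {
    "LDAPS would select: $($chosen.Thumbprint) from $($chosen.Source) (expires $($chosen.NotAfter))"
    if ($chosen.SelfSigned)      { Write-Warning 'Selected certificate is self-signed; clients will not trust it.' }
    if (-not $chosen.ServerAuth) { Write-Warning 'Selected certificate lacks the Server Authentication EKU.' }
}
```

The check worth keeping in mind from the output: if the NTDS\My row shows `SelfSigned = True` while the Kerberos Authentication certificate only appears under LocalMachine\My, rule 1 guarantees the self-signed cert is served regardless of how good the other one is, which is exactly the situation described above. Removing the stray entry from the NTDS store (or placing the correct certificate there) is the fix; the listing also confirms the replacement has a private key and the Server Authentication EKU before you test the LDAPS connection again.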