NTDS replication warning with Event ID 1093 — Template Best Practices
When configuring and managing Active Directory Certificate Services (ADCS) PKI, little things can have downstream impacts. Recently a client reached out regarding replication errors the team managing the domain controllers had forwarded.
Microsoft lists a solution to the issue but does not address the root cause: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-warning-event-id-1093
The root cause of the issue is a default template setting that is often overlooked in vendor guides and how-to videos.
When creating a new certificate template by duplicating the User template, the checkbox “Publish certificate in Active Directory” is checked by default.
With this setting enabled, every certificate issued from the template is written to the userCertificate attribute of the requesting object in Active Directory. The same attribute is used for both users and computers.
The setting isn’t a default setting on computer-based templates, but we still see the misconfiguration when assessing template configurations.
Are certificates needed in Active Directory?
There are use cases where the published data is consumed, but they are rare. Secure email, smart card logon and some vendor applications are examples. The certificate in Active Directory is a way for users to exchange public keys, or to publish the public portion of a key pair whose private key lives on a smart card. Today it is almost never needed, and it results in replication issues and strain on Active Directory.
Final Thoughts
It isn’t uncommon for an ADCS PKI to have over 20 unique certificate templates. Managing the configuration and security settings can be a challenge, especially if multiple groups have access to make updates. Our monitoring solution PKI Spotlight® monitors templates for both configuration and security issues based on best practices. If clients don’t have a monitoring solution, we recommend regularly reviewing all templates available on every ADCS certificate authority. A quick tip to view all templates published on all certificate authorities is to use certutil: certutil -ADCA shows every enrollment service object in Active Directory along with the templates each CA offers.
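The following audit script is an added example and is not part of the original post or of PKI Spotlight. It reads the template objects in the Configuration partition and flags those with the CT_FLAG_PUBLISH_TO_DS bit (0x8, the “Publish certificate in Active Directory” checkbox) set in msPKI-Enrollment-Flag, then counts how many user and computer objects already carry a userCertificate value. It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the function names are my own.

```powershell
# Added audit example (not from the original post).
# Reports ADCS templates that publish issued certificates to AD and
# how much userCertificate data the domain partition already replicates.
Import-Module ActiveDirectory

# MS-CRTD msPKI-Enrollment-Flag bit for "Publish certificate in Active Directory"
$CT_FLAG_PUBLISH_TO_DS = 0x8

function Get-PublishToDsTemplates {
    # Templates live in the forest-wide Configuration partition, not the domain partition
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Enrollment-Flag' |
        ForEach-Object {
            $flags = [int]$_.'msPKI-Enrollment-Flag'
            [PSCustomObject]@{
                Template       = $_.displayName
                EnrollmentFlag = ('0x{0:X}' -f $flags)
                PublishToDS    = [bool]($flags -band $CT_FLAG_PUBLISH_TO_DS)
            }
        }
}

function Get-UserCertificateCounts {
    # objectClass=user also matches computer objects (computer derives from user).
    # Every value stored here is replicated to each DC that holds the domain partition.
    $withCert = @(Get-ADObject -LDAPFilter '(&(objectClass=user)(userCertificate=*))' `
        -Properties userCertificate)
    $values = ($withCert | ForEach-Object { $_.userCertificate.Count } | Measure-Object -Sum).Sum
    [PSCustomObject]@{
        ObjectsWithUserCertificate = $withCert.Count
        TotalCertificateValues     = [int]$values
    }
}

# Templates that will keep adding to the userCertificate attribute
Get-PublishToDsTemplates | Where-Object PublishToDS | Format-Table -AutoSize

# Current replication footprint of already-published certificates
Get-UserCertificateCounts
```

Any template listed in the first table that does not serve a secure email or smart card use case is a candidate for clearing the checkbox; the second block gives a baseline to watch after the change.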
Jake Grandlienard
Jake Grandlienard brings more than 19 years of industry experience as a senior level engineer. Jake is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integrations.