Hey David Bargna
Yes, you are correct: if you have multiple certificates that are valid for Server Authentication, and you need a specific certificate to be used for LDAPS communications, then you would need to import the PFX file to the AD DS Service store. The issue with importing it to a service store is that it WILL NOT be automatically renewed ever. Your AD Management team would have to remember to get a new certificate on their own when the DC's AD DS certificate was about to expire.
This is why we really DO NOT recommend this as a solution if it can be helped, and recommend just using one certificate for the specific purpose you have. Sometimes that means only having a certificate with one EKU on it and having all the DNS names that are needed in the SAN extension of the issued certificate, then maybe having another certificate that is valid only for Remote Desktop Authentication (a different OID than Server Authentication), as the RDS Service responsible for certificate management does not use / leverage autoenrollment code and will actually mess it up if both autoenrollment and the service try to manage the certificate. I have a blog coming out specifically about RDS certificates, as we get tons of cases where it is an issue.
Hopefully it will be out in the next few weeks I think.