Hello All
Can someone please help me with the following question. This may be two questions (so if you think I have to post separately please let me know).
I was reading an MS article called "Active Directory Domain Controllers and Certificate auto-enrolment" which was very helpful but threw up some questions too.
For example, the article talks about a 'template' called 'Directory E-mail Replication'. What is this? In other words, we have all heard of MS Exchange for corporate email, but the name of this template seems to suggest 'Domain Controllers' send e-mails to each other (over and above their normal AD replication)? Or is this template used for sending AD replication data via SMTP rather than RPC (which is something I have never heard of)? Can someone please explain the purpose of this template? Thanks very much.
Also, I want to understand the relationship (if any) between these Domain Controller PKI templates and Kerberos in general (can someone point me to a white paper or good blog article?).
For example, my understanding at the moment is that Kerberos is basically a 'symmetric' key encryption system whereby the KDC (Key Distribution Center) takes care of administering all these symmetric key pairs. Is this basic premise correct?
I understand (at a very basic level) the concept of Kerberos TGT and TST (ticket granting ticket and ticket service ticket) and the fact that the client cannot read the contents of either of these (rather, the KDC is the trust anchor and deals with all the encryption and decryption of the keys to provide/prove identity authentication, and the client simply presents these tickets).
Hopefully the above is correct (or on the right lines). What I do not understand is how this (Kerberos/KDC) relates to DCs and their 'Domain Controller' templates, or how these Domain Controllers use the certificates generated from these templates for encryption (I presume to encrypt the AD sync traffic, but isn't this done via Kerberos?).
Also, AD CA is an optional component, therefore my logic suggests there should be no relation between these Domain Controller templates and Kerberos.
As you can see, I have some fundamental gaps in my knowledge and would really appreciate someone helping me out here.
Thanks very much