I have an LDAP application which needs to talk to Active Directory via LDAPS (LDAP over SSL). I installed Active Directory Certificate Services on a test Domain Controller (I know this is not best practice, but my customer has no spare Windows Server license for a standalone CA server).
From here I read and followed these instructions:
If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL
The issued certificate was indeed loaded into the DC certificate store, and the LDAPS-aware application is working.
My question is: will the certificate be renewed/re-enrolled automatically, or do I need to take care of it manually? What do I need to check to be sure that automatic renewal will work correctly?
With an ADCS Enterprise CA, you can utilize certificate autoenrollment, which can automatically request and renew certificates for users and computers. I wrote a new whitepaper on how it works in detail: Certificate Autoenrollment in Windows Server 2016. There is a downloadable copy of the document.
In short, it is done as follows:
Last two items imply that you have to wait until GPO is applied to clients.
Update
In your particular question, you need only to configure the autoenrollment GPO and publish the Kerberos Authentication template to the CA if it is not yet added. This template already has all required permissions.
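To verify the two points above from the answer (autoenrollment policy applied, a certificate from the Kerberos Authentication template present and not about to lapse), here is an added read-only check script for the DC. It is not from the answer or the whitepaper; the host name, the 42-day warning threshold and the meaning of the AEPolicy bits beyond bit 1 are assumptions, and the template match relies on the display name rendered by the Certificate Template Information extension.

```powershell
# Added example (not from the original answer): read-only checks run on a DC to confirm
# that LDAPS certificate autoenrollment is in place. Host name and threshold are assumptions.
$Dc = $env:COMPUTERNAME          # assumed: run locally on the domain controller
$RenewWarningDays = 42           # assumed threshold; align with the template's renewal period

# 1. Has the autoenrollment GPO been applied? Group Policy writes AEPolicy under this key.
#    1 = autoenrollment enabled; 0 or absent = off. Higher bits (renew expired, update
#    pending, remove revoked, update by template) are assumed from the documented bitmask.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or $aePolicy -eq 0) {
    Write-Warning "Computer autoenrollment is not enabled by policy (AEPolicy=$aePolicy)."
} else {
    Write-Host "AEPolicy=$aePolicy (autoenrollment enabled by policy)"
}

# 2. Find machine certificates issued from the Kerberos Authentication template.
#    The template is recorded in the Certificate Template Information extension
#    (OID 1.3.6.1.4.1.311.21.7); Format() renders it with the template display name.
$tmplOid = '1.3.6.1.4.1.311.21.7'
$kerbCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }
    $ext -and ($ext.Format($false) -match 'Kerberos Authentication')
}
if (-not $kerbCerts) {
    Write-Warning "No certificate from the Kerberos Authentication template found in LocalMachine\My."
}
foreach ($c in $kerbCerts) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    # LDAPS needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and an accessible private key.
    $hasServerAuth = $c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    "{0}  expires {1:yyyy-MM-dd} ({2} days)  ServerAuth={3}  HasPrivateKey={4}" -f `
        $c.Thumbprint, $c.NotAfter, $daysLeft, $hasServerAuth, $c.HasPrivateKey
    if ($daysLeft -lt $RenewWarningDays) {
        Write-Warning "Renewal window reached for $($c.Thumbprint); if no newer certificate appears, autoenrollment is not renewing."
    }
}

# 3. The scheduled task that performs machine autoenrollment must exist and be enabled.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask' |
    Select-Object TaskName, State

# 4. LDAPS must be listening on 636 (chain trust is then checked by the LDAP client itself).
Test-NetConnection -ComputerName $Dc -Port 636 | Select-Object ComputerName, TcpTestSucceeded

# Optional: trigger an autoenrollment pass now instead of waiting for the next scheduled run.
# certutil -pulse
```

Run it as an administrator on the DC after the GPO has refreshed; a healthy setup shows AEPolicy non-zero, at least one Kerberos Authentication certificate with ServerAuth=True and a private key, and the SystemTask in the Ready state. When the certificate enters its renewal window, re-running the script after a `certutil -pulse` should show a second certificate with a later expiry, which is the practical proof that renewal works.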