For a lab/teaching environment, we need to set up a Windows 2012R2 machine as a domain controller, with LDAPS enabled on 636. As we also need ADCS installed, we have just let ADCS auto generate the cert on the LDAPS service.
However, the cert expires in one year. Is there a mechanism where the cert auto renews somehow when a year is up?
I can't seem to find an answer to this.
Or should I manually set up a cert like this with a more distant expire time?
In Active Directory Certificate Services it is possible to configure certificates to autorenew prior to certificate expiration. This functionality (which is shipped with every Windows box) is called certificate autoenrollment.
Here is the link that describes how to enable autoenrollment functionality (which is disabled by default): https://technet.microsoft.com/en-us/library/cc770546.aspx
In your case, it is sufficient to use a certificate based on the Kerberos Authentication certificate template (which is compatible with LDAPS) and enable the autoenrollment GPO. The certificate template already contains Autoenroll permissions for the Enterprise Domain Controllers global group. If the GPO is configured properly, domain controllers will renew their LDAPS certificates after 80% of the existing certificate's lifespan.
And here is a link that describes what autoenrollment is and how it works in detail (for reference): https://technet.microsoft.com/en-us/library/cc778954(v=ws.10).aspx
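As an added example (not part of the question or the answer above), the following PowerShell script lets an administrator verify on the domain controller what the answer describes: which certificate the LDAPS listener on 636 actually presents and how close it is to expiry, when the 80%-of-lifetime renewal point falls, which local-machine certificates are eligible for LDAPS at all, and whether the autoenrollment policy is in effect. The DC name `dc01.lab.example` is a placeholder, and the mapping of `AEPolicy` registry values is the commonly observed one (7 for Enabled with both renewal options checked, 0x8000 for Disabled, key absent for Not configured), stated here as an assumption to check against the linked documentation.

```powershell
# Added example: run on the domain controller as an administrator.
# Requires PowerShell 4+ and the PKI module (Windows Server 2012 R2 has both).
$DcFqdn = 'dc01.lab.example'   # placeholder: replace with the DC's own FQDN

# 1. Fetch the certificate that the LDAPS listener presents on port 636.
function Get-LdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept any chain during the handshake: we want to inspect the cert,
        # not decide trust yet (trust is checked separately below).
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# 2. Report lifetime figures: days left, and the date at which autoenrollment
#    is expected to renew (80% of the validity period, as the answer states).
function Get-LdapsCertificateStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $lifetime    = $Cert.NotAfter - $Cert.NotBefore
    $renewAt     = $Cert.NotBefore.AddTicks([long]($lifetime.Ticks * 0.8))
    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        NotAfter       = $Cert.NotAfter
        DaysRemaining  = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        ExpectedRenewal = $renewAt
        ChainTrusted   = $Cert.Verify()   # $false if the issuing CA is not trusted here
    }
}

# 3. List local-machine certificates LDAPS could pick: private key present and
#    the Server Authentication EKU (1.3.6.1.5.5.7.3.1), plus the template name.
function Get-LdapsCandidateCertificates {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku) { return }
        $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
        if (-not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) { return }
        # Template information lives in the Certificate Template Information (1.3.6.1.4.1.311.21.7)
        # or legacy Certificate Template Name (1.3.6.1.4.1.311.20.2) extension.
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7','1.3.6.1.4.1.311.20.2' } |
                ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            Template   = ($tmpl -join '; ')
        }
    }
}

# 4. Check whether the computer autoenrollment GPO has been applied.
function Get-AutoEnrollmentPolicyState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    if (-not (Test-Path $key)) { return 'Not configured (registry key absent)' }
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v)     { return 'Not configured (AEPolicy value absent)' }
    if ($v -band 0x8000)  { return "Disabled (AEPolicy=0x{0:X})" -f $v }
    if ($v -eq 7)         { return 'Enabled with renew/update and template-update options (AEPolicy=7)' }
    return "Enabled, partial options (AEPolicy=0x{0:X})" -f $v
}

# --- usage ---
$live = Get-LdapsCertificate -ComputerName $DcFqdn
Get-LdapsCertificateStatus -Cert $live | Format-List
"Eligible LDAPS certificates in LocalMachine\My:"
Get-LdapsCandidateCertificates | Format-Table -AutoSize
"Autoenrollment policy: " + (Get-AutoEnrollmentPolicyState)
```

If the policy shows as enabled but no Kerberos Authentication certificate is present yet, `certutil -pulse` triggers an autoenrollment pass immediately, and `Get-Certificate -Template KerberosAuthentication -CertStoreLocation Cert:\LocalMachine\My` requests one manually from the enterprise CA; rerun the first two functions afterwards to confirm the listener has switched to the new certificate and that `ChainTrusted` is true for the clients that will connect over 636.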