Every domain controller needs a Domain Controller Authentication certificate. To enroll a new certificate, follow the steps below.
- On the domain controller, open mmc.
- Click File, then click Add/Remove Snap-in.
- Select Certificates, click Add, then select Computer account.
- Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.
- Click Next.
- Select Domain Controller Authentication and click Enroll.
Note: If Domain Controller Authentication does not appear in the enrollment list of the Certificates mmc on the domain controller, go to the Certificate Authority server, open the Security tab of the Domain Controller Authentication template, add the domain controller, and grant it Autoenroll permissions.
Note: If you have multiple domain controllers, the administrator must ensure that the DC that validates the user's certificate has a Domain Controller Authentication certificate in its Personal store.
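The steps above are done per DC and through the GUI; the check below is an added example (not from the original page) that reports, for every domain controller in the domain, whether its computer Personal store holds a valid certificate issued from the Domain Controller Authentication template. It assumes the ActiveDirectory module, WinRM access to each DC, and, where the template name cannot be resolved, a template OID copied from your CA into the placeholder.

```powershell
# Added example: audit all DCs for a Domain Controller Authentication certificate
# in Cert:\LocalMachine\My (the store the enrollment steps populate).
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$check = {
    # Certificate Template Information extension, present on certs from v2 templates
    # such as Domain Controller Authentication.
    $templateInfoOid = '1.3.6.1.4.1.311.21.7'
    # Placeholder: the template's OID from your CA (certutil -Template), used when
    # the friendly name does not resolve on this host.
    $templateOid = '<TEMPLATE-OID-FROM-YOUR-CA>'

    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        if (-not $ext) { return $false }
        # Format() renders text like "Template=Domain Controller Authentication(1.3.6.1.4.1.311.21.8....), ..."
        # when the OID resolves in AD; otherwise only the OID appears.
        $text = $ext.Format($false)
        ($text -match 'Domain ?Controller ?Authentication') -or ($text -like "*$templateOid*")
    }

    # A usable cert must be unexpired and have its private key on this DC.
    $valid = $found | Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey }
    $first = $valid | Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        HasDCAuth = [bool]$found
        Valid     = [bool]$valid
        Subject   = $first.Subject
        NotAfter  = $first.NotAfter
    }
}

# Run the check on every DC and list any DC that still needs enrollment.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock $check
$report | Select-Object DC, HasDCAuth, Valid, Subject, NotAfter | Sort-Object DC | Format-Table -AutoSize
$report | Where-Object { -not $_.Valid } | ForEach-Object {
    Write-Warning "$($_.DC): no valid Domain Controller Authentication certificate; enroll one."
}
```

A DC listed with HasDCAuth true but Valid false holds an expired certificate or one without its private key and needs re-enrollment just as a DC with no certificate does.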