2.3.1 Domain Controller Replication Certificate
The Domain Controller Replication certificate is an X.509 certificate (as specified in [X509]) that carries the specific extensions and values described below.
A Domain Controller Replication certificate contains X.509v1 fields, as specified in section 2.3.
A Domain Controller Replication certificate also contains the following X.509v3 extensions identified in [RFC3280] section 4.2.1.
Authority Key Identifier
Subject Key Identifier
Authority Information Access
Key Usage (Digital Signature, Key Encipherment [a0])
Subject Alternative Name
The Subject Alternative Name extension MUST contain both the globally unique identifier (GUID), as defined in [MS-DTYP] section 2.3.4, of the DC object in the directory, carried in an Other Name entry of type 1.3.6.1.4.1.311.25.1, and the Domain Name System (DNS) host name of the domain controller, carried as a DNS Name entry. For example:
Other Name: 1.3.6.1.4.1.311.25.1 (ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9)
<Internet host name of the domain controller>
CDP (CRL Distribution Point)
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
A Domain Controller Replication certificate also contains the following X.509v3 extensions specific to Microsoft.
Microsoft-defined X.509v3 extension for certificate template name.<8>
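As an added illustration, not part of this specification, the following Python decodes the DER-encoded Subject Alternative Name of such a certificate without third-party libraries: it pulls the DC object GUID out of the 1.3.6.1.4.1.311.25.1 Other Name entry, collects the DNS Name entries, and checks that the Key Usage bit string asserts the Digital Signature and Key Encipherment bits ([a0]). The sample bytes are constructed inside the block from the GUID shown in the example above and a hypothetical host name, dc01.corp.example.com; interpreting the 16 GUID octets with the first three fields little-endian (the [MS-DTYP] packet representation) is this example's assumption, as is the `_tlv` helper used only to build the sample.

```python
"""Decode the Subject Alternative Name of a Domain Controller Replication
certificate: the DC object GUID in the otherName of type
1.3.6.1.4.1.311.25.1 and the dNSName of the domain controller.
Pure-Python DER handling; sample input is constructed below and is not
taken from a real certificate."""
import uuid

NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_dc_san(san_der):
    """Return {"guid": uuid.UUID or None, "dns_names": [str, ...]} from the DER
    GeneralNames that forms the SAN extension value."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value is not a SEQUENCE")
    result = {"guid": None, "dns_names": []}
    pos = 0
    while pos < len(names):
        tag, content, pos = _read_tlv(names, pos)
        if tag == 0x82:  # dNSName [2] IA5String
            result["dns_names"].append(content.decode("ascii"))
        elif tag == 0xA0:  # otherName [0]: type-id OID, then [0] EXPLICIT value
            oid_tag, oid_bytes, p = _read_tlv(content, 0)
            if oid_tag != 0x06 or _decode_oid(oid_bytes) != NTDS_REPLICATION_OID:
                continue  # some other otherName type; not the DC GUID
            _, explicit, _ = _read_tlv(content, p)  # strip the [0] wrapper
            val_tag, guid_bytes, _ = _read_tlv(explicit, 0)
            if val_tag != 0x04 or len(guid_bytes) != 16:
                raise ValueError("DC GUID must be a 16-octet OCTET STRING")
            # Assumption: GUID packet representation, first three fields little-endian
            result["guid"] = uuid.UUID(bytes_le=bytes(guid_bytes))
    return result


def has_replication_key_usage(key_usage_der):
    """True if the DER KeyUsage BIT STRING asserts digitalSignature (bit 0)
    and keyEncipherment (bit 2), i.e. the [a0] value listed above."""
    tag, content, _ = _read_tlv(key_usage_der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage is not a BIT STRING")
    bits = content[1]  # content[0] is the unused-bits count
    return bool(bits & 0x80) and bool(bits & 0x20)


def _tlv(tag, content):
    """Short-form DER TLV encoder, used only to build the constructed sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


# Constructed sample: the GUID octets from the example above and a
# hypothetical host name. 2b0601040182371901 is the DER of 1.3.6.1.4.1.311.25.1.
SAMPLE_GUID_BYTES = bytes.fromhex("ac4b2906aad65d4fa99c4cbcb06a65d9")
SAMPLE_SAN = _tlv(
    0x30,
    _tlv(0xA0, _tlv(0x06, bytes.fromhex("2b0601040182371901"))
         + _tlv(0xA0, _tlv(0x04, SAMPLE_GUID_BYTES)))
    + _tlv(0x82, b"dc01.corp.example.com"),
)
# KeyUsage [a0]: 3 bits used, so DER records 5 unused trailing bits.
SAMPLE_KEY_USAGE = _tlv(0x03, bytes([0x05, 0xA0]))

if __name__ == "__main__":
    parsed = parse_dc_san(SAMPLE_SAN)
    print("DC object GUID:", parsed["guid"])
    print("DNS names:", parsed["dns_names"])
    print("Key usage OK:", has_replication_key_usage(SAMPLE_KEY_USAGE))
```

A verifier built on this would reject the certificate when `guid` comes back `None` or `dns_names` is empty, since the specification makes both mandatory, and would additionally confirm the Client Authentication and Server Authentication OIDs in Enhanced Key Usage.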