LDAPS windows 2008 R2 – external domain – CA
- Angelo Schalley
- Jul 21, 2011
- Active Directory, Certificates, IIS, Networking, security, Windows-Microsoft
On the local domain controller, create a request file (request.inf):
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc01.domain.local" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA is below current minimum recommendations;
; use 2048 or larger for new certificates.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
CertificateTemplate = "DomainControllerAuthentication"
SAN = "dns=DC01.domain.local"
;-----------------------------------------------
Then execute the following command with admin rights:
certreq -new request.inf request.req
Copy request.req to the CA in the other domain (or the standalone CA) and do the following:
Open MMC, Certification Authority, Certificate Templates.
Double-click the Domain Controller Authentication template.
Change the validity period to 10 years, edit the security to allow Authenticated Users enroll rights, and check the box for publishing in AD.
Then execute the following with admin rights:
certreq -adminforcemachine -attrib "CertificateTemplate:DomainControllerAuthentication" request.req
Export the root CA certificate, including the certification path and key.
Import the newly created certificate and the root CA certificate into the certificate store of the domain controller.
Import the newly created certificate and the root CA certificate into the certificate store of the client that connects to the domain controller over LDAPS.
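To confirm that the DC is actually presenting the new certificate on port 636 after the imports, here is an added PowerShell check (my own script, not from the original post; assumes Windows PowerShell 3.0 or later, and the DC name is a placeholder you replace). It reports the Server Authentication EKU and SAN that request.inf asked for, whether the chain is trusted on the machine running it (what the root CA import fixes), key size and expiry.

```powershell
# Added LDAPS certificate check; not part of the original post.
# Assumption: the default DC name below is a placeholder, replace it.
param(
    [string]$DomainController = 'dc01.domain.local',  # placeholder
    [int]$Port = 636
)

function Get-ExtensionText($Certificate, $Oid) {
    # Human-readable text of one X.509 extension, or '<absent>' if missing
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '<absent>' }
}

# Open a TLS session to the LDAPS port. The handshake callback accepts any
# certificate so it can be inspected even before the root CA is trusted
# here; trust is evaluated separately with X509Chain below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Build the chain against this machine's trust store: this fails until the
# root CA from the other domain has been imported (as described above).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

$san = Get-ExtensionText $cert '2.5.29.17'   # Subject Alternative Name
$eku = Get-ExtensionText $cert '2.5.29.37'   # Enhanced Key Usage

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    KeySize        = $cert.PublicKey.Key.KeySize
    SAN            = $san
    EKU            = $eku
    HasServerAuth  = ($eku -match '1\.3\.6\.1\.5\.5\.7\.3\.1')  # OID from request.inf
    SANMatchesFQDN = ($san -match [regex]::Escape($DomainController))
    ChainTrusted   = $chainOk
    ChainStatus    = $(if ($chainOk) { 'OK' } else { $chainStatus })
    Expired        = ($cert.NotAfter -lt (Get-Date))
}
```

Run it from the client that will use LDAPS as well as from the DC itself: a ChainStatus other than OK on the client is the symptom the root CA import on the client is meant to cure.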
cheers