To issue a certificate for Active Directory, a user account for the certificate must exist in your on-premises CA. You must create a user account to issue the initial Active Directory server certificate. You must recover (reset) the user account to renew the Web server certificate.
To manually create or recover (reset) a user account, you can use an administration application such as Entrust Authority Security Manager Administration or the User Management Service (Entrust Administration Services). When creating a new user account:
- It is recommended that you configure the user's name (using the directory naming attributes) to be the fully qualified domain name of the domain controller, for example, activedirectory.example.com.
- Select a 1-key-pair certificate type with a Dual Usage certificate definition that includes an Extended Key Usage extension with server authentication and client authentication, and a DomainController extension (OID 1.3.6.1.4.1.311.20.2). The certificate definition should also be assigned a certificate definition policy. For example, the Enterprise Domain Controller (ent_ad_dc) certificate type.
- For the Subject Alternative Name (SubjectAltName) extension, add a DNS Name component for each DNS name that may be used by Active Directory.
For information about creating or recovering user accounts, see the documentation for the client application.
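The following check is an added example, not part of this documentation or of Entrust's software: it uses the pyca/cryptography library to verify that an issued domain controller certificate carries the extensions listed above (server and client authentication EKU, the DomainController extension, and a SAN DNS name for the domain controller). The self-signed certificate it builds is a constructed stand-in for a CA-issued one, and the domain controller name activedirectory.example.com is assumed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft certificate-template-name extension; for a domain controller
# certificate its value is the BMPString "DomainController".
TEMPLATE_NAME_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2")
DC_TEMPLATE_DER = b"\x1e" + bytes([2 * len("DomainController")]) + "DomainController".encode("utf-16-be")

def check_dc_certificate(cert, dc_fqdn):
    """Return a list of problems; an empty list means the certificate meets the requirements above."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        for oid in (ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH):
            if oid not in eku:
                problems.append(f"EKU missing {oid.dotted_string}")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    try:
        # An OID the library does not model is exposed as UnrecognizedExtension with raw DER in .value
        tmpl = cert.extensions.get_extension_for_oid(TEMPLATE_NAME_OID).value
        if tmpl.value != DC_TEMPLATE_DER:
            problems.append("template name extension is not DomainController")
    except x509.ExtensionNotFound:
        problems.append("no DomainController extension (1.3.6.1.4.1.311.20.2)")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if dc_fqdn.lower() not in [n.lower() for n in san.get_values_for_type(x509.DNSName)]:
            problems.append(f"SAN has no DNS name for {dc_fqdn}")
    except x509.ExtensionNotFound:
        problems.append("no SubjectAlternativeName extension")
    return problems

def make_sample_cert(dc_fqdn, dns_names, include_template=True):
    """Constructed self-signed sample standing in for a CA-issued domain controller certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dc_fqdn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH,
                                                     ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
               .add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names]), critical=False))
    if include_template:
        builder = builder.add_extension(x509.UnrecognizedExtension(TEMPLATE_NAME_OID, DC_TEMPLATE_DER), critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    dc = "activedirectory.example.com"
    print(check_dc_certificate(make_sample_cert(dc, [dc, "example.com"]), dc))
```

Run the check against a certificate loaded with x509.load_pem_x509_certificate to verify what the CA actually issued before installing it on the domain controller.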