5

I have this weird, unexplained delay before the certificates I put on my servers actually start working.

It goes something like this:

I add the Certificates snap-in to MMC to manage the computer account certificates.

I then add some certificates to Trusted Root Certification Authorities and some to Intermediate Certification Authorities.

The certificates I add to Trusted Root Certification Authorities are those of the entire organization, and the ones I add to Intermediate Certification Authorities are those of the branch I belong to.

I publish the certificates to Active Directory using the cmd commands "certutil -f -dspublish RootCA" and "certutil -f -dspublish NTAuthCA".

I try to log in using my smart card, and I get this error: "An untrusted certificate authority was detected while processing the smart card".

I wait a day, and then everything is suddenly working fine: I can log in, I don't get any errors, nothing.

I've searched everywhere for this weird delay, but I haven't managed to find anything concrete. Does anyone have any ideas?

Greg Askew
    For information, I previously encountered such an issue of a delay before certificates started to work, caused by buggy timezone handling. For instance, if you create a certificate with a validity period starting at 9AM in a UTC+2 timezone, and another application compares this date to UTC time (9AM UTC), then it will start to be valid only two hours later, at 11AM UTC+2. This behavior is buggy and should not happen, but an easy prevention measure is to generate certificates with validity periods starting and ending, for instance, at midnight. – WhiteWinterWolf May 27 '15 at 08:29

1 Answer

2

Two possible explanations:

1) The delay is caused by replication between domain controllers (if you have more than one).

2) The delay is caused by policies not yet being applied on the servers when you attempt verification. Machine policies are applied every 90 minutes by default in w2k8r2; I don't know what the timer is in w2k12.

(1) and (2) may be combined. I always run "gpupdate /force" on the servers I am going to log in to when verifying certificates. Have you tried it?

HBruijn
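The answer's two explanations (DC replication lag vs. Group Policy refresh lag) can be told apart by checking each stage the published certificate has to pass through. The script below is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module is installed and takes the thumbprint of the CA certificate you published as a parameter.

```powershell
# Added example: trace a CA certificate published with "certutil -dspublish"
# through AD (per domain controller), the local NTAuth cache that Group
# Policy fills, and the local machine stores the MMC snap-in shows.
# Assumes the RSAT ActiveDirectory module; $Thumbprint is supplied by you.
param(
    [Parameter(Mandatory)] [string] $Thumbprint   # thumbprint of the published CA certificate
)
Import-Module ActiveDirectory
$Thumbprint = $Thumbprint.Replace(' ', '').ToUpperInvariant()

# 1. Stage one: the NTAuthCertificates object in the Configuration partition,
#    which is what "certutil -f -dspublish <cert> NTAuthCA" writes to.
#    Query every DC so that replication lag between them becomes visible.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $obj = Get-ADObject -Identity $ntAuthDN -Properties cACertificate -Server $dc.HostName
    $present = $false
    foreach ($raw in $obj.cACertificate) {
        # cACertificate is multi-valued; each value is one DER-encoded certificate
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($cert.Thumbprint -eq $Thumbprint) { $present = $true }
    }
    "{0,-40} NTAuth in AD: {1}" -f $dc.HostName, $present
}

# 2. Stage two: the local NTAuth cache populated by Group Policy on this machine
#    (the 90-minute default refresh, or immediately after "gpupdate /force").
$localNtAuth = Test-Path "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$Thumbprint"
"Local NTAuth cache (filled by Group Policy): $localNtAuth"

# 3. Stage three: the local machine Root and Intermediate (CA) stores.
$inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint)
$inCA   = [bool](Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $Thumbprint)
"Local Root store: $inRoot   Local Intermediate (CA) store: $inCA"
```

If stage one differs between DCs, the delay is replication (explanation 1); if every DC agrees but stage two is still false, the machine is waiting on the policy refresh (explanation 2).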