Certificate Templates, Add-CATemplate problems

Here’s a script I mangled from Technet
https://social.technet.microsoft.com/Forums/windowsserver/en-US/347acc93-8352-4535-ab1a-23ebd49eea22/duplicate-certificate-template-edit-and-publish-it?forum=winserverpowershell

I’m having trouble on the last part where I call ‘Add-CATemplate’. If I run the script as is, the template gets created, but will not publish. I have to go to the templates MMC and refresh for the add-template command to work.

Add-CATemplate : The "deploy-WebServer" template does not exist in the domain.
At I:\scripts\WebServer-Template.ps1:79 char:1
+ Add-CATemplate -Name 'deploy-WebServer' -force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (deploy-WebServer:String) [Add-CATemplate], InvalidTemplateException
    + FullyQualifiedErrorId : InvalidTemplate,Microsoft.CertificateServices.Administration.Commands.CA.AddCATemplateCommand

Is there a way to refresh the list powershell-magically?

$ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
$ADSI = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

# Create the template object; distinguishedName has to be set before the first SetInfo()
$NewTempl = $ADSI.Create("pKICertificateTemplate", "CN=deploy-WebServer")
$NewTempl.put("distinguishedName","CN=deploy-WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext")
# and put other attributes that you need

$NewTempl.put("flags","131649")
$NewTempl.put("displayName","deploy-WebServer")
$NewTempl.put("revision","100")
$NewTempl.put("pKIDefaultKeySpec","1")                    # AT_KEYEXCHANGE
$NewTempl.SetInfo()

$NewTempl.put("pKIMaxIssuingDepth","0")
$NewTempl.put("pKICriticalExtensions","2.5.29.15")        # Key Usage is marked critical
$NewTempl.put("pKIExtendedKeyUsage","1.3.6.1.5.5.7.3.1")  # Server Authentication
$NewTempl.put("pKIDefaultCSPs","1,Microsoft RSA SChannel Cryptographic Provider")
$NewTempl.put("msPKI-RA-Signature","0")                   # no authorized signatures required
$NewTempl.put("msPKI-Enrollment-Flag","8")                # CT_FLAG_PUBLISH_TO_DS
$NewTempl.put("msPKI-Private-Key-Flag","16842768")        # 0x01010010: private key exportable
$NewTempl.put("msPKI-Certificate-Name-Flag","1")          # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester supplies the subject
$NewTempl.put("msPKI-Minimal-Key-Size","2048")
$NewTempl.put("msPKI-Template-Schema-Version","2")
$NewTempl.put("msPKI-Template-Minor-Revision","2")
$NewTempl.put("msPKI-Cert-Template-OID","1.3.6.1.4.1.311.21.8.7183632.6046387.16009101.13536898.4471759.164.5869043.12046343")
$NewTempl.put("msPKI-Certificate-Application-Policy","1.3.6.1.5.5.7.3.1")  # Server Authentication

$NewTempl.SetInfo()

# Copy validity and renewal periods from the built-in Subordinate Certification Authority template
$WATempl = $ADSI.psbase.children | where {$_.displayName -eq "Subordinate Certification Authority"}

$NewTempl.pKIExpirationPeriod = $WATempl.pKIExpirationPeriod
$NewTempl.pKIOverlapPeriod = $WATempl.pKIOverlapPeriod
$NewTempl.SetInfo()

# Copy the Key Usage extension from the built-in Web Server template
$WATempl2 = $ADSI.psbase.children | where {$_.displayName -eq "Web Server"}

$NewTempl.pKIKeyUsage = $WATempl2.pKIKeyUsage
$NewTempl.SetInfo()
$NewTempl | select *

# ACL the new object starts with (inherited from the Certificate Templates container)
$acl = $NewTempl.psbase.ObjectSecurity
$acl | select -ExpandProperty Access

# Grant Authenticated Users read + enroll.
# ExtendedRight with no object GUID covers every extended right on the template
# (Enroll and Autoenroll alike), not only Enroll.
$AdObj = New-Object System.Security.Principal.NTAccount("Authenticated Users")
$identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
$adRights = "ReadProperty, ExtendedRight, GenericExecute"
$type = "Allow"

$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type)
$NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE)
$NewTempl.psbase.commitchanges()

# Full control for the domain admin account that manages the template
$AdObj = New-Object System.Security.Principal.NTAccount("deploy\Administrator")
$identity = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
$adRights = "GenericAll"
$type = "Allow"

$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,$adRights,$type)
$NewTempl.psbase.ObjectSecurity.SetAccessRule($ACE)
$NewTempl.psbase.commitchanges()

sleep 5

# Restart the CA service so it re-reads the template list from AD
Stop-Service CertSvc

sleep 5

Start-Service CertSvc

sleep 5

Get-CATemplate

Add-CATemplate -Name 'deploy-WebServer' -Force
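An added example (not part of the original post) for the permission step of the script above: it grants the Enroll control-access right by its GUID rather than the unscoped ExtendedRight, and then lists every ACE that lets a principal enroll on the template. Because the script sets msPKI-Certificate-Name-Flag to 1, the requester supplies the subject name, so the set of principals holding Enroll is what decides who can obtain a Server Authentication certificate for a name of their choosing, and it is worth reviewing. The template name, the DN built from it, and the function names are assumptions; the Enroll and AutoEnroll GUIDs are the well-known values from the AD schema.

```powershell
# Added example, not the original poster's code.
# Assumed: the template object already exists at the DN built below and the
# caller has WriteDacl on it.

$TemplateName  = 'deploy-WebServer'   # assumed: the template created by the script above
$ConfigContext = ([ADSI]"LDAP://RootDSE").ConfigurationNamingContext
$Template      = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

# Well-known control-access-right GUIDs used on pKICertificateTemplate objects
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Grant-TemplateEnroll {
    # Grants Read + Enroll (what ticking "Enroll" in the Certificate Templates MMC does),
    # scoped to the Enroll GUID so Autoenroll is not granted as a side effect.
    param(
        [Parameter(Mandatory)] $Entry,             # System.DirectoryServices.DirectoryEntry
        [Parameter(Mandatory)] [string]$Principal, # e.g. 'Authenticated Users' or 'DOMAIN\Web Servers'
        [switch]$AutoEnroll
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])

    $readRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')
    $enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ExtendedRight, 'Allow', $EnrollGuid)

    # AddAccessRule merges with the ACEs already present for this SID;
    # SetAccessRule would replace them, which is why the second call above would wipe the first.
    [void]$Entry.psbase.ObjectSecurity.AddAccessRule($readRule)
    [void]$Entry.psbase.ObjectSecurity.AddAccessRule($enrollRule)
    if ($AutoEnroll) {
        $autoRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $ExtendedRight, 'Allow', $AutoEnrollGuid)
        [void]$Entry.psbase.ObjectSecurity.AddAccessRule($autoRule)
    }
    $Entry.psbase.CommitChanges()
}

function Get-TemplateEnrollers {
    # Lists Allow ACEs that carry the ExtendedRight bit and are either unscoped
    # (ObjectType empty: every extended right, which GenericAll also implies) or
    # scoped to Enroll/AutoEnroll. Inherited ACEs are included and flagged.
    param([Parameter(Mandatory)] $Entry)
    $Entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid)
        } |
        ForEach-Object {
            if     ($_.ObjectType -eq $EnrollGuid)     { $scope = 'Enroll' }
            elseif ($_.ObjectType -eq $AutoEnrollGuid) { $scope = 'AutoEnroll' }
            else                                       { $scope = 'all extended rights (unscoped)' }
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Scope     = $scope
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
}

Grant-TemplateEnroll -Entry $Template -Principal 'Authenticated Users'
Get-TemplateEnrollers -Entry $Template | Format-Table -AutoSize
```

Run the audit function on its own against any existing template to see which principals can enroll and whether they got the right through an unscoped ExtendedRight or GenericAll ACE rather than an explicit Enroll grant.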

Got it. I just had to wait. Credit goes here:

http://www.thomasmaurer.ch/2010/07/powershell-simple-retry-logic/

I added this to my script:

$TemplateDN = "CN=deploy-WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigContext"

# Enumerating Children issues a fresh LDAP query each time it is run
$templates = $ADSI | select -ExpandProperty Children

$templates.distinguishedName

if ($templates.distinguishedName -contains $TemplateDN) {
    Add-CATemplate -Name 'deploy-WebServer' -Force
}


$Stoploop = $false
[int]$Retrycount = 0
$MaxRetries = 30

do {
	try {
		# Re-read the container on every attempt; the snapshot taken above never changes,
		# and throwing here is what makes the retry loop actually retry
		$templates = $ADSI | select -ExpandProperty Children
		if ($templates.distinguishedName -notcontains $TemplateDN) {
			throw "Template $TemplateDN is not visible in AD yet"
		}
		# -ErrorAction Stop turns the cmdlet's error into a terminating one so catch sees it
		Add-CATemplate -Name 'deploy-WebServer' -Force -ErrorAction Stop

		Write-Host "Template Published Successfully"
		$Stoploop = $true
		}
	catch {
		if ($Retrycount -ge $MaxRetries){
			Write-Host "Could not Publish Template after $MaxRetries retries: $($_.Exception.Message)"
			$Stoploop = $true
		}
		else {
			Write-Host "Could not Publish Template, retrying in 30 seconds..."
			Start-Sleep -Seconds 30
			$Retrycount = $Retrycount + 1
		}
	}
}
While ($Stoploop -eq $false)
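An added example (not the original poster's code) that generalises the wait-then-publish approach from the answer above: it polls the directory for the template object with a fresh bind on every check, optionally against a named DC, skips the publish if Get-CATemplate already lists the template, and retries Add-CATemplate only on the "InvalidTemplate" error shown in the question, rethrowing anything else. The function names, the -Server parameter, and the timeouts are assumptions; Add-CATemplate, Get-CATemplate and the ADSI calls are the ones used on this page.

```powershell
# Added example, not the original poster's code.
# Assumed: the template object has already been created (as in the script above),
# the CA administration cmdlets are available, and if -Server is given it names a DC
# (for example the one the CA server itself talks to).

function Wait-CertificateTemplate {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [string]$Server,                  # assumed: DC to verify against; omit for a serverless bind
        [int]$TimeoutSeconds = 300,
        [int]$PollSeconds    = 10
    )
    $rootPath = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
    $configNc = ([ADSI]$rootPath).configurationNamingContext
    $dn       = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $path     = if ($Server) { "LDAP://$Server/$dn" } else { "LDAP://$dn" }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # DirectoryEntry::Exists binds fresh each call, so there is no cached object to go stale
        if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Publish-CATemplateWithRetry {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [string]$Server,
        [int]$MaxAttempts  = 10,
        [int]$RetrySeconds = 30
    )
    # Idempotent: nothing to do if the CA already offers the template
    if (Get-CATemplate | Where-Object { $_.Name -eq $Name }) {
        Write-Verbose "$Name is already published on this CA"
        return $true
    }
    if (-not (Wait-CertificateTemplate -Name $Name -Server $Server)) {
        throw "Template object $Name never became visible in the directory"
    }
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Add-CATemplate -Name $Name -Force -ErrorAction Stop
            return $true
        }
        catch {
            # FullyQualifiedErrorId "InvalidTemplate,..." is the failure quoted in the question:
            # the CA does not see the template yet. Anything else is a real error.
            if ($_.FullyQualifiedErrorId -notlike 'InvalidTemplate,*') { throw }
            Write-Warning "Attempt $attempt of $MaxAttempts failed: $($_.Exception.Message); retrying in $RetrySeconds s"
            Start-Sleep -Seconds $RetrySeconds
        }
    }
    return $false
}

Publish-CATemplateWithRetry -Name 'deploy-WebServer' -Verbose
```

Passing -Server lets the existence check be made against the same DC the CA reads from, which removes replication lag from the wait; the retry loop then only has to cover the CA's own view of the template list.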