diff --git a/ad-server-replication/tasks/main.yml b/ad-server-replication/tasks/main.yml
index 82a8c892c18407d31d89f986898521362d06a92c..d52f332b340e4bd0be44795b7c10aa2f06ea10fd 100644
--- a/ad-server-replication/tasks/main.yml
+++ b/ad-server-replication/tasks/main.yml
@@ -126,6 +126,19 @@
   tags:
     - ad-server
 
+- name: ensure that replication ssh private key exists
+  openssh_keypair:
+    path: /root/.ssh/id_replication
+    type: ed25519
+  delegate_to: "{{ ad_primary }}"
+  register: replication_keypair
+
+- name: ensure that replication ssh pubkey is in authorized_keys
+  authorized_key:
+    user: root
+    state: present
+    key: "{{ replication_keypair.public_key }}"
+
 - name: ensure we have a replication cronjob for sysvol
   template:
     src: replication-cron
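Review bot: The `authorized_key` task at the end of the hunk installs the primary's replication key into root's authorized_keys with no restriction, so the key grants an unrestricted root login on every host this play targets rather than only the sysvol sync it exists for. Since the key is only used by the cron-driven replication, it should be constrained, e.g. `key_options: 'from="{{ ad_primary }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'` (the `from=` value must be the address or resolvable name the primary actually connects from, which may differ from the inventory name); a `command=` forced to the replication command would tighten it further, but that command lives in the `replication-cron` template and is not visible in this hunk. If `ad_primary` is itself among the play's hosts, the key is also authorized on the primary for itself; `when: inventory_hostname != ad_primary` would avoid that, assuming both use the same naming. A short comment above the `authorized_key` task such as `# private key exists only on ad_primary; public half comes from the registered keypair` would help, since the delegation on the keypair task is easy to miss when reading this one.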