The simplest method for maintaining PKI objects for cross-forest certificate enrollment is to run the PKISync.ps1 script in a scheduled task.
For best results the task should run frequently. Because PKI objects are not changed frequently, copying them to account forests once daily should work well in most environments.
For information on using scheduled tasks, see
Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events that indicate a change to PKI objects.
You must configure auditing on CAs for some AD CS events to be recorded in the event log.
Complete the following procedure on each CA you want to monitor.
To enable AD CS event auditing
1. Start an MMC console and add the Group Policy Object Editor for the local computer.
2. In the tree view, click Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. In the details pane, double-click Audit object access.
4. Click Success, then click OK.
5. Start the Certification Authority snap-in.
6. In the tree view, right-click your CA and click Properties.
7. Click the Auditing tab.
8. Click Change CA configuration and Change CA security settings, then click OK.
9. Restart the CA service by using the command sc stop certsvc && sc start certsvc.
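The same configuration, scripted for an elevated PowerShell session on the CA, as an added example rather than text from the original page or Microsoft's own tooling. It assumes the CA\AuditFilter bit values reported by certutil -getreg CA\AuditFilter (CERTSRV_AUDIT_CASECURITY = 0x10, CERTSRV_AUDIT_CONFIG = 0x40); verify them on your build before relying on the script.

```powershell
# Added example, not from the original page: enables the CA auditing that the
# procedure above configures by hand, and verifies the result.
# Assumptions: run elevated on the CA; the bit values below are as reported by
# "certutil -getreg CA\AuditFilter" and should be confirmed on your build.
$AUDIT_CASECURITY = 0x10   # "Change CA security settings" on the Auditing tab
$AUDIT_CONFIG     = 0x40   # "Change CA configuration" on the Auditing tab

function Get-CaAuditFilter {
    # Parse the current bitmask from certutil output; 0 if the value is unset.
    $out = & certutil.exe -getreg CA\AuditFilter 2>$null
    if (($out -join "`n") -match 'AuditFilter REG_DWORD = ([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    return 0
}

# Steps 1-4: the local audit policy must record successful object access, or
# the CA's audit events are never written to the Security log. "Certification
# Services" is the Object Access subcategory that carries AD CS events.
& auditpol.exe /set /subcategory:"Certification Services" /success:enable | Out-Null

# Steps 5-8: OR the two bits into the existing mask so other selections
# (for example "Issue and manage certificate requests") are preserved.
$current = Get-CaAuditFilter
$wanted  = $current -bor $AUDIT_CASECURITY -bor $AUDIT_CONFIG
if ($wanted -ne $current) {
    & certutil.exe -setreg CA\AuditFilter $wanted | Out-Null
    # Step 9: the CA reads AuditFilter at start-up, so restart the service.
    # Restart-Service waits for the stop to complete before starting again.
    Restart-Service -Name certsvc -Force
}

# Verification: both bits set and the CA is running again.
$final = Get-CaAuditFilter
$mask  = $AUDIT_CASECURITY -bor $AUDIT_CONFIG
$ok = (($final -band $mask) -eq $mask) -and
      ((Get-Service -Name certsvc).Status -eq 'Running')
"AuditFilter = 0x{0:X}; audit configured: {1}" -f $final, $ok
```

If the domain applies advanced audit policy (the "Audit: Force audit policy subcategory settings to override audit policy category settings" setting), the subcategory value set here is the one that takes effect, and a conflicting GPO will overwrite it at the next refresh.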
The following table lists events you can monitor.