Common problems and resolutions related to using AD CS for cross-forest certificate enrollment are described.
PKI object synchronization issues
If the PKI objects are not the same in all forests, a number of problems can occur during certificate enrollment. For example, domain members may receive errors indicating certificate template version number inconsistencies.
You must ensure that the same set of PKI objects and certificate templates exist in all forests and that the attribute values on each object are the same across forests.
To compare the objects in two forests, run PKISync.ps1 with -sourceforest and -targetforest set to the two forest names and add the -whatif switch, for example .\PKISync.ps1 -sourceforest <source forest> -targetforest <target forest> -whatif. With -whatif, the script lists the objects it would copy but copies nothing. Any object in that output that is not followed by the message "Object exists, use -f to overwrite" exists in the source forest but not in the target forest.
To display an object’s attribute values, use the DumpADObj.ps1 script included in this guide. See AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment.
To compare the attribute values of two objects in different forests, run DumpADObj.ps1 against each object and compare the two output files with a file-comparison tool such as WinDiff.exe (Compare-Object in Windows PowerShell also works). If WinDiff.exe is not included in the version of Windows you are using, see Windows XP Service Pack 2 Support Tools.
To display the PKI objects in AD DS, use certutil -viewstore followed by the LDAP URL of the container to display. The following commands display the CA certificate containers; run them in each forest and confirm that the same certificates appear in each container.

To view root CA certificates:
certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority"

To view enterprise CA certificates in the NTAuthCertificates container:
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate"

To view enterprise CA certificates in the AIA container:
certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority"
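The following PowerShell script is an added example for this section; it is not PKISync.ps1 or DumpADObj.ps1 from this guide. It performs the comparison described above in one read-only pass: it enumerates every object under CN=Public Key Services in the Configuration partition of two forests, reports objects that exist in the source forest but are missing from the target, and lists every attribute whose value differs, including the cACertificate values held in the Certification Authorities, NTAuthCertificates and AIA containers. The forest names in the usage comment are placeholders, and the script assumes the caller can read the Configuration partition of both forests (through a trust or the optional credential).

```powershell
# Compare-PkiContainers.ps1 (added example; not part of this guide's scripts)
# Read-only comparison of the Public Key Services container of two forests.
# Requires .NET System.DirectoryServices, present on every Windows client/server.

# Attributes that are forest-specific or system-maintained and would always differ.
# The security descriptor is excluded; permissions are reviewed separately from content.
$IgnoredAttributes = @(
    'adspath', 'distinguishedname', 'objectcategory', 'objectguid',
    'whencreated', 'whenchanged', 'usncreated', 'usnchanged',
    'dscorepropagationdata', 'instancetype', 'ntsecuritydescriptor'
)

function New-DirectoryEntry {
    # Binds to an LDAP path, with explicit credentials when the target forest is not trusted.
    param([string] $Path, [System.Management.Automation.PSCredential] $Credential)
    if ($Credential) {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path,
            $Credential.UserName, $Credential.GetNetworkCredential().Password
    } else {
        New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $Path
    }
}

function ConvertTo-Comparable {
    # Flattens an attribute's values into one sorted string so that two forests can be diffed.
    # Binary values (cACertificate, pKIKeyUsage, pKIExpirationPeriod, ...) are replaced by
    # a SHA-256 hash of the raw bytes so they stay printable.
    param($Values)
    $parts = foreach ($v in $Values) {
        if ($v -is [byte[]]) {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            try     { 'sha256:' + ([System.BitConverter]::ToString($sha.ComputeHash($v)) -replace '-', '') }
            finally { $sha.Dispose() }
        } else {
            [string] $v
        }
    }
    return (@($parts) | Sort-Object) -join '|'
}

function Get-PkiObjects {
    # Returns a hashtable keyed by the DN relative to CN=Public Key Services (identical in
    # every forest), whose values are hashtables of attribute name -> comparable string.
    param([string] $Forest, [System.Management.Automation.PSCredential] $Credential)
    $rootDse  = New-DirectoryEntry -Path "LDAP://$Forest/RootDSE" -Credential $Credential
    $configNc = [string] $rootDse.Properties['configurationNamingContext'][0]
    $pkiDn    = "CN=Public Key Services,CN=Services,$configNc"
    $root     = New-DirectoryEntry -Path "LDAP://$Forest/$pkiDn" -Credential $Credential
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000          # page so large template sets are not cut off

    $objects = @{}
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $dn  = [string] $r.Properties['distinguishedname'][0]
            $rel = if ($dn -ieq $pkiDn) { '.' } else { $dn -ireplace (',' + [regex]::Escape($pkiDn) + '$'), '' }
            $attrs = @{}
            foreach ($name in $r.Properties.PropertyNames) {
                if ($IgnoredAttributes -notcontains $name) {
                    $attrs[$name] = ConvertTo-Comparable $r.Properties[$name]
                }
            }
            $objects[$rel] = $attrs
        }
    } finally { $results.Dispose() }
    return $objects
}

function Compare-PkiForests {
    # Emits one record per missing object or differing attribute; no output means the
    # two forests hold the same PKI objects with the same attribute values.
    param(
        [Parameter(Mandatory)] [string] $SourceForest,
        [Parameter(Mandatory)] [string] $TargetForest,
        [System.Management.Automation.PSCredential] $TargetCredential
    )
    $src = Get-PkiObjects -Forest $SourceForest
    $tgt = Get-PkiObjects -Forest $TargetForest -Credential $TargetCredential

    foreach ($key in ($src.Keys | Sort-Object)) {
        if (-not $tgt.ContainsKey($key)) {
            [pscustomobject]@{ Object = $key; Attribute = '(object)'; Source = 'present'; Target = 'MISSING' }
            continue
        }
        $attrNames = @($src[$key].Keys) + @($tgt[$key].Keys) | Sort-Object -Unique
        foreach ($attr in $attrNames) {
            $sv = $src[$key][$attr]; $tv = $tgt[$key][$attr]
            if ($sv -ne $tv) {
                [pscustomobject]@{ Object = $key; Attribute = $attr; Source = $sv; Target = $tv }
            }
        }
    }
    foreach ($key in ($tgt.Keys | Sort-Object)) {        # objects that exist only in the target
        if (-not $src.ContainsKey($key)) {
            [pscustomobject]@{ Object = $key; Attribute = '(object)'; Source = 'MISSING'; Target = 'present' }
        }
    }
}

# Usage (placeholder forest names for this example):
# Compare-PkiForests -SourceForest corp.example.com -TargetForest partner.example.com |
#     Export-Csv .\pki-diff.csv -NoTypeInformation
```

Objects reported as MISSING in the target forest are the ones PKISync.ps1 copies; rows that show the same object with differing values, for example revision or msPKI-Template-Minor-Revision on a template under CN=Certificate Templates, are the mismatches behind the template version errors described above and are resolved by re-running PKISync.ps1 with -f to overwrite the target copy. Because binary values are shown as hashes, use Format-List or the CSV output rather than Format-Table when a cACertificate value differs, then inspect the certificate itself with certutil -viewstore.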