Contents

Copyright Information
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
    Technical requirements
    Terms used in this guide
    New AD CS deployments for cross-forest certificate enrollment
    Consolidated AD CS deployments for cross-forest certificate enrollment
AD CS: Deploying Cross-forest Certificate Enrollment
    Deploying AD CS for cross-forest certificate enrollment
    Consolidating certificate templates from multiple forests
        Copying account forest certificate templates into the resource forest
        Consolidating certificate templates with similar purposes from multiple account forests
        Consolidating version 2 and version 3 default certificate templates
        Consolidating version 1 default certificate templates
    Copying PKI objects to account forests
    Support for CA Web Enrollment
    Decommissioning CAs in account forests
AD CS: Managing Cross-forest Certificate Enrollment
    Using a scheduled task
    Monitoring AD CS events
    Using automation
AD CS: Troubleshooting Cross-forest Certificate Enrollment
    PKI object synchronization issues
    Public key containers or default certificate templates deleted
    Certutil connection errors when connecting to a CA
AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment
    Saving PKISync.ps1
    Subsection Heading
AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment
    Saving DumpADObj.ps1
Online Version
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
Guidance, procedures and scripts for configuring cross-forest certificate enrollment with Windows Server 2008 R2 in a multiforest environment.
Cross-forest enrollment enables enterprises to deploy a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests.
Enterprises with existing per-forest AD CS deployments can reduce the number of CAs by consolidating certificate templates from multiple forests into a single PKI that serves all forests.
Enterprises with multiforest environments and no PKI can deploy AD CS in one forest to provide enrollment services to all forests.