Active Directory Certificate Services Cross-Forest Enrollment


Consolidating certificate templates with similar purposes from multiple account forests


Instead of combining certificate templates from all account forests and managing redundant certificate templates (as described in the previous section), you can minimize the number of certificate templates in the resource forest by reviewing the certificate templates issued in each account forest based on cryptographic purpose and certificate template properties. Define a set of certificate templates for the resource forest that can replace all certificate templates in the account forests.
When consolidating certificate templates from multiple account forests into a single set of templates in the resource forest, two approaches are available.
1. Stop issuing certificates in account forests by removing all certificate templates from account forest CAs, and publish certificate templates in the resource forest for all certificate types required in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until the existing certificates issued by the account forest expire, two valid certificates for the same purpose are present in a user's certificate store, which might result in a user prompt for certificate selection and possibly increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest PKI until those certificates have expired.
2. Publish certificate templates in the resource forest which supersede certificate templates in account forests, and force immediate reenrollment. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time. However, AD CS resources in account forests can be decommissioned sooner.
The procedure "To consolidate certificate templates" below can be used for both approaches; the steps that apply only when superseding are noted as such.
Complete the procedure from a domain member computer that has access to both the resource and the account forests. Log on using an account with permissions to update AD objects in the resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions.
The procedure must be completed for each certificate template type you want to issue from the resource forest.

To consolidate certificate templates
1. Copy certificate templates from account forests by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn.
2. Copy the OID container from account forests by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f.
3. If you are superseding certificate templates from account forests, repeat steps 1 and 2 for all certificate templates in account forests that are superseded by the new certificate template in the resource forest.
4. Duplicate a certificate template you copied from an account forest, and customize if necessary. See Creating Certificate Templates.
5. Grant administrators permissions on the certificate template in the resource forest. Grant Full Control to the Enterprise Admins group, which is equivalent to the default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.
6. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.
7. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.
8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type CA -cn -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.
Note
If you are superseding certificate templates from account forests, repeat steps 9 through 12 for each account forest you copied certificate templates from in step 1.
10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn -f.
11. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f.
12. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
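Step 6 says the ACL copied from an account forest must be verified, and step 7 records superseded templates; the following PowerShell function is an added example (not code from the whitepaper or from PKISync.ps1) that reports every principal holding Enroll, AutoEnroll or Full Control on each template in a forest, flags principals the forest cannot resolve (typically SIDs carried over from an account forest), and lists what each template supersedes. It assumes the ActiveDirectory module is installed; the -ForestDns parameter is an assumption of this example.

```powershell
# Added example, not code from the whitepaper: audit enrollment permissions on all
# certificate templates in a forest after templates have been copied into it.
# Assumes the ActiveDirectory module; -ForestDns (assumed parameter) names the forest.
function Get-TemplateEnrollmentAcl {
    param([Parameter(Mandatory)][string]$ForestDns)
    Import-Module ActiveDirectory

    # Control-access right GUIDs of the two certificate-enrollment extended rights.
    $enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $extRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Templates live in the Configuration partition, so they are forest-wide.
    $configNc    = (Get-ADRootDSE -Server $ForestDns).configurationNamingContext
    $templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $templates = Get-ADObject -Server $ForestDns -SearchBase $templatesDn -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties nTSecurityDescriptor, 'msPKI-Supersede-Templates'

    foreach ($t in $templates) {
        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $right  = $null
            if (($rights -band $genericAll) -eq $genericAll) { $right = 'FullControl' }
            elseif (($rights -band $extRight) -eq $extRight) {
                # An empty ObjectType GUID grants every extended right, Enroll included.
                if     ($ace.ObjectType -eq $enrollGuid)     { $right = 'Enroll' }
                elseif ($ace.ObjectType -eq $autoEnrollGuid) { $right = 'AutoEnroll' }
                elseif ($ace.ObjectType -eq [guid]::Empty)   { $right = 'AllExtendedRights' }
            }
            if (-not $right) { continue }
            # A principal the forest cannot translate stays a raw SecurityIdentifier;
            # after a cross-forest copy that usually means an account-forest SID to review.
            $id = $ace.IdentityReference
            [pscustomobject]@{
                Template   = $t.Name
                Identity   = $id.Value
                Right      = $right
                Resolved   = ($id -isnot [System.Security.Principal.SecurityIdentifier])
                Supersedes = ($t.'msPKI-Supersede-Templates' -join ';')
            }
        }
    }
}

# Usage: list unresolved or broader-than-Enroll grants in the resource forest.
Get-TemplateEnrollmentAcl -ForestDns 'resource.example' |
    Where-Object { -not $_.Resolved -or $_.Right -ne 'Enroll' } | Format-Table -AutoSize
```

Run it against the resource forest after step 6 and again after step 7, and compare the Supersedes column with the superseded templates you configured.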
