Active Directory Certificate Services Cross-Forest Enrollment


Consolidating version 1 default certificate templates



For each version 1 default certificate you want to issue, complete the following procedure.

To consolidate version 1 default certificate templates




1. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.
2. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
3. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <ResourceForestName> -targetforest <AccountForestName> -type CA -cn <CASanitizedName> -f (the values in angle brackets are placeholders for your forest names and CA name). To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.
4. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <ResourceForestName> -targetforest <AccountForestName> -type Template -cn <TemplateName> -f.
5. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <ResourceForestName> -targetforest <AccountForestName> -type Oid -f.
6. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.

Copying PKI objects to account forests


Certificate enrollment objects in AD DS environments are stored in three containers, which must be copied from the resource forest to account forests to maintain consistency across all forests that are participating in cross-forest certificate enrollment. A Windows PowerShell script is provided for copying and managing the following PKI objects in AD DS:
Enrollment services
Certificate templates
OID
In cross-forest enrollment deployments described in this guide, the resource forest is the master copy of PKI objects. The PKI objects described in this section must be the same in all forests.
To maintain consistency across all forests, PKI objects in the resource forest should be copied to account forests frequently. Scripts and examples for automated copying are described in AD CS: Managing Cross-forest Certificate Enrollment.
You can use PKISync.ps1 during initial deployment and to keep resource and account forest PKI objects synchronized.
PKISync.ps1 copies objects in the source forest to the target forest. Objects in the source forest are not changed by script operations.
CA certificates are not copied by PKISync.ps1. When CA certificates are renewed, you must manually publish the CA certificates to account forests by using the commands described in Deploying AD CS for cross-forest certificate enrollment.
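The requirement that PKI objects be the same in all forests can be checked rather than assumed. The following PowerShell is an added example, not part of this guide and not PKISync.ps1; it reads the Configuration partition of both forests directly through LDAP, compares the certificate template and enrollment service objects that cross-forest enrollment depends on, and reports any attribute that differs or any object present in only one forest. The forest names are placeholders, and the script assumes a trust exists and that the caller can read the Configuration partition of both forests.

```powershell
# Added example, not part of the guide and not PKISync.ps1: report drift between
# the PKI objects in the resource forest (the master copy) and an account forest.
# Assumptions: a trust exists, the caller can read the Configuration partition of
# both forests, and the two forest names below are placeholders to replace.
param(
    [string]$ResourceForest = 'resource.example',  # placeholder
    [string]$AccountForest  = 'account.example'    # placeholder
)

# Attributes that must agree for a template or CA object to behave the same
# in every forest participating in cross-forest enrollment.
$TemplateAttributes = @(
    'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version', 'revision',
    'msPKI-Template-Minor-Revision', 'pKIExtendedKeyUsage',
    'msPKI-Certificate-Application-Policy', 'msPKI-Enrollment-Flag',
    'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'msPKI-RA-Signature'
)
$EnrollmentServiceAttributes = @('dNSHostName', 'certificateTemplates', 'cACertificate')

function Get-PkiContainerObjects {
    param([string]$Forest, [string]$Container)
    # Find the forest's Configuration partition through RootDSE, then enumerate the
    # children of the requested Public Key Services subcontainer, keyed by CN.
    $rootDse  = [ADSI]"LDAP://$Forest/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $base     = [ADSI]"LDAP://$Forest/CN=$Container,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=*)')
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 500
    $objects = @{}
    foreach ($result in $searcher.FindAll()) {
        $objects[[string]$result.Properties['cn'][0]] = $result.Properties
    }
    return $objects
}

function Format-AttributeValue {
    param($Values)
    # Normalize absent, single-valued, multi-valued and binary attributes to one
    # comparable string; the order of a multi-valued attribute is not significant.
    if ($null -eq $Values -or $Values.Count -eq 0) { return '<absent>' }
    $strings = foreach ($v in $Values) {
        if ($v -is [byte[]]) { [BitConverter]::ToString($v) } else { [string]$v }
    }
    return (@($strings) | Sort-Object) -join ';'
}

function Compare-PkiContainer {
    param([string]$Container, [string[]]$Attributes)
    $source = Get-PkiContainerObjects -Forest $ResourceForest -Container $Container
    $target = Get-PkiContainerObjects -Forest $AccountForest  -Container $Container
    foreach ($cn in ($source.Keys | Sort-Object)) {
        if (-not $target.ContainsKey($cn)) {
            [pscustomobject]@{ Container=$Container; Object=$cn; Attribute='(object)'; Resource='present'; Account='missing' }
            continue
        }
        foreach ($attr in $Attributes) {
            $a = Format-AttributeValue $source[$cn][$attr]
            $b = Format-AttributeValue $target[$cn][$attr]
            if ($a -ne $b) {
                [pscustomobject]@{ Container=$Container; Object=$cn; Attribute=$attr; Resource=$a; Account=$b }
            }
        }
    }
    # Objects present only in the account forest are not mastered by the resource
    # forest and should be reviewed, since the resource forest is the master copy.
    foreach ($cn in ($target.Keys | Sort-Object)) {
        if (-not $source.ContainsKey($cn)) {
            [pscustomobject]@{ Container=$Container; Object=$cn; Attribute='(object)'; Resource='missing'; Account='present' }
        }
    }
}

$drift = @(Compare-PkiContainer -Container 'Certificate Templates' -Attributes $TemplateAttributes) +
         @(Compare-PkiContainer -Container 'Enrollment Services'  -Attributes $EnrollmentServiceAttributes)
if ($drift.Count -eq 0) {
    Write-Output "No drift: $AccountForest matches $ResourceForest."
} else {
    $drift | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled run can alert on drift
}
```

Run it after each PKISync.ps1 pass and on a schedule; a non-empty table means an account forest no longer matches the master copy and the copy steps should be repeated for the listed objects. The OID container can be compared the same way by calling Compare-PkiContainer with -Container 'OID' and the attribute list relevant to your OID objects.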
