First, complete the procedure to save PKISync.ps1 to a file, as described in AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment. Next, complete the following procedure.
To copy PKI objects by using PKISync.ps1
1. Start Windows PowerShell.
2. Type .\PKISync.ps1 -sourceforest <source forest> -targetforest <target forest> [-f] and press ENTER. When copying from the resource forest, <source forest> is the DNS name of the resource forest and <target forest> is the DNS name of an account forest.
Warning: -f is an optional argument. When -f is used, objects in <target forest> are deleted and replaced by objects with the same name from <source forest>. When -f is not used, you are prompted to confirm before objects are deleted.
3. Repeat for each account forest.
The following table describes the support for using CA web enrollment with CAs in the resource forest that are configured for cross-forest certificate enrollment.
A goal of deploying cross-forest certificate enrollment is to reduce the number of CAs in an enterprise.
After certificate templates have been removed from a CA in an account forest, the CA can be decommissioned.
Complete the procedures described in section Removing a CA from Active Directory in CA Maintenance.
AD CS: Managing Cross-forest Certificate Enrollment
Because cross-forest certificate enrollment requires that PKI objects in all forests are the same, it is necessary to copy PKI objects from the resource forest to the account forests whenever PKI objects in the resource forest are changed.
You can perform this maintenance manually by completing the procedure described in Copying PKI objects to account forests.
However, because manual processes are prone to error and might not be completed regularly or whenever PKI objects change, it is recommended to use an automated process based on the PKISync.ps1 script and the examples provided in this guide.
Two examples of automation are described in this topic:
Using a scheduled task
Monitoring AD CS events
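As an added example that is not part of this guide or of PKISync.ps1 itself, the following wrapper script (hypothetical name Sync-PkiObjects.ps1) runs the copy procedure above once per account forest and can register itself as the scheduled task this topic refers to. It assumes PKISync.ps1 is saved beside it and accepts the -sourceforest, -targetforest and -f arguments described above; the log directory, task name and task account are assumptions.

```powershell
<#
  Added example, not part of the AD CS guide or of PKISync.ps1 itself.
  Sync-PkiObjects.ps1 (hypothetical name): copies PKI objects from the
  resource forest to each account forest with PKISync.ps1, and can register
  itself as a daily scheduled task. Assumes PKISync.ps1 sits in the same
  directory and accepts -sourceforest, -targetforest and -f as described above.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]   $ResourceForest,  # DNS name of the resource forest
    [Parameter(Mandatory)] [string[]] $AccountForests,  # DNS names of the account forests
    [string] $LogDirectory = "$env:ProgramData\PKISync\Logs",  # assumed location
    [switch] $RegisterTask                              # register instead of copying
)
$ErrorActionPreference = 'Stop'

if ($RegisterTask) {
    # Run once interactively. The task runs under an account that can write PKI
    # objects in every account forest; the account is prompted for, not hard-coded.
    $cred   = Get-Credential -Message 'Account with write access to PKI objects in all account forests'
    $argStr = '-NoProfile -ExecutionPolicy Bypass -Command "& ''{0}'' -ResourceForest {1} -AccountForests {2}"' -f `
              $PSCommandPath, $ResourceForest, ($AccountForests -join ',')
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $argStr
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Register-ScheduledTask -TaskName 'PKISync' -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null
    return
}

$pkiSync = Join-Path $PSScriptRoot 'PKISync.ps1'
if (-not (Test-Path $pkiSync)) { throw "PKISync.ps1 not found at $pkiSync" }
New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

$failed = @()
foreach ($target in $AccountForests) {
    $log = Join-Path $LogDirectory ('PKISync_{0}_{1:yyyyMMdd_HHmmss}.log' -f $target, (Get-Date))
    Start-Transcript -Path $log | Out-Null
    try {
        # -f is needed for unattended runs: without it PKISync.ps1 prompts before
        # deleting objects in the target forest, and a scheduled task cannot answer.
        & $pkiSync -sourceforest $ResourceForest -targetforest $target -f
    }
    catch {
        Write-Warning "Copy to $target failed: $_"
        $failed += $target
    }
    finally { Stop-Transcript | Out-Null }
}
# A non-zero exit code marks the run as failed in the Task Scheduler history.
if ($failed) { exit 1 }
```

Review the per-forest transcript after each run; a failed forest leaves its PKI objects out of sync with the resource forest until the copy succeeds.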