Two-way forest trusts between a resource forest and account forests.
One or more enterprise CAs running on Windows Server 2008 R2.
Domain member computers in all forests running the following operating systems:
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Resource forest is an AD DS forest in a multiforest environment that is designated to host enterprise CAs running on Windows Server 2008 R2 to enable certificate enrollment for domain members in all forests. The resource forest is considered the master copy of PKI objects stored across all forests.
Account forest is an AD DS forest with domain members that enroll for certificates from an enterprise CA in the resource forest.
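The prerequisites above (a two-way forest trust, an enterprise CA in the resource forest, and the resource forest holding the master copy of PKI objects) can be verified from an account forest before and after deployment. The following PowerShell script is an added example, not part of the original documentation or of any Microsoft tool; it assumes the ActiveDirectory RSAT module is installed, that the caller can read the Configuration partition of both forests, and that the server and forest names (foresta/forestb.contoso.example) are placeholders you replace with your own. It reads the trustedDomain object directly (trustDirection 3 = bidirectional, trustAttributes bit 0x8 = forest transitive) so it does not depend on Get-ADTrust, which is not in the 2008 R2 module.

```powershell
# Added example: prerequisite and drift checks for cross-forest AD CS enrollment.
# Not from the original article. Assumes the ActiveDirectory module and read
# access to the Configuration partition of both forests. Names are placeholders.
Import-Module ActiveDirectory

$ResourceForestDC   = 'dc1.foresta.contoso.example'   # assumption: a DC in the resource forest
$AccountForestDC    = 'dc1.forestb.contoso.example'   # assumption: a DC in an account forest
$ResourceForestName = 'foresta.contoso.example'       # assumption: DNS name of the resource forest

# Check 1: the account forest has a two-way, forest-transitive trust with the resource forest.
function Test-TwoWayForestTrust {
    param([string]$Server, [string]$PartnerForest)
    $domainDN = (Get-ADRootDSE -Server $Server).defaultNamingContext
    $trust = Get-ADObject -Server $Server -SearchBase "CN=System,$domainDN" `
        -LDAPFilter "(&(objectClass=trustedDomain)(name=$PartnerForest))" `
        -Properties trustDirection, trustAttributes
    if (-not $trust) { return $false }
    # trustDirection 3 = bidirectional; trustAttributes 0x8 = FOREST_TRANSITIVE
    return ($trust.trustDirection -eq 3) -and (($trust.trustAttributes -band 0x8) -ne 0)
}

# Check 2: enterprise CAs registered in the resource forest's Enrollment Services container.
function Get-EnterpriseCA {
    param([string]$Server)
    $configDN = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server `
        -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configDN" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, certificateTemplates
}

# Check 3: certificate templates in the account forest match the master copy in the
# resource forest (by name and revision). Any difference is drift to investigate.
function Compare-PkiTemplates {
    param([string]$MasterServer, [string]$ReplicaServer)
    $getTemplates = {
        param($s)
        $cfg = (Get-ADRootDSE -Server $s).configurationNamingContext
        Get-ADObject -Server $s `
            -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
            -LDAPFilter '(objectClass=pKICertificateTemplate)' `
            -Properties revision, 'msPKI-Template-Schema-Version' |
            Select-Object Name, revision, 'msPKI-Template-Schema-Version'
    }
    $master  = & $getTemplates $MasterServer
    $replica = & $getTemplates $ReplicaServer
    # SideIndicator "<=" : only in resource forest (missing from account forest)
    # SideIndicator "=>" : only in account forest (not in the master copy)
    Compare-Object -ReferenceObject $master -DifferenceObject $replica -Property Name, revision
}

$trustOk = Test-TwoWayForestTrust -Server $AccountForestDC -PartnerForest $ResourceForestName
Write-Host "Two-way forest trust from account forest to resource forest: $trustOk"

$cas = Get-EnterpriseCA -Server $ResourceForestDC
if (-not $cas) { Write-Warning 'No enterprise CA registered in the resource forest.' }
$cas | ForEach-Object { Write-Host "Enterprise CA '$($_.Name)' on $($_.dNSHostName)" }

$drift = Compare-PkiTemplates -MasterServer $ResourceForestDC -ReplicaServer $AccountForestDC
if ($drift) {
    Write-Warning 'Certificate template drift between resource and account forest:'
    $drift | Format-Table Name, revision, SideIndicator -AutoSize
} else {
    Write-Host 'Certificate templates in the account forest match the resource forest master copy.'
}
```

Run it with an account that can read both forests' Configuration partitions. A failed trust check or a non-empty drift table points at the two most common causes of cross-forest enrollment failures: a one-way or external (non-forest) trust, and templates in an account forest that were never copied from, or have diverged from, the resource forest.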
This section describes an example scenario for deploying AD CS for cross-forest enrollment in an enterprise that has little or no PKI.
Example scenario 1

Contoso, Ltd. is a large enterprise with multiple AD DS forests, as illustrated in Fig 1. They have not deployed AD CS because of the increased costs associated with deploying and managing a complete AD CS deployment in each forest.

Fig 1. Example multiforest deployment without AD CS

Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment, Contoso, Ltd. can deploy AD CS in one forest that enables certificate enrollment from domain members in all forests. Fig 2 illustrates a two-tier PKI in Forest A which allows domain members from all forests to enroll for certificates from the enterprise CA in Forest A.
Fig 2. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment
Consolidated AD CS deployments for cross-forest certificate enrollment