Active Directory Certificate Services Cross-Forest Enrollment
ADCS Cross Forest Enrollment

Example scenario 2

Contoso, Ltd is a global holding company that has implemented AD CS in a multiforest environment. Because of Contoso, Ltd’s corporate structure, one forest is deployed per subsidiary company. Because earlier versions of AD CS did not support cross-forest certificate enrollment, AD CS was deployed separately in each forest. A standalone root CA was deployed as the central trusted root for the PKI and for domain members in all forests. The enterprise CA certificates in each forest, and all certificates issued to domain members in all forests, have a certification path that ends at the trusted root CA certificate.



Fig 3. Example multiforest enterprise with per-forest AD CS deployment

With the availability of Windows Server 2008 R2, multiple per-forest AD CS deployments can be consolidated into a single AD CS deployment in which an enterprise CA in one forest (the resource forest) enrolls domain members in all forests. Cross-forest enrollment depends on a two-way forest trust between the resource forest and each account forest, because the CA must authenticate the requester and evaluate its enrollment permissions across that trust. By using fewer CAs, Contoso can lower total PKI management costs.





Fig 4. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment.

AD CS: Deploying Cross-forest Certificate Enrollment


This topic provides guidance and procedures for deploying CAs and configuring AD CS for cross-forest certificate enrollment in a multiforest environment. In this guide, the forest that hosts the enterprise CA is the resource forest; the forests whose users and computers enroll for certificates from that CA are the account forests.
To deploy AD CS for cross-forest certificate enrollment, complete the procedures in the following sections of this guide:
Deploying AD CS for cross-forest certificate enrollment describes procedures for deploying and configuring AD CS and PKI objects in AD DS. The procedures in this section are used for both deployment scenarios: a new deployment and the consolidation of existing per-forest deployments.
Consolidating certificate templates from multiple forests describes procedures for consolidating certificate templates from multiple per-forest AD CS deployments into a single PKI. Consolidation tasks are not required for new AD CS deployments.
Copying PKI objects to account forests describes procedures and scripts for copying PKI objects from AD DS in the resource forest to the account forests. These procedures are required for both new and consolidated deployments. After deployment, the same procedures are used to distribute new or changed certificate templates from the resource forest to the account forests, which is necessary to keep the PKI objects in all forests consistent: domain members discover templates and enrollment services in their own forest, so a template that exists only in the resource forest is invisible to clients in an account forest.
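The following PowerShell script is an added example of the kind of copy operation this section refers to. It is not the PKISync.ps1 script that accompanies the Microsoft guide, and the forest names resource.contoso.com and accounts.contoso.com are assumed placeholders. It reads the objects under CN=Public Key Services in the Configuration partition of the resource forest and creates or updates the corresponding objects in an account forest, deliberately leaving security descriptors out so that resource-forest SIDs are not carried across the trust unreviewed.

```powershell
# Added example (not the PKISync.ps1 script that ships with the Microsoft guide):
# copy PKI objects from the resource forest's Configuration partition to an
# account forest so that clients there see the same templates, OIDs and
# enrollment services. Forest names are assumed placeholders. Run it as an
# account with write access to the target Configuration partition, from a host
# that can reach a domain controller in both forests.
param(
    [string]$SourceForest = 'resource.contoso.com',  # assumed resource forest
    [string]$TargetForest = 'accounts.contoso.com',  # assumed account forest
    [switch]$DryRun                                  # report, but do not commit
)

# Containers under CN=Public Key Services that hold forest-wide PKI objects,
# with the object class each container is expected to contain. The single
# NTAuthCertificates object is not a container and is not handled here.
$pkiContainers = @(
    @{ Rdn = 'CN=Certificate Templates';    Class = 'pKICertificateTemplate' },
    @{ Rdn = 'CN=OID';                      Class = 'msPKI-Enterprise-Oid' },
    @{ Rdn = 'CN=Certification Authorities'; Class = 'certificationAuthority' },
    @{ Rdn = 'CN=Enrollment Services';      Class = 'pKIEnrollmentService' }
)
$servicesPath = 'CN=Public Key Services,CN=Services'

# System-maintained or directory-specific attributes that must never be copied
# verbatim between forests. nTSecurityDescriptor is excluded on purpose: it
# carries resource-forest SIDs, so permissions on the copies in the account
# forest are set deliberately afterwards rather than cloned.
$skipAttributes = @(
    'objectClass', 'cn', 'name', 'distinguishedName', 'objectGUID',
    'objectCategory', 'instanceType', 'whenCreated', 'whenChanged',
    'uSNCreated', 'uSNChanged', 'dSCorePropagationData', 'nTSecurityDescriptor'
)

function Get-ConfigurationNC {
    param([string]$Forest)
    # RootDSE exposes the DN of the forest's Configuration partition.
    $rootDse = [ADSI]"LDAP://$Forest/RootDSE"
    return [string]$rootDse.Properties['configurationNamingContext'].Value
}

function Copy-PkiObject {
    param(
        [System.DirectoryServices.DirectoryEntry]$Source,
        [System.DirectoryServices.DirectoryEntry]$TargetContainer,
        [string]$ExpectedClass
    )
    # Ignore anything that is not the class this container is supposed to hold.
    if ($Source.SchemaClassName -ne $ExpectedClass) { return }

    $cn = [string]$Source.Properties['cn'].Value
    $targetDn = "CN=$cn,$($TargetContainer.Properties['distinguishedName'].Value)"
    $targetPath = "LDAP://$TargetForest/$targetDn"   # $TargetForest from script scope

    if ([System.DirectoryServices.DirectoryEntry]::Exists($targetPath)) {
        $target = [ADSI]$targetPath
        $action = 'Update'
    } else {
        $target = $TargetContainer.Children.Add("CN=$cn", $ExpectedClass)
        $action = 'Create'
    }

    # Copy every attribute present on the source that is not excluded.
    # PropertyValueCollection.Value accepts a scalar or an array, so single-
    # and multi-valued attributes are handled the same way. Attributes that
    # exist only on the target are left untouched.
    foreach ($attr in $Source.Properties.PropertyNames) {
        if ($skipAttributes -contains $attr) { continue }
        $target.Properties[$attr].Value = $Source.Properties[$attr].Value
    }

    Write-Host "$action $targetDn"
    if (-not $DryRun) { $target.CommitChanges() }
}

$sourceNC = Get-ConfigurationNC -Forest $SourceForest
$targetNC = Get-ConfigurationNC -Forest $TargetForest

foreach ($c in $pkiContainers) {
    $sourceContainer = [ADSI]"LDAP://$SourceForest/$($c.Rdn),$servicesPath,$sourceNC"
    $targetContainer = [ADSI]"LDAP://$TargetForest/$($c.Rdn),$servicesPath,$targetNC"
    foreach ($entry in $sourceContainer.Children) {
        Copy-PkiObject -Source $entry -TargetContainer $targetContainer -ExpectedClass $c.Class
    }
}
```

Run it first with -DryRun to see which objects would be created or updated in the account forest, then without the switch to commit. Because the script does not copy security descriptors, review the enrollment permissions on the copied templates and on the CA afterwards: the copies exist so that account-forest clients can discover templates and the enrollment service, and the permissions that govern who may actually enroll must be set on purpose rather than inherited from the resource forest by accident.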
