Review this entire guide and plan your deployment.
Test your deployment plan in a lab or other non-production environment.
Review this guide again with the test results and improve your plan before production deployment.
Complete the procedure to deploy and configure AD CS for both cross-forest scenarios: New AD CS deployments and Consolidated AD CS deployments.
To deploy and configure AD CS
1. Designate a resource forest. All other forests participating in cross-forest certificate enrollment are account forests. AD CS is deployed in the resource forest to provide certificate enrollment services to domain members in all account forests.
When consolidating AD CS deployments from multiple forests, you can designate an existing account forest as the resource forest. In many cases, the forest with the largest number of CAs is the best candidate for being designated a resource forest.
Alternatively, a resource forest can be used solely for management of account forests and hosting AD CS for cross-forest enrollment. Two-way trusts between the resource forest and each account forest are required but trust relationships between account forests are not required for cross-forest enrollment.
2. Create a two-way forest trust between the resource forest and account forests. See Create a two-way, forest trust for both sides of the trust.
Notes
If Selective Authentication is required for the forest trust, the following permissions are required:
Domain member computers and users in account forests must have Allow authenticate permissions to the enterprise CAs in the resource forest.
Enterprise CAs in the resource forest must have Allow authenticate permissions to the domain controllers in each account forest.
Administrators that run the scripts provided with this guide must have Allow authenticate permissions to the domain controllers in all forests. For example, if the scripts are run on a domain member computer in the resource forest, the administrator must have Allow authenticate permissions in each account forest.
3. Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA.
4. Install or upgrade one or more enterprise CAs running on Windows Server 2008 R2 in the resource forest.
Notes
Depending on your environment, the degree to which you are using existing PKI resources, and your level of experience with AD CS, the following references might be helpful for planning a new AD CS deployment or migrating existing AD CS deployments to Windows Server 2008 R2.
AD CS Advanced Lab Scenario
Active Directory Certificate Services Migration Guide
5. Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.
6. Add the enterprise CA computer accounts to the Cert Publishers group in each account forest. See example procedures at Add a member to a group. Restart the CA by using net stop certsvc && net start certsvc.
7. Configure authority information access and CRL distribution point locations. See Specify CA certificate access points in issued certificates. In addition to specifying the access point locations in certificate templates, you must ensure that the network locations specified in certificates are online and are accessible from domain members in all resource forests. The locations can be either LDAP or HTTP depending on your certificate template configuration. See Configuring Certificate Revocation.
8. Publish the root CA certificate from the resource forest to the account forests by using Certutil.exe at a command prompt to run the following commands:
a. certutil -config <ServerName>\<CAName> -ca.cert <CertificateFile>
If you run the command on the root CA, you can omit the connection information, -config <ServerName>\<CAName>.
b. certutil -dspublish -f <CertificateFile> RootCA
9. Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
a. certutil -config <ServerName>\<CAName> -ca.cert <CertificateFile>
b. certutil -dspublish -f <CertificateFile> NTAuthCA
c. certutil -dspublish -f <CertificateFile> SubCA
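The following PowerShell script is an added example, not part of this guide or of any Microsoft tooling. It strings together steps 5, 8 and 9 above (enabling LDAP referrals on the enterprise CA, exporting the root and enterprise CA certificates, and publishing them into each account forest) and then adds the check an administrator would want afterwards: it reads the NTAuthCertificates object in each account forest over LDAP and confirms the enterprise CA certificate is actually there. All host names, CA names and paths are constructed placeholders; the use of certutil's -dc option to target an account-forest domain controller instead of running the commands on a member of that forest is an assumption, as is PowerShell 5 or later for the [X509Certificate2]::new() syntax.

```powershell
# Added example (not from the guide). Publishes resource-forest CA certificates
# into each account forest and verifies the NTAuthCertificates container.
# Run as an administrator with Allow authenticate rights in every forest.

$RootCaConfig       = 'rootca.resource.example\Resource Root CA'     # constructed placeholder
$EnterpriseCaConfig = 'ca01.resource.example\Resource Issuing CA'     # constructed placeholder
$AccountForestDCs   = @('dc1.corp-a.example', 'dc1.corp-b.example')   # constructed placeholders
$WorkDir            = Join-Path $env:TEMP 'xforest-pki'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function Enable-LdapReferrals {
    # Step 5: run locally on the enterprise CA, then restart the service so the flag takes effect.
    & certutil.exe -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed' }
    & net.exe stop certsvc | Out-Null
    & net.exe start certsvc | Out-Null
}

function Export-CaCert {
    # Steps 8a / 9a: "certutil -config <ServerName>\<CAName> -ca.cert <CertificateFile>".
    # Returns the SHA-1 thumbprint of the exported certificate for later comparison.
    param([string]$Config, [string]$OutFile)
    & certutil.exe -config $Config -ca.cert $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed for $Config" }
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile).Thumbprint
}

function Publish-CaCert {
    # Steps 8b / 9b / 9c: "certutil -dspublish -f <CertificateFile> <Container>".
    # Assumption: -dc <DCName> directs the publish at a domain controller of the account forest.
    param([string]$Dc, [string]$File, [string]$Container)
    & certutil.exe -dc $Dc -dspublish -f $File $Container | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dspublish $Container to $Dc failed" }
}

function Get-NtAuthThumbprints {
    # Verification: read every cACertificate value stored on
    # CN=NTAuthCertificates,CN=Public Key Services,CN=Services,<configuration NC>
    # in the forest served by $Dc and return the thumbprints.
    param([string]$Dc)
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $configNc = $rootDse.Get('configurationNamingContext')
    $ntAuth   = [ADSI]"LDAP://$Dc/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($raw in $ntAuth.Properties['cACertificate']) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw).Thumbprint
    }
}

# --- main flow -------------------------------------------------------------
Enable-LdapReferrals   # only meaningful when this script runs on the enterprise CA itself

$rootFile = Join-Path $WorkDir 'rootca.cer'
$subFile  = Join-Path $WorkDir 'issuingca.cer'
$rootTp   = Export-CaCert -Config $RootCaConfig       -OutFile $rootFile
$subTp    = Export-CaCert -Config $EnterpriseCaConfig -OutFile $subFile

foreach ($dc in $AccountForestDCs) {
    Publish-CaCert -Dc $dc -File $rootFile -Container RootCA    # step 8b: trusted root store
    Publish-CaCert -Dc $dc -File $subFile  -Container NTAuthCA  # step 9b: NTAuthCertificates
    Publish-CaCert -Dc $dc -File $subFile  -Container SubCA     # step 9c: AIA container

    $present = @(Get-NtAuthThumbprints -Dc $dc)
    if ($present -contains $subTp) {
        Write-Host "OK: $EnterpriseCaConfig ($subTp) is listed in NTAuthCertificates via $dc"
    } else {
        Write-Warning "MISSING: $EnterpriseCaConfig not in NTAuthCertificates via $dc. Replication may be pending or the publish failed."
    }
}
```

The thumbprint comparison is the part worth keeping even if you publish by hand: a CA that is not present in NTAuthCertificates of an account forest will not be trusted for logon-type certificates there, and the symptom (enrollment or smart card logon failing in only one forest) is otherwise hard to trace. Run the check again after the guide's step 7 if you change AIA or CDP locations, and remember that step 6 (Cert Publishers membership) is not covered by this script.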
Next, you must prepare certificate templates for the certificates required by domain member computers and users in all forests.
If you are performing a new AD CS deployment, the default certificate templates in the resource forest can be used or custom templates can be created to meet your requirements.
Review the list of Default certificate templates.
Creating custom certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information,
To use the default certificate templates in the resource forest, skip the section on Consolidating certificate templates and continue at Copying PKI objects to account forests.
To customize the default certificate templates, see Creating Certificate Templates. Continue at Copying PKI objects to account forests after you are finished customizing the certificate templates in the resource forest.
If you are consolidating AD CS from multiple forests that have custom certificate templates which you must continue to use, then review the next section, Consolidating certificate templates from multiple forests, and complete the procedures that best meet your requirements.