Because default certificate templates have the same names in all forests, the simplest approach to consolidating version 2 and version 3 default certificate templates from multiple forests is to use the default certificate templates in the resource forest and stop issuing certificates based on the default templates in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose in a user’s profile might result in a user prompt for certificate selection which could cause increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest.
Alternatively, you can supersede existing certificates in account forests by creating new certificate templates in the resource forest and configuring them to supersede the certificate templates in all account forests. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time; however, AD CS resources in the account forests can be decommissioned immediately.
To consolidate version 2 and version 3 default certificate templates
1. Duplicate a version 2 or version 3 default certificate template, and customize if necessary. See Creating Certificate Templates.
2. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to Enterprise admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization’s security policy. See the Security Tab section of Extensions Tab.
3. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.
4. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.
5. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
6. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type CA -cn -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.
Note
If you are superseding certificate templates from account forests, repeat steps 6 through 9 for each account forest you copied certificate templates from in step 1.
7. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn -f.
8. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f.
9. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
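The following PowerShell script is an added example, not part of the original page, that drives steps 6 through 9 for several account forests at once, using only the PKISync.ps1 parameters shown in the procedure (-sourceforest, -targetforest, -type, -cn, -f). The forest names, template name and sanitized CA name are placeholders; the script assumes PKISync.ps1 is in the current directory and that the session has Enterprise Admins rights in every forest. For step 9 it substitutes certutil.exe -SetCATemplates for the Certification Authority snap-in the page describes; the -config target string is likewise a placeholder.

```powershell
# Added example (not from the original page): repeats steps 6-9 of the
# consolidation procedure for every account forest whose templates were
# duplicated in step 1. All names below are placeholders.
$ResourceForest = 'resource.example.com'                       # placeholder
$AccountForests = @('account1.example.com', 'account2.example.com')  # placeholders
$TemplateCN     = 'ConsolidatedUserCert'   # placeholder: CN of the template duplicated in step 1
$CASanitizedCN  = 'Resource-Issuing-CA'    # placeholder: sanitized name shown by Certutil.exe on the CA (step 6)
$OldTemplateCN  = 'OldAccountForestUser'   # placeholder: account-forest template being retired (step 9)

# Placeholder CA targets for step 9, one per account forest: "CAHostFQDN\CA common name".
$AccountForestCAs = @{
    'account1.example.com' = 'ca1.account1.example.com\Account1-Issuing-CA'
    'account2.example.com' = 'ca2.account2.example.com\Account2-Issuing-CA'
}

foreach ($forest in $AccountForests) {
    Write-Host "Publishing resource-forest PKI objects to $forest"

    # Step 6: copy the enterprise CA object so clients in the account forest
    # can locate the resource-forest CA. -f overwrites an existing copy.
    .\PKISync.ps1 -sourceforest $ResourceForest -targetforest $forest -type CA -cn $CASanitizedCN -f

    # Step 7: copy the consolidated certificate template object.
    .\PKISync.ps1 -sourceforest $ResourceForest -targetforest $forest -type Template -cn $TemplateCN -f

    # Step 8: copy the OID container so the template's OIDs resolve in the account forest.
    .\PKISync.ps1 -sourceforest $ResourceForest -targetforest $forest -type Oid -f

    # Step 9: stop the account-forest CA from issuing the old template.
    # certutil -SetCATemplates with a leading "-" removes the template from the CA;
    # this replaces the snap-in steps in the procedure (assumption: same effect).
    $caConfig = $AccountForestCAs[$forest]
    certutil.exe -config $caConfig -SetCATemplates "-$OldTemplateCN"

    # Check: list the templates the account-forest CA still issues. The old
    # template should no longer appear; the consolidated one is issued only
    # by the resource-forest CA, so it should not appear here either.
    certutil.exe -config $caConfig -CATemplates
}
```

Run the script once per batch of account forests after steps 1 through 5 have been completed in the resource forest; the final certutil -CATemplates listing is the check that the old template has actually been withdrawn from each account-forest CA before that CA is decommissioned.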