Cross Forest Certificate Authority


Microsoft's position is correct, but needs a clarification: generally you need to deploy a separate CA server for each *forest*. For example, you don't need to deploy a separate CA in the corp.domain1.com domain.

Eventually, there are two supported solutions:

  1. Like Microsoft said, you have to deploy a separate CA in each acquired AD forest. In this case, each CA there is a separate authority and can issue certificates only to the respective forest's clients.

  2. By having Windows Server 2008 R2 (or newer) as a CA in the parent forest, you can establish cross-forest certificate enrollment: AD CS: Deploying Cross-forest Certificate Enrollment. This requires a two-way trust between forests. This will allow you to use the CA server that is located in the parent forest to deploy certificates to all trusted forest clients.

Either option requires some administrative effort. But if you are going to migrate acquired forests to the parent forest, or manage them centrally, I would go with option 2. Otherwise, if each forest will have its own dedicated IT personnel, option 1 would be more suitable.

Also, I would like to recall that there are Enrollment Web Services, which simplify the certificate enrollment process across forests. You don't even need to perform AD PKI object synchronization, because clients will use CEP/CES servers for enrollment purposes.
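The following PowerShell is an added example and is not part of the answer above or of any Microsoft documentation. It runs on a machine joined to the parent forest and checks the two prerequisites the answer names for option 2 (a two-way, forest-transitive trust and a reachable issuing CA), then points the machine at a CEP server so that enrollment does not depend on AD PKI objects being synchronized into the acquired forest. The forest names, the CA config string `subca.domain1.com\Domain1-SubCA` and the CEP URL `https://cep.domain1.com/...` are assumed placeholders; the cmdlets are from the ActiveDirectory and PKI modules.

```powershell
# Added example, not the original answer's code.
# Assumed names (replace with your own):
#   parent forest      : domain1.com  (this machine is joined here)
#   acquired forest    : domain2.com
#   issuing CA config  : subca.domain1.com\Domain1-SubCA
#   CEP endpoint       : Kerberos-authenticated CEP on cep.domain1.com
Import-Module ActiveDirectory
Import-Module PKI

$AcquiredForest = 'domain2.com'
$CaConfig       = 'subca.domain1.com\Domain1-SubCA'   # assumed "host\CA name"
$CepUrl         = 'https://cep.domain1.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'  # assumed

# 1. Cross-forest enrollment (option 2) requires a two-way forest trust.
#    Direction must be BiDirectional and the trust must be forest-transitive.
$trust = Get-ADTrust -Filter { Target -eq $AcquiredForest } -ErrorAction Stop
if (-not $trust) {
    throw "No trust with $AcquiredForest found; option 2 is not available."
}
if ($trust.Direction -ne 'BiDirectional' -or -not $trust.ForestTransitive) {
    Write-Warning ("Trust to {0}: Direction={1}, ForestTransitive={2}. " +
                   "A two-way forest trust is required for cross-forest enrollment." -f
                   $AcquiredForest, $trust.Direction, $trust.ForestTransitive)
} else {
    Write-Host "Two-way forest trust with $AcquiredForest is in place."
}

# 2. Confirm the issuing CA in the parent forest answers from this host.
#    certutil -ping uses the CA's DCOM interface; a non-zero exit code means
#    the CA is unreachable or the caller is not authorised.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Issuing CA $CaConfig did not respond (certutil exit code $LASTEXITCODE)."
}
Write-Host "Issuing CA $CaConfig is reachable."

# 3. Register the CEP server for the machine context. With CEP/CES the client
#    fetches templates from the policy server over HTTPS, so the acquired forest
#    does not need the parent forest's PKI objects copied into its AD.
#    -RequireStrongValidation refuses the policy server unless its TLS chain
#    validates; -AutoEnrollmentEnabled lets the autoenrollment task use it.
Add-CertificateEnrollmentPolicyServer -Url $CepUrl -Context Machine `
    -AutoEnrollmentEnabled -RequireStrongValidation -NoClobber

# 4. List the policy servers now configured for this machine, so the new
#    entry can be checked against the URL above.
Get-CertificateEnrollmentPolicyServer -Scope Configured -Context Machine |
    Select-Object Url, AuthenticationType, AutoEnrollmentEnabled
```

When the same steps are run on a domain controller in the acquired forest (the LDAPS case from the question), that host must already trust the parent forest's root CA certificate (for example distributed by Group Policy), otherwise step 3 fails its chain validation and any certificate it later receives is not trusted by clients.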




Matthew Dartez

Software and Systems Engineer

Updated on September 18, 2022

Comments

  • Matthew Dartez, almost 2 years

    Looking for help on material for setting up a multi-tiered/cross-forest PKI infrastructure. The only articles I can come across are just setting up the basic two-tier systems on one domain.

    Basically we have a management domain (we buy companies every year it seems, so we have this to help the consolidation process along). Let's call this domain1.com. We successfully set up a CA in domain1.com in two-tier format (offline root with online enterprise subca).

    subca.domain1.com

    Right now I am not sure how to get the new domain coming in, domain2.com, to get certs from the domain1.com subca. Microsoft said that I need to create a subca for each different domain that ties back to domain1.com.

    subca.domain2.com

    Does this sound right? How do I configure subca.domain2.com to publish certs to the domain2.com domain controllers when the root authority is in domain1? The end deliverable is to start doing LDAPS in domain2.com. Thanks to anyone who can point me in the right direction...