Cross Forest Enrollment question

    Question

  • Hello, I have a couple of questions regarding Cross Forest Enrollment.

    I've set up an Enterprise Failover Cluster CA in Domain A.

    I want to deploy certificates to Domain B, which is a multi-domain forest. I copied the templates to Root-Domain-B_DC from Domain-A_CA.


    1. The DSConfigDN and DSDomainDN are configured for Domain A. Do I need to change this in the target forest, or even for each child domain in Domain B? When I copy my templates they will of course display the name of Domain A. Could this be an issue?

    2. What would be the best practice to deploy to all members in all domains? Do I create, for example, one user certificate for all domains, or should I deploy a separate user certificate for each domain? I would like to create one template for all domains, but I'm not sure if I'm missing something.



    • Edited by Kerm_IT Thursday, July 18, 2013 7:40 PM
    Tuesday, July 9, 2013 11:05 AM

Answers

All replies

  • Cross-forest Certificate Enrollment with Windows Server 2008 R2

    http://blogs.technet.com/b/pki/archive/2009/01/20/cross-forest-certificate-enrollment-with-windows-server-2008-r2-beta.aspx

    AD CS: Deploying Cross-forest Certificate Enrollment

    http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

    In addition see

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/1dcc0de9-0817-4d27-b956-e3b1bd925405/cross-forest-certificate-authority-cant-get-objects-into-enrollment-services-container

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja | Any ADDS Related Query;Post@http://aka.ms/addsforum | Any Security Related Query ;Post@http://aka.ms/adcsforum


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Tuesday, July 16, 2013 2:21 PM
  • Thanks, but I've read all these papers and couldn't find anything regarding multi-domain deployment. Maybe I missed it, but it also says that this is a part that cannot be covered.

    My problem is that I cannot autoenroll certificates for users, but I can for administrators & computers.

    I know that our domain users have restricted permissions (for example, no local administrator). So my guess is that I have to give permissions to users. But otherwise certificates for users are stored in the local profile, so they shouldn't need them.

    My other guess was that I have to set the crossRef object in the domain

    http://support.microsoft.com/kb/817872

    I have enabled LDAP referral for cross forest and I have seen one event regarding LDAP referral (have to look it up), and the scenario described above is similar to mine.

    I have set all the permissions for domain users on the templates container.

    When I check with the certutil command I can see autoenroll activated for the user.

    I've issued the template in the CA.

    Set all permissions on the template for user and admin.

    I can enroll and autoenroll with admin but not with user.




    • Edited by Kerm_IT Thursday, July 18, 2013 6:46 PM
    Thursday, July 18, 2013 6:36 PM
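The checks the poster above describes doing by hand (CA DSConfigDN/DSDomainDN, the LDAP-referral flag, the copied template, the template ACL for the user group, and the user-side autoenrollment policy) can be scripted so that the source and target forests are compared side by side. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft's documentation. The DC host names, the CA config string, the template name and the group name are assumptions and must be replaced; the extended-rights GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment are the well-known AD values, and the AEPolicy bit meanings are the documented ones for the "Certificate Services Client - Auto-Enrollment" policy.

```powershell
# Added example (not from the thread): cross-forest AD CS enrollment checks.
# Requires RSAT ActiveDirectory module; run on a machine that can reach both forests.
#Requires -Modules ActiveDirectory

$SourceDc    = 'dc01.domaina.example'                # assumption: a DC in the CA forest (Domain A)
$TargetDc    = 'rootdc00.domainb.example'            # assumption: root DC of the resource forest (Domain B)
$CaConfig    = 'ca01.domaina.example\DomainA-CA'     # assumption: CA config string "host\CA name"
$Template    = 'CrossForestUser'                     # assumption: cn of the template copied to Domain B
$TargetGroup = 'DOMAINB\PKI-User-Enrollees'          # assumption: group that should autoenroll

# Well-known extended-rights GUIDs on pKICertificateTemplate objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00de-a99e-97f8c0a17ad4'   # Certificate-AutoEnrollment

function Get-ConfigNC([string]$Server) {
    (Get-ADRootDSE -Server $Server).configurationNamingContext
}

function Get-TemplateContainer([string]$Server) {
    "CN=Certificate Templates,CN=Public Key Services,CN=Services,$(Get-ConfigNC $Server)"
}

# 1. Which forest does the CA read templates from, and is EDITF_ENABLELDAPREFERRALS set?
#    The CA keeps using its own forest (DSConfigDN of Domain A); the flag lets it chase
#    referrals for requesters whose objects live in the other forest.
function Show-CaDsSettings {
    foreach ($value in 'CA\DSConfigDN', 'CA\DSDomainDN', 'policy\EditFlags') {
        $out = certutil -config $CaConfig -getreg $value 2>&1
        # keep only the "name = value" line and any EDITF_* flag names certutil decodes
        $lines = $out | Where-Object { $_ -match '=|EDITF_' }
        "{0}`n{1}" -f $value, ($lines -join "`n")
    }
}

# 2. Was the template copied faithfully? Compare the attributes that decide enrollment
#    behaviour in both forests; a mismatch on the OID or flags means a different template.
function Compare-TemplateCopy {
    $attrs = 'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag',
             'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage',
             'revision', 'msPKI-Template-Minor-Revision'
    $objs = foreach ($dc in $SourceDc, $TargetDc) {
        Get-ADObject -Server $dc -SearchBase (Get-TemplateContainer $dc) `
                     -LDAPFilter "(cn=$Template)" -Properties $attrs
    }
    if (@($objs).Count -ne 2) { throw "Template '$Template' was not found in both forests" }
    foreach ($a in $attrs) {
        $src = (@($objs[0].$a) | Sort-Object) -join ','
        $dst = (@($objs[1].$a) | Sort-Object) -join ','
        [pscustomobject]@{ Attribute = $a; Source = $src; Target = $dst; Match = ($src -eq $dst) }
    }
}

# 3. Does the user group hold Read + Enroll + Autoenroll on the template in the TARGET forest?
#    Autoenrollment silently skips a template unless all three are granted.
function Test-TemplateEnrollAccess {
    $dn = "CN=$Template,$(Get-TemplateContainer $TargetDc)"
    if (-not (Get-PSDrive -Name TGT -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name TGT -PSProvider ActiveDirectory -Server $TargetDc -Root '' | Out-Null
    }
    $allow = (Get-Acl "TGT:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $TargetGroup -and $_.AccessControlType -eq 'Allow'
    }
    [pscustomobject]@{
        Template   = $dn
        Read       = [bool]($allow | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' })
        Enroll     = [bool]($allow | Where-Object { $_.ObjectType -eq $EnrollGuid })
        AutoEnroll = [bool]($allow | Where-Object { $_.ObjectType -eq $AutoEnrollGuid })
    }
}

# 4. On a client, logged on as the affected user: is the autoenrollment policy applied to the
#    user hive (not only HKLM), and what does the autoenrollment task log when pulsed?
function Test-ClientAutoEnrollPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$hive`:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        [pscustomobject]@{
            Scope    = $hive
            AEPolicy = $val                                   # 7 = enabled + renew/update + template check
            Enabled  = ($null -ne $val) -and (($val -band 1) -eq 1) -and (($val -band 0x8000) -eq 0)
        }
    }
    certutil -pulse | Out-Null                                # trigger autoenrollment for the current user
    Start-Sleep -Seconds 10
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Show-CaDsSettings
Compare-TemplateCopy | Format-Table -AutoSize
Test-TemplateEnrollAccess
Test-ClientAutoEnrollPolicy
```

Run sections 1 to 3 from an account that can read both configuration partitions, and section 4 separately on a Domain B workstation as the user who fails to autoenroll. The case in the thread (admin enrolls, plain user does not, computers enroll) is exactly what a missing user-scope AEPolicy or a missing Autoenroll right for the user group on the target-forest copy of the template looks like, so those two outputs are the first to read.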
  • How do you set the auto-enrollment for the users?

    Manage Certificate Enrollment Policy by Using Group Policy: http://technet.microsoft.com/en-us/library/dd851772.aspx

    Put that cert in the Trusted Root certificate store via GPO.

    Regards
    Biswajit Biswas



    • Marked as answer by Kerm_IT Friday, July 26, 2013 8:37 AM
    Tuesday, July 23, 2013 3:24 AM
  • I've thought about GPO too. I created one test GPO in my root domain and linked it to my sub domain. For testing I put user and computer in one.

    I tried not to put the root cert in my GPO because it also gets published when I run certutil -dspublish in my target root domain. I have checked the cert store and it is in my store even on clients that I haven't touched yet.

    I have created one group and given this group permissions on my GPO and template. I have put my admin and my test user in it. Admin gets his cert this way with autoenroll, but the user does not.

    So the GPO should work; computers are in this test GPO and receive their certificate.

    I've gone a step back and created a child domain in my test lab. Autoenroll is working fine for user and administrator in this child domain. I haven't even set all the permissions in ADSI Edit for all containers. It works with the default config.


    One thing I haven't mentioned is that we have a kind of messed up AD structure in the target forest.

    Our root DC00 is 2008

    Root DC01 & 02 and the rest of the child DCs are 2003

    Then we have one new root DC03 which is 2012. This is something I cannot reconstruct in my test lab.

    So my goal was to use Server 2012 for the CA.


    • Edited by Kerm_IT Wednesday, July 24, 2013 8:53 PM
    Tuesday, July 23, 2013 2:37 PM