One CA and Multiple Sites

  • Question

  • Hello,

    We have 1 Offline Root CA and our Enterprise CA that is serving multiple sites. I was wondering if it's possible to configure it to query different domain controllers when creating user certificates?

    The scenario we are seeing is:

    Site A - Contains CA Server

    Site B - Does not

    When a new user gets created in Site B (pointing to the Site B DC) and then logs on to a workstation in Site B, the certificate is not created because the object is not found. I've noticed the certificate will work once the object exists in Site A.

    Does the CA only query its local DCs, or is there a way to expand that? Or do we need to add an additional CA?

    Friday, February 17, 2017 3:55 PM

All replies

  • Are Site A and Site B in different forests? The Enterprise CA is deployed to the entire forest and thereby all the domains in that forest. If Site B is in a separate forest, then you may need to configure Cross Forest certification and trusts. How to go about it depends on what you want to accomplish.

    See this article and others like it:

    https://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx

    -bill

    Friday, February 17, 2017 4:18 PM
  • Yes, Site A and B are in the same forest. Site A and Site B have different domain controllers; would this make a difference?

    Friday, February 17, 2017 4:20 PM
  • Seems like your AD DS replication is delayed. You might want to test your replication latency - there are scripts for that: https://gallery.technet.microsoft.com/Testing-Active-Directory-94e61e3e

    If you have pretty reliable network connection between those sites, you may try to enable intersite change notification as described here: https://blogs.msdn.microsoft.com/canberrapfe/2012/03/25/active-directory-replication-change-notification-you/


    https://exchange12rocks.org | https://about.me/exchange12rocks

    Sunday, February 19, 2017 2:24 AM
  • Hi,

    >>Does the CA only query its local DCs? or is there a way to expand that? or do we need to add an additional CA?

    You need to publish the Root CA and Enterprise Sub CA to Site B. Let the clients in Site B know where the Root and Sub CA are. Such as:

    certutil -dspublish -f <root-ca-cert-filename.cer> RootCA

    certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA

    And please make sure you enable LDAP referral support on enterprise CAs:

    certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS

    Add enterprise CA computer accounts to Cert Publishers group in site B.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, February 20, 2017 4:03 AM
    Moderator
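    The three prerequisites in the reply above, plus the replication check suggested earlier in the thread, can be verified from an admin workstation with the AD PowerShell module before touching the CA. This is an added example, not code from the thread; the CA config string, CA computer account, sample user and domain are assumed placeholder values.

    ```powershell
    # Added example (not from the original thread). Verifies the CA prerequisites
    # described above and shows whether a Site B user object has replicated to
    # every DC in its domain. All values below are assumptions - replace them.
    $CaConfig   = 'CA01.corp.example\Corp Enterprise CA'  # "<CA host>\<CA name>"
    $CaComputer = 'CA01$'                                 # CA computer account (sAMAccountName)
    $SampleUser = 'newuser.siteb'                         # user just created in Site B
    $UserDomain = 'corp.example'                          # domain the user was created in

    Import-Module ActiveDirectory

    # 1. EDITF_ENABLELDAPREFERRALS (0x800) must be present in Policy\EditFlags on the CA.
    #    certutil lists each set flag by name, so a simple match is enough.
    $editFlags     = certutil -config $CaConfig -getreg Policy\EditFlags 2>&1 | Out-String
    $ldapReferrals = $editFlags -match 'EDITF_ENABLELDAPREFERRALS'
    "LDAP referral support enabled on CA : $ldapReferrals"

    # 2. The CA computer account must be in Cert Publishers of every domain whose
    #    users it enrols, otherwise it cannot write the issued cert to userCertificate.
    foreach ($domain in (Get-ADForest).Domains) {
        $members = Get-ADGroupMember -Identity 'Cert Publishers' -Server $domain -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        "Cert Publishers in $domain contains $CaComputer : $($members -contains $CaComputer)"
    }

    # 3. Replication convergence: ask each DC of the user's domain directly whether it
    #    already holds the new object. A DC in the CA's site answering MISSING is the
    #    "object not found" symptom from the question, i.e. replication latency.
    foreach ($dc in Get-ADDomainController -Filter * -Server $UserDomain) {
        try {
            $null  = Get-ADUser -Identity $SampleUser -Server $dc.HostName -ErrorAction Stop
            $state = 'present'
        } catch {
            $state = 'MISSING'
        }
        '{0,-32} site={1,-12} {2}' -f $dc.HostName, $dc.Site, $state
    }
    ```

    If check 1 reports false and you set the flag with the certutil -setreg command above, restart the Active Directory Certificate Services service on the CA for the change to take effect.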
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, February 22, 2017 9:00 AM
    Moderator