IBCM across 5 Domains

  • Hey all.

    So we have a pretty unique scenario, but it can't be that unique. This is our layout.

    SCCM Primary Standalone in Domain A.
    Site Server deployed and talking in the DMZ, with MP, DP and SUP.

    CA currently on the SCCM server (yes, I know, it was supposed to be more of a test than anything). It is handing out certificates properly to Domain A computers. I've added the Domain A CA to the trusted root authorities of the other domains (B, C, D, E). I've added Domain Computers into the "Config Manager Auto enroll Certificate" and they automatically request and add certificates to all client computers. I deployed this via this article, and it worked well after running the PKISync.ps1 script.

    I have lots of logs, mostly all relating to the certificate not being valid for IBCM.DOMAINA.com. There is an article here that states that a CA is needed in each domain, which I thought I could get away with via a cross-forest trust (I have been able to issue certs for all domain computers in all domains), but it seems like only the domain certs are valid for the IBCM point.

    Any first hand information would be appreciated!

    Thanks, guys.

    Wednesday, July 17, 2013 4:31 AM


  • OK, so it does work.

    Things needed

    Get your CA working for your domain.

    Make sure 2 way trusts are working

    When adding domain\Domain Computers, also put in domain2\Domain Computers, domain3\Domain Computers, etc. on your autoenroll client computer cert.

    Publish your certs, and make sure it all works on your one domain.

    Use the PKISync tool to publish that cert into the new domains.

    Trust your CA from the other domains (add it to the Trusted Root Certification Authorities store via GPO for all domain computers).

    Add the autoenroll GPO to client computers.

    Keep checking your CA and watch it issue valid certs to other domains.

    Marked as answer by Glen020, Monday, July 22, 2013 12:46 AM
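The steps in the answer above can be verified from a client in one of the other domains (B through E) rather than waiting for the IBCM logs to complain. The following PowerShell script is an added example, not code from the thread, from Microsoft or from the PKISync tool: it checks that the Domain A CA is in the machine Trusted Root store, that autoenrollment issued a client-authentication cert from that CA, that the cert's chain (including revocation) builds, and then connects to the IBCM management point over TLS to show which server certificate it really presents and whether its name matches. `$CaSubject` is an assumed placeholder for your CA's subject DN; `IBCM.DOMAINA.com` is the host name from the original post; port 443 is an assumption.

```powershell
# Added example, not from the original thread or from Microsoft. Run elevated on a
# client in Domain B..E after the GPOs have applied. $CaSubject is a placeholder
# you must replace; IBCM.DOMAINA.com is the MP name from the post; 443 is assumed.
param(
    [string]$CaSubject = 'CN=DomainA-CA, DC=domaina, DC=com',  # assumption: your CA's subject DN
    [string]$MpFqdn    = 'IBCM.DOMAINA.com',
    [int]   $MpPort    = 443
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-RootTrust {
    # "Trust your CA from other domains": the CA cert has to be in the *machine*
    # Trusted Root store, which is where the GPO-imported cert lands.
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
    if ($root) { "OK   root trust: $($root.Thumbprint)" }
    else       { "FAIL root trust: '$CaSubject' not in LocalMachine\Root (GPO not applied? try gpupdate /force)" }
}

function Get-AutoenrolledClientCert {
    # "Add the autoenroll GPO to client computers": the ConfigMgr client needs a machine
    # cert issued by the CA, with a private key and the Client Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -eq $CaSubject -and $_.HasPrivateKey -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $ClientAuthOid)
    }
}

function Test-Chain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the chain with online revocation checking, as the MP's schannel will.
    # A cert can be issued by the CA and still fail here (CRL/AIA not reachable from
    # this domain, or the root missing), and that is what the IBCM logs then report.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) { "     chain: $($s.Status) - $($s.StatusInformation.Trim())" }
    if ($built) { "OK   chain builds: $($Cert.Subject) ($($Cert.Thumbprint))" }
    else        { "FAIL chain does not build: $($Cert.Subject)" }
}

function Test-MpServerCert {
    # "Certificate not valid for IBCM.DOMAINA.com" can also be the MP's own server cert:
    # its CN or SAN must carry the internet FQDN the clients connect to. The callback
    # deliberately accepts any cert so we can capture it and inspect it by hand.
    $tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, $MpPort)
    try {
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($MpFqdn)
        $srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }
        "     MP cert subject: $($srv.Subject)"
        "     MP cert issuer : $($srv.Issuer)"
        "     MP cert SAN    : $san"
        $nameOk = ($san -match [regex]::Escape($MpFqdn)) -or ($srv.Subject -match "CN=$([regex]::Escape($MpFqdn))")
        if ($nameOk) { "OK   MP cert names $MpFqdn" } else { "FAIL MP cert does not name $MpFqdn" }
        Test-Chain $srv
    } finally { $tcp.Close() }
}

Test-RootTrust
$clientCerts = @(Get-AutoenrolledClientCert)
if ($clientCerts.Count -eq 0) {
    "FAIL no client auth cert from '$CaSubject' in LocalMachine\My; forcing autoenrollment"
    certutil -pulse | Out-Null      # kicks the autoenrollment task; re-run this script afterwards
} else {
    $clientCerts | ForEach-Object { Test-Chain $_ }
}
Test-MpServerCert

# "Keep checking your CA": on the CA itself, list issued certs by requester so you can
# watch DOMAINB\HOST$ and friends appear, not only DOMAINA accounts:
#   certutil -view -restrict "Disposition=20" -out "RequesterName,CommonName,NotAfter"
```

If the root-trust or chain checks fail on a Domain B client while the same checks pass in Domain A, the problem is the trust or CRL reachability on the other side of the forest trust, not the CA; if only the MP probe fails, the server cert on the IBCM site system does not carry the internet FQDN and needs to be reissued with it.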