Does certificate work in cross domain environment?

  • Question

  • Hello Guys,

    I have two domains, abc.local and xyz.local. In abc.local I have the AD Certificate Server installed, and I am using its certificates on many services in the same domain.

    Can I use the certificates from the same certificate server for the servers and services in xyz.local?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Wednesday, April 18, 2012 7:46 AM

Answers

  • Hi,

    If I understand your question, you want to enable cross forest enrollment.

    To enable cross forest enrollment, follow the steps mentioned at:

    http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

    Basically the entire procedure can be divided into four steps:

    1) Create a two way trust between the resource forest (the forest where ADCS is deployed) and the account forest.

    2) Configure the CA in the resource forest to support cross forest enrollment.

    3) Copy certificate templates.

    4) Copy PKI objects to account forest.

    All of the above steps are explained in detail in the link provided.

    Hope this link helps.

    Wednesday, April 18, 2012 1:30 PM

All replies

  • Are these domains members of the same forest? If not, both domains/forests must trust the CA root certificate, and both forests must be able to download the CRL files.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, April 18, 2012 8:42 AM
  • They are different AD forests, but I have a two way trust established.


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Wednesday, April 18, 2012 9:54 AM
  • Is it a transitive Forest trust?

    Brian

    Wednesday, April 18, 2012 12:09 PM
  • Forest trust doesn't matter, because PKI trust doesn't depend on AD trust. This means that in the second forest you should publish the root certificate to AD:

    certutil -dspublish -f path\file.crt RootCA

    Also make sure the CRL URLs are reachable from the second forest.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, April 18, 2012 12:10 PM
  • Hi Gargimitra,

    This is exactly what I was looking for.

    Thanks,

    Maqsood



    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Thursday, April 19, 2012 8:21 AM
  • I have a similar question but the domains are in same forest. Do I still have to enable cross forest enrollment?

    Thanks


    Kris

    Wednesday, August 19, 2015 11:45 AM
  • No. There is no need for cross-forest enrollment when only a single forest exists.

    Brian

    Wednesday, August 19, 2015 11:48 AM
  • Thanks Brian for your quick response. To make sure I don't run into issues after setting up the PKI, my scenario is as follows. I have a parent domain, say parent, and child domains at the same level: child1, child2 and child3. If I install AD CS on a server in domain child1, should I be concerned about any issues in certificate issuance to systems and users in the child2 and child3 domains?



    Kris

    Wednesday, August 19, 2015 12:04 PM
  • As long as you modify the permissions on the certificate template to allow global groups from the child domains and root domain to Read and Enroll certificates, it will work fine.

    Typically, you will create Universal groups in a single domain and assign Read and Enroll perms (and sometimes Autoenroll) to the universal groups. You then populate the universal groups with global groups from each domain (root and all child).

    Brian

    • Proposed as answer by Krisb10 Wednesday, August 19, 2015 1:01 PM
    Wednesday, August 19, 2015 12:58 PM
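One way to script the universal-group approach Brian describes, as an added example (not code from the thread): the group is created in the CA's domain, filled with global groups resolved in each child domain, and then granted Read, Enroll and optionally Autoenroll on the template object in the Configuration partition. Domain names, group names and the template name are placeholders.

```powershell
# Added example (not from the thread): grant a universal group Read + Enroll (optionally
# Autoenroll) on a certificate template, then populate it with global groups from each domain.
# Assumptions: domain names, group names and the template CN below are placeholders.
Import-Module ActiveDirectory

$configNc      = (Get-ADRootDSE).configurationNamingContext            # CN=Configuration,DC=...
$templateName  = 'CorpComputer'                                         # placeholder template CN
$groupName     = 'PKI-Computer-Enroll'                                  # placeholder universal group
$memberGroups  = @('Domain Computers@parent.local',
                   'Domain Computers@child1.parent.local')              # placeholder global groups
$withAutoenroll = $true

# 1. Universal group in the domain hosting the CA; its membership can span the whole forest.
$grp = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $grp) {
    $grp = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}

# 2. Add the global groups, resolving each one against its own domain.
foreach ($m in $memberGroups) {
    $name, $domain = $m -split '@'
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Server $domain
    Add-ADGroupMember -Identity $grp -Members $g
}

# 3. ACL on the template object (templates live in the Configuration partition, forest-wide).
$tplDn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl   = Get-Acl -Path "AD:\$tplDn"
$sid   = [System.Security.Principal.SecurityIdentifier]$grp.SID
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right
$read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$xr    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $read, $allow))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $xr, $allow, $enrollGuid))
if ($withAutoenroll) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, $xr, $allow, $autoenrollGuid))
}
Set-Acl -Path "AD:\$tplDn" -AclObject $acl
```

Run it as an Enterprise Admin (or a delegated template owner); the Enroll and Autoenroll GUIDs are the standard AD extended-right identifiers.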
  • We ran into a strange problem after migrating the CA to new infrastructure. We have migrated Domain Controller certificates to the new CA. Apparently the Domain Controller certificates were not automatically renewed when they were due. Upon investigation we found that the new Root CA is not trusted on the domain controllers.

    Another computer certificate template is configured, and most of the computers having rights have got the certificate. However, we find that the Domain Controllers have not got this certificate either.

    Did anyone encounter this kind of an issue? Are there any options we could try to identify the cause?


    Kris

    Wednesday, January 13, 2016 11:28 AM
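The two checks that the certutil -dspublish reply and the last post both come down to (is the root trusted on this machine, and can the machine fetch the CRL) can be run from the affected box with the script below. It is an added example, not code from the thread; the two file paths are placeholders for the root CA certificate and any certificate issued by that CA.

```powershell
# Added example (not from the thread): verify that a CA root is trusted on this machine and
# that the CRL distribution points in an issued certificate are reachable from here.
# Assumptions: both paths are placeholders for your own root CA .crt and an issued .cer file.
param(
    [string]$RootCertPath   = 'C:\pki\RootCA.crt',    # placeholder, assumed path
    [string]$IssuedCertPath = 'C:\pki\issued.cer'     # placeholder, assumed path
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

# 1. Is the root CA in the machine Trusted Root store? (certutil -dspublish ... RootCA publishes it
#    to AD; Group Policy then delivers it here. A DC that never picked it up fails autoenrollment.)
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted) { "Root CA '$($root.Subject)' is trusted (thumbprint $($root.Thumbprint))" }
else          { "Root CA '$($root.Subject)' is NOT in LocalMachine\Root" }

# 2. Pull the CRL Distribution Point URLs (OID 2.5.29.31) from an issued certificate and fetch each.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCertPath
$cdp = $issued.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { "No CRL Distribution Point extension in $IssuedCertPath"; return }
# Format() renders the extension as text with URL=... entries; LDAP CDPs are skipped here because
# a foreign forest cannot resolve them anyway, which is exactly why HTTP CDPs matter cross-forest.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "CRL reachable: $u (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    } catch {
        "CRL NOT reachable: $u -> $($_.Exception.Message)"
    }
}

# 3. Build the chain with online revocation checking, the same way a relying party would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($issued)) { "Chain builds cleanly with revocation checking" }
else { $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status) - $($_.StatusInformation)" } }
```

The same CDP/AIA fetch can be done from the command line with certutil -verify -urlfetch issued.cer, which is useful when comparing a DC that enrolled successfully with one that did not.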