AD Cross Forests Certificate Request for SCCM IBCM functionality

Hi All,

I am referring to the TechNet articles below to create the certificate templates required for IBCM in SCCM 2012 SP1.

https://technet.microsoft.com/en-us/library/gg682023.aspx

https://technet.microsoft.com/en-in/library/bb694035.aspx

Let me describe my scenario:

I have two AD forests, ABINDIA.COM and ABCINFRA.COM. A two-way trust exists between the two forests.

The SCCM 2012 SP1 Primary Site Server is installed in the ABCINFRA.COM domain / forest. The SCCM server is managing clients in the ABINDIA.COM domain / forest. The SCCM Site Server is on Windows Server 2008 R2.

The Windows CA server is installed in the ABINDIA.COM domain and it is on the Windows Server 2003 OS.

I need to provide an IBCM solution for the existing SCCM hierarchy. The IBCM Site Server will be on Windows Server 2012 RTM and will be in the ABCINFRA.COM domain. Hence, referring to the articles mentioned above, I need clarification on the points below:

1. Can the SCCM 2012 SP1 Primary Site Server and the IBCM Site Server request certificates from a Windows CA server which is in a different forest and on the Windows Server 2003 OS?

2. If yes, how can I publish the templates created on the ABINDIA.COM domain CA server to ABCINFRA.COM domain member servers so that they can request certificates across forests?

3. The managed clients will be in the ABINDIA.COM domain and, as per my understanding, there will not be any issue requesting certificates from a CA server which is in the same domain. However, can the IBCM Site Server authenticate the ABINDIA.COM client computer based on the client computer certificate?

Thanks & regards,

Kedar

January 30th, 2015 3:00pm

Hi Kedar,

As far as I know, we can use Certificate Enrollment Web Services to request certificates from another forest when there is no forest trust in place. It would surely work with a two-way trust in your case.

AD CS: Deploying Cross-forest Certificate Enrollment

https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

I will try to test if I can request certificates across forests without Certificate Enrollment Web Services when I have the time.

Best Regards,
Amy

February 2nd, 2015 12:13pm

Hi Amy,

Looking into the link shared, it is applicable to a CA server with Windows Server 2008 R2.

In my environment, I have a CA server which is on the Windows Server 2003 OS. Hence I need clarification on this.

Thanks for replying.

February 2nd, 2015 12:48pm

No, Windows Server 2003 and Windows Server 2008 cannot be used in cross-forest environments. Only Windows Server 2008 R2 and newer.

February 3rd, 2015 4:25am

Hi Vadims,

Thanks for the clarification. I just had another thought on how to achieve this. Do let me know if this is feasible.

If I put a Windows Server 2008 R2 or newer Certification Authority server in the ABCINFRA.COM domain, can clients from the ABINDIA.COM domain request certificates from this CA server?

If yes, how can I achieve this?

February 3rd, 2015 4:57am

> ABCINFRA.COM domain, can clients from ABINDIA.COM domain request certificates from this CA server?

Yes. Refer to the cross-forest certificate enrollment guide.

February 3rd, 2015 6:55am
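As an added example (not code from this thread or from Microsoft's cross-forest enrollment guide), the PowerShell check below verifies the end state that guide produces: the certificate templates and the CA's Enrollment Services object published in the CA forest's Configuration partition must also exist in the other forest, or its clients cannot find the CA or the templates. The forest names follow Vadims' last reply (CA in ABCINFRA.COM, clients in ABINDIA.COM); the DN construction, PowerShell 3+, and read access to both Configuration partitions are assumptions.

```powershell
# Added example: compare PKI objects between two forests' Configuration partitions.
# Assumes PowerShell 3+ and an account that can read both partitions across the trust.
Add-Type -AssemblyName System.DirectoryServices

function Get-PkiObjects {
    param([string]$Forest)
    # Assumed: forest FQDN maps directly to its root DN (abindia.com -> DC=abindia,DC=com)
    $configDn = 'CN=Configuration,' + (($Forest.Split('.') | ForEach-Object { "DC=$_" }) -join ',')
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Forest/CN=Public Key Services,CN=Services,$configDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base)
    $s.Filter   = '(|(objectClass=pKICertificateTemplate)(objectClass=pKIEnrollmentService))'
    $s.PageSize = 500
    [void]$s.PropertiesToLoad.AddRange([string[]]@('cn', 'objectClass', 'certificateTemplates', 'dNSHostName'))
    foreach ($r in $s.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            Class     = [string](@($p['objectclass'])[-1])   # last value is the most specific class
            Name      = [string]$p['cn'][0]
            Host      = if ($p.Contains('dnshostname')) { [string]$p['dnshostname'][0] } else { '' }
            Templates = @($p['certificatetemplates'] | ForEach-Object { [string]$_ })  # templates the CA issues
        }
    }
}

function Compare-CrossForestPki {
    param([string]$CaForest, [string]$ResourceForest)
    $src = Get-PkiObjects -Forest $CaForest
    $dst = Get-PkiObjects -Forest $ResourceForest
    $dstTemplates = @($dst | Where-Object { $_.Class -eq 'pKICertificateTemplate' } | ForEach-Object { $_.Name })
    $dstCas       = @($dst | Where-Object { $_.Class -eq 'pKIEnrollmentService' }  | ForEach-Object { $_.Name })
    # Templates defined in the CA forest must have been copied into the resource forest.
    foreach ($t in ($src | Where-Object { $_.Class -eq 'pKICertificateTemplate' })) {
        if ($dstTemplates -notcontains $t.Name) { "Template '$($t.Name)' is not published in $ResourceForest" }
    }
    # The CA's Enrollment Services object must exist in the resource forest and list the same templates,
    # otherwise clients there never see the CA as an enrollment target for those templates.
    foreach ($ca in ($src | Where-Object { $_.Class -eq 'pKIEnrollmentService' })) {
        if ($dstCas -notcontains $ca.Name) { "CA '$($ca.Name)' ($($ca.Host)) has no Enrollment Services object in $ResourceForest"; continue }
        $peer = $dst | Where-Object { $_.Class -eq 'pKIEnrollmentService' -and $_.Name -eq $ca.Name } | Select-Object -First 1
        foreach ($t in $ca.Templates) {
            if ($peer.Templates -notcontains $t) { "CA '$($ca.Name)' in $ResourceForest does not list template '$t'" }
        }
    }
}

# Usage for the scenario in the thread: CA forest first, forest holding the clients second.
Compare-CrossForestPki -CaForest 'abcinfra.com' -ResourceForest 'abindia.com'
```

No output means every template and CA object in the CA forest is mirrored in the other forest; each line printed names one object that still has to be synchronised before clients there can enroll.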
