Cross-Forest Certificates
Hi,
What do Cross-Forest Certificates require:
FFL/DFL requirements?
Who can request a Certificate:
What should the Windows OS version be (Requester)? 2008 R2?
The Client OS Version? Windows 7 (Requester)?
Are there any dependencies on other forest-domain FFL/DFL?
September 19th, 2011 7:13am
All the details and minimum requirements are in the whitepaper
http://technet.microsoft.com/en-us/library/ff955845%28WS.10%29.aspx
- Two-way forest transitive trust is required
- Replication of key containers within the Configuration naming context is required to account forest from resource forest
- LDAP referrals must be enabled on the CA
- CA must be running Server 2008 R2
- Client must be running Windows XP SP3 or higher
- Selective trust can be used, but all accounts that require certificates (users and computers) must be enabled for cross-forest trust
Brian
September 19th, 2011 7:47am
Hi Brian,
But what does it require for DFL or FFL!?
Thanks :)
September 19th, 2011 8:24am
To achieve cross-forest trust, you need a Windows Server 2003 FFL. I would recommend the same for the domain.
If you are running higher, that is fine too.
Brian
September 19th, 2011 8:43am
But I need to have a Microsoft reference that exactly shows what the DFL and FFL should be!!
September 19th, 2011 8:45am
sigh...
Look at the cross-forest requirements in the paper and then look at the DFL and FFL levels required to enable cross-forest enrollment, and then you have my answer.
The papers for cross-forest enrollment do not address DFL and FFL directly. Windows 2003 FFL meets the requirements.
If you are unsure, please move to Windows Server 2008 R2 DFL and FFL.
Brian
September 19th, 2011 9:20am
I totally agree the papers do not address that anywhere :(
September 19th, 2011 9:28am
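Added example, not part of the original thread or the Microsoft whitepaper: a PowerShell check of the prerequisites listed in the replies above (Windows Server 2003 FFL, two-way forest transitive trust, selective authentication, LDAP referrals on the CA). It assumes PowerShell 3.0 or later and an ActiveDirectory module that includes `Get-ADTrust`; the function name, parameter names and the assumption that `certutil -getreg` lists only the flags that are set are this example's own.

```powershell
# Added example: report the cross-forest enrollment prerequisites named in this thread.
Import-Module ActiveDirectory

function Test-CrossForestPrereq {
    param(
        [Parameter(Mandatory = $true)] [string] $TrustedForest,  # DNS name of the other forest (placeholder)
        [string] $CAConfig                                       # optional "host\CA name" (placeholder)
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $minFfl = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    $minDfl = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain

    # A forest trust must exist, be bidirectional, and be forest transitive.
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
    $twoWay = $false; $selective = $null
    if ($trust) {
        $twoWay    = ($trust.Direction -eq 'BiDirectional') -and $trust.ForestTransitive
        $selective = $trust.SelectiveAuthentication
    }

    # LDAP referrals are a policy-module edit flag on the CA.
    # Assumption: certutil prints the flag name only when the flag is set.
    $certArgs = @()
    if ($CAConfig) { $certArgs += '-config', $CAConfig }
    $certArgs += '-getreg', 'Policy\EditFlags'
    $editFlags = & certutil.exe @certArgs 2>&1
    $referrals = [bool]($editFlags | Select-String -SimpleMatch 'EDITF_ENABLELDAPREFERRALS')

    [pscustomobject]@{
        ForestMode              = $forest.ForestMode
        ForestModeOk            = [int]$forest.ForestMode -ge [int]$minFfl
        DomainMode              = $domain.DomainMode
        DomainModeRecommended   = [int]$domain.DomainMode -ge [int]$minDfl
        TrustFound              = [bool]$trust
        TwoWayForestTransitive  = $twoWay
        # If true, every user and computer that needs certificates must be
        # enabled for the cross-forest trust (see the requirement list above).
        SelectiveAuthentication = $selective
        LdapReferralsOnCA       = $referrals
    }
}

# Usage (forest and CA names are placeholders):
# Test-CrossForestPrereq -TrustedForest 'account.example' -CAConfig 'ca01.resource.example\Resource-CA'
```

Run it once from each forest so that both sides of the trust and both functional levels are reported.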