Cross Forest Certificate Services
I am in the process of testing and eventually deploying CS for my Active Directory domain. The certs will only be used for securing communications between web servers and clients (probably only about 15-20 certs). My environment is such that we have two domains that have a two-way trust relationship. All user accounts reside in the domain where we plan on deploying CS. However, the other domain does have servers that are accessed for web services, SQL, etc. My question is this: if I set up the AD CS in the user account domain, will the certs be valid for the other trusted domain?

wjk
May 11th, 2012 8:25am

Hello,

For security questions, ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

However, you can see this article about cross-forest certificate enrollment: http://technet.microsoft.com/en-us/library/ff955845%28v=ws.10%29.aspx

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner 2010 / 2011; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows 7, Configuring; Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations; Microsoft Certified IT Professional: Enterprise Administrator; Microsoft Certified IT Professional: Server Administrator; Microsoft Certified Trainer
May 11th, 2012 8:35am

Hi,

According to your description, I think you are trying to set up cross-forest enrollment in a Windows 2008 environment, which is not possible. Cross-forest enrollment is a new feature introduced in Windows Server 2008 R2 onwards. This feature is not applicable for 2k8.

http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

The above link gives you a detailed idea about cross-forest enrollment.
May 11th, 2012 8:53am

Also, most docs that I have seen list Server 2008 R2 for setup. The two domains in my environment are Server 2008 (not R2). The plan is to set this up on a member server(s). If they are R2, will this be supported, or will they need to be 2008 (non-R2) only?

wjk
May 11th, 2012 8:56am


Yes, you can have CA services configured in one of the domains issue certs for both domains, and there is no necessity to configure a CA for both domains. You can refer to the CA design guidelines in the link below.

http://awinish.wordpress.com/2010/12/29/designing-and-implementing-a-pki/

Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 14th, 2012 2:08am
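The point behind the answer above is that a certificate is "valid" in the other domain only if the relying party there chains it to a root it trusts; domain membership of the CA is irrelevant. The following PowerShell check, added here and not part of the thread, is run on a web server in the trusted domain and reports, for each machine certificate issued by the CA in the other domain, whether the chain builds and whether the root is actually in this machine's Trusted Root store. "CN=Contoso Issuing CA" is a placeholder issuer name.

```powershell
# Added example (not from the thread): verify that certificates issued by the
# cross-forest enterprise CA are actually trusted on this member server.
# Placeholder issuer name; replace with the subject of your issuing CA.
$IssuerMatch = 'CN=Contoso Issuing CA'

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" }

if (-not $certs) {
    Write-Warning "No certificates issued by '$IssuerMatch' found in LocalMachine\My."
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation the way a TLS client would: online, root excluded.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $builds = $chain.Build($cert)

    # Last element of the chain is the root the OS resolved; confirm it lives in
    # the Trusted Root store (published via AD/GPO), not just in a cache.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainBuilds = $builds
        RootInStore = $rootTrusted
        Problems    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
    $chain.Reset()
}
```

If RootInStore comes back False in the trusted domain, the usual fix is to publish the root CA certificate into that forest's configuration container (for example with `certutil -dspublish -f RootCA.cer RootCA` run by an enterprise admin of that forest) or distribute it by Group Policy, then re-run the check.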

Hi,

Windows Server 2008 R2 adds a number of new features to Certificate Services. These features include:

Cross-Forest enrollment - Windows 2008 R2 supports cross-forest enrollment, which will allow a CA or multiple CAs in one forest to support clients in multiple forests.

Certificate Enrollment Web Service and Policy Service - Allows clients to enroll for certificates over web interfaces. This new capability allows clients to retrieve certificates even if they are not located on the same physical network as Active Directory and the CA. Clients query the Enrollment Policy Service to determine which certificates they should enroll for; the Enrollment Policy Service contacts Active Directory and responds to the client with CA and certificate template information. The client then queries the Enrollment Web Service to enroll for certificates. The Enrollment Web Service then contacts the CA on behalf of the client, and returns the enrolled certificates back to the client.

Non-persistent certificates (not stored in the CA database) - Certificate templates can be configured to not store certificates in the CA database. This is useful for CAs that issue certificates for network authentication, in which certificates have a lifetime of hours or days and the storage of the certificates in the database would impact CA performance unnecessarily.

Hope this helps!

Best Regards
Elytis Cheng
TechNet Community Support
May 16th, 2012 6:54am

