Cross Forest Certificate Services
I am in the process of testing and eventually deploying CS for my Active Directory domain. The certs will only be used for securing communications between web servers and clients (probably only about 15-20 certs). My environment is such that we have two domains that have a two-way trust relationship. All user accounts reside in the domain where we plan on deploying CS. However, the other domain does have servers that are accessed for web services, SQL, etc. My question is this - if I set up the AD/CS in the user account domain, will the certs be valid for the other trusted domain?
wjk
May 11th, 2012 8:25am
Hello,
For security questions, ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
However, you can see this article about Cross-forest certificate enrollment: http://technet.microsoft.com/en-us/library/ff955845%28v=ws.10%29.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 11th, 2012 8:35am
Hi,
According to your description, I think you are trying to set up cross-forest enrollment in a Windows 2008 environment, which is not possible.
Cross-forest enrollment is a new feature introduced in Windows Server 2008 R2 onwards. This feature is not applicable to 2k8.
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
The above link gives you a detailed idea about cross forest enrollment.
May 11th, 2012 8:53am
Also, most docs that I have seen list Server 2008 R2 for setup. The two domains in my environment are Server 2008 (not R2). The plan is to set this up on a member server(s). If they are R2, will this be supported or will they need to be 2008 (non-R2) only?
wjk
May 11th, 2012 8:56am
Yes, you can have the CA services configured in one of the domains issue certs for both domains; there is no need to configure a CA for both domains.
You can refer to the CA design guidelines in the link below.
http://awinish.wordpress.com/2010/12/29/designing-and-implementing-a-pki/
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.
May 14th, 2012 2:08am
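The answer above says a CA in one domain can issue for servers in the trusted domain, but "valid" in practice also depends on the other domain's machines trusting the issuing root and on the certificate naming the host clients will connect to. The following check is an added example, not code from the thread or from Microsoft; it runs on a server in the other domain against an exported certificate, and the path and hostname are placeholders.

```powershell
# Added example (not from the thread): on a server in the trusted domain, confirm that a
# certificate issued by the CA in the user-account domain chains to a root this machine
# trusts, that revocation checking can reach the CRL, and that the name matches.
# Assumptions: $CertPath is an exported .cer from the CA; $ExpectedHost is the FQDN
# clients will use. Both values are placeholders.
param(
    [string]$CertPath     = 'C:\temp\webserver.cer',      # placeholder path
    [string]$ExpectedHost = 'web01.other.example.local'   # placeholder hostname
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Build the chain with online revocation checking. A machine in the other domain only
#    trusts the root automatically if it was published there (Group Policy or the CA's
#    enterprise store via the trust); otherwise Build() fails with an untrusted-root status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chainOk = $chain.Build($cert)
if (-not $chainOk) {
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# 2. Is the top of the chain actually in LocalMachine\Root here?
$rootTrusted = $false
if ($chain.ChainElements.Count -gt 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
}

# 3. Does the subject CN or a SAN entry match the name clients will use? Issuance across the
#    trust does nothing for a cert whose name does not match the other domain's DNS name.
$names = @(($cert.Subject -replace '^.*CN=([^,]+).*$', '$1'))
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() } }

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    ChainBuilds = $chainOk
    RootTrusted = $rootTrusted
    NameMatches = ($names -contains $ExpectedHost)
}
```

If ChainBuilds is false with a revocation status, check that the CRL distribution point in the certificate is reachable from the other domain's network, since clients there will perform the same check.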
Hi,
Windows Server 2008 R2 adds a number of new features to Certificate Services.
These features include:
Cross-Forest enrollment - Windows 2008 R2 supports cross-forest enrollment, which allows a CA or multiple CAs in one forest to support clients in multiple forests.
Certificate Enrollment Web Service and Policy Service - Allows clients to enroll for certificates over web interfaces. This new capability allows clients to retrieve certificates even if they are not located on the same physical network as Active Directory and the CA. Clients query the Enrollment Policy Service to determine which certificates they should enroll for; the Enrollment Policy Service contacts Active Directory and responds to the client with CA and certificate template information. The client then queries the Enrollment Web Service to enroll for certificates. The Enrollment Web Service then contacts the CA on behalf of the client, and returns the enrolled certificates back to the client.
Non-persistent certificates (not stored in the CA database) - Certificate templates can be configured to not store certificates in the CA database. This is useful for CAs that issue certificates for network authentication, in which certificates have a lifetime of hours or days and the storage of the certificates in the database would impact CA performance unnecessarily.
Hope this helps!
Best Regards
Elytis Cheng
TechNet Community Support
May 16th, 2012 6:54am