No certificates available on one of my domains
Dear all, I managed to update the CRL and start up the Enterprise CA of DomainB in a multi-domain, single-forest environment. I tried to request a new cert for one of the servers at DomainB and I only see certificate templates from the DomainA CA, which in fact was in production (only for DomainA) before the DomainB CA. What should I do to point a server on DomainB to the CA on DomainB? Is it a matter of replication? Hope you understand my question. Best
November 8th, 2012 11:03am

ADCS is a forest-wide service. This means that a single ADCS instance can issue certificates to any *forest* member. Are you going to decommission the CA server installed in DomainA?
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
November 8th, 2012 12:15pm

Each domain represents a geographical continent, so my intention is to deploy in each main data center on each continent (Europe + Asia + Africa + America) servers like: AMECA: enterprise subordinate CA; AMEREV: enterprise revocation server; and so on for each continent. But the actual situation is: RootCA offline; Europe: EURCA, EURREV; America: AMECA (no AMEREV in prod for the moment, so AMECA points to EURREV for revocation matters). Hope I'm clear for you. Thanks in advance
November 8th, 2012 1:08pm

The only way I see is to deal with multiple certificate templates and custom permissions on them. Consider the following: you have 2 domains in the same forest, DomainAME and DomainEU. You have 2 Enterprise CAs, AMECA and EUCA, each located in the respective domain. Each CA should issue similar certificates (client authentication certificates for users and computers); however, each CA should issue certificates only to clients in the respective domain. You have to create 2 sets of templates: UserAME and UserEU, ComputerAME and ComputerEU. Assign Read and Enroll permissions on the UserAME template to domain users in the DomainAME domain. Assign Read and Enroll permissions on the UserEU template to domain users in the DomainEU domain. Perform the same action for the computer templates (use computer accounts from the respective domains).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
November 8th, 2012 1:52pm
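The per-domain template setup described in the answer above, as an added example that is not from the thread or from the PSPKI module. It uses only System.DirectoryServices, so it runs on any domain-joined machine; the template name UserAME and the principal DomainAME\Domain Users are assumptions matching the answer. Function 1 shows why a DomainB client sees the DomainA CA at all (Enrollment Services is forest-wide), function 2 audits who holds Enroll on a template, and function 3 applies the Read + Enroll grant.

```powershell
# Added example (not the thread's or PSPKI's code). Assumed names: UserAME, DomainAME\Domain Users.
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$ConfigNC   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$PkiBase    = "CN=Public Key Services,CN=Services,$ConfigNC"

# 1. Every CA in the forest and the templates it publishes. This container is
#    forest-wide, which is why a DomainB client is offered DomainA's CA.
function Get-ForestCATemplates {
    foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$PkiBase").Children) {
        [pscustomobject]@{
            CA        = [string]$ca.Properties['cn'].Value
            Host      = [string]$ca.Properties['dNSHostName'].Value
            Templates = @($ca.Properties['certificateTemplates']) -join ', '
        }
    }
}

# 2. Who can enroll on a template: Allow ACEs carrying the Enroll extended right
#    (an empty ObjectType means "all extended rights", which includes Enroll).
function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$TemplateName)
    $t = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$PkiBase"
    $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
      Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [Guid]::Empty)
      } | ForEach-Object { [pscustomobject]@{ Template = $TemplateName; Principal = $_.IdentityReference.Value } }
}

# 3. Grant Read + Enroll to one domain's principal on that domain's own template.
function Grant-TemplateEnroll {
    param([Parameter(Mandatory)][string]$TemplateName,
          [Parameter(Mandatory)][string]$Principal)      # e.g. 'DomainAME\Domain Users'
    $t   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$PkiBase"
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $t.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'GenericRead', 'Allow')))
    $t.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', 'Allow', $EnrollGuid)))
    $t.CommitChanges()
}

Get-ForestCATemplates | Format-Table -AutoSize
Grant-TemplateEnroll -TemplateName 'UserAME' -Principal 'DomainAME\Domain Users'
Get-TemplateEnrollers -TemplateName 'UserAME' | Format-Table -AutoSize
```

Run Get-TemplateEnrollers against every per-domain template after the grants to confirm no principal from the other domain still holds Enroll, since the template ACL, not the CA's domain, is what decides who gets offered it.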

Hi Michael, As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Best Regards Kevin TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
November 12th, 2012 5:48am
