PKI and cross-forest trusts
Hello, my organization's Certification Authority lives in the root domain of our AD forest. We've just merged with another organization, and a two-way trust has been established at the child domain level, but not at the root. There is some demand for users in the other organization's forest to be able to request certificates from my CA. My question is two-fold:
1. Is this possible even if a trust were established between our root domain and the other organization's user domain?
2. If it is possible, would the trust need to be one-way or two-way?
Thanks in advance!
February 4th, 2010 10:32pm

For cross-forest enrollment:
- You need a cross-forest trust between the two forests
- The trust relationship must be bi-directional
- The issuing CA must be running Server 2008 R2
- Certificate template replication must be configured between the two forests

The details are covered in the following whitepaper: http://www.microsoft.com/downloads/details.aspx?familyid=D408BE72-7C74-4B19-A2DE-FA11858C30B2&displaylang=en

Brian
February 4th, 2010 10:54pm
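One way to verify the prerequisites Brian lists from a machine in the CA's forest, as an added example that is not from the thread or the whitepaper; it assumes the ActiveDirectory PowerShell module and WMI access to the CA, and the forest and host names are placeholders to replace.

```powershell
# Added example (not from the thread): check the cross-forest enrollment prerequisites.
# Assumes the ActiveDirectory module is available; $PartnerForest and $CaHost are placeholders.
Import-Module ActiveDirectory

$PartnerForest = 'partner.example'     # placeholder: the other organization's forest root
$CaHost        = 'ca01.corp.example'   # placeholder: issuing CA host name

# 1. Is there a trust to the partner, is it a forest trust, and is it bidirectional?
$trust = Get-ADTrust -Filter "Target -eq '$PartnerForest'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust object found for $PartnerForest in this forest."
} else {
    "Trust to $($trust.Target): forest-transitive=$($trust.ForestTransitive) direction=$($trust.Direction)"
    # A domain-level (external) trust is not enough; it must be a forest trust.
    if (-not $trust.ForestTransitive) { Write-Warning 'Trust is not a forest trust (domain-level only).' }
    if ($trust.Direction -ne 'BiDirectional') { Write-Warning 'Trust is not bidirectional.' }
}

# 2. Is the issuing CA on Windows Server 2008 R2 (NT 6.1) or later?
$os  = Get-WmiObject Win32_OperatingSystem -ComputerName $CaHost
$ver = [version]$os.Version
"CA OS: $($os.Caption) ($ver)"
if ($ver -lt [version]'6.1') {
    Write-Warning 'Cross-forest enrollment needs Server 2008 R2 or later on the issuing CA.'
}

# 3. Have the certificate templates been replicated into the partner forest's
#    configuration partition? Compare template names in both forests.
function Get-TemplateNames([string]$Server) {
    $configNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    Get-ADObject -Server $Server `
        -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
        -Filter 'objectClass -eq "pKICertificateTemplate"' |
        Select-Object -ExpandProperty Name
}
$local   = Get-TemplateNames -Server (Get-ADForest).RootDomain
$partner = Get-TemplateNames -Server $PartnerForest
$missing = $local | Where-Object { $partner -notcontains $_ }
if ($missing) { "Templates not present in ${PartnerForest}: $($missing -join ', ')" }
else          { "All $($local.Count) templates also exist in $PartnerForest." }
```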

Thanks, Brian. We probably won't pursue this since the CA is Win2K3 and is slated to be decommissioned relatively soon, but I'll definitely tuck that white paper in my back pocket!
February 4th, 2010 11:08pm

What you could do if there is a PKI in the other org is cross-certification. This will work with 2k3: http://technet.microsoft.com/en-us/library/cc787237(WS.10).aspx

Brian
February 5th, 2010 4:47am
