ComputerHabit-1849 asked DaisyZhou-MSFT commented

AD CS: Deploying Cross-forest Certificate Enrollment

I’m having trouble with AD CS: Deploying Cross-forest Certificate Enrollment. I’ve followed the article for 2012 R2. Things just don’t seem to work.

Right now I can see certificates assigned to a user. I am getting an error about the certificate chain.

I had used dspublish to put my root CA’s and intermediate CA’s .crt and .crl in.

Can anyone verify what dspublish commands to use and which certs and crls would be required? Maybe I didn’t publish the certs everywhere or used a wrong switch. A working example would be amazing.


Also in lab I have everything deployed and it works for workstation certs. It is failing for user certs. The error says it cannot find the directory object. It seems like maybe I need to do something with referrals but I don’t know what to do.

[image.png: screenshot of the error]

Some extra details:

We have two forests with a full trust relationship.
I have one cert server in one forest. I installed the additional roles all on the same server. When I installed, I didn’t use a service account and opted for the machine account. Delegation is set up.


Tags: windows-server, windows-active-directory, windows-server-security

Are LDAP referrals enabled on the CA?


Yes I’ve tried that. I’m not certain that’s correct since it isn’t mentioned in the 2012 documentation.

Crypt32 (replying to ComputerHabit-1849):

LDAP referrals must be enabled on CA regardless of their OS version.


1 Answer

DavidJenkins-7665 answered DaisyZhou-MSFT commented

Okay, I resolved my issues. It was difficult, since the 2012 doc is incomplete and you have to borrow from the 2008 doc to figure it out.

The missing part from the 2012 doc is the adding of the certs. The best way to get the certs is to log in to the CA Web Service and download the certificate chain. Save each certificate in the chain. Copy them over to the other forest and install. LDAP referrals do need to be enabled.

 REM Run on the enterprise CA: enable LDAP referral support, then restart the CA service so the flag takes effect.
 REM certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
 REM net stop certsvc && net start certsvc

 REM Run the remaining commands on a DC in the remote (account) forest.

 REM Retrieve the root CA certificate from the CA (this also verifies the CA is reachable).
 certutil -config "offlineROOTCA\Cert Root PKI" -ca.cert C:\Scripts\rootcapki.cer

 REM Publish the root CA certificate into the Certification Authorities (trusted root) container.
 certutil -dspublish -f C:\Scripts\rootcapki.cer RootCA

 REM Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
 REM Retrieve the issuing CA certificate from the CA.
 certutil -config "certsrv03.domain.com\Cert Issuing PKI" -ca.cert C:\Scripts\issuingpki.cer

 REM Publish the issuing CA certificate into NTAuthCertificates and into the AIA container.
 certutil -dspublish -f C:\Scripts\issuingpki.cer NTAuthCA
 certutil -dspublish -f C:\Scripts\issuingpki.cer SubCA


Also, for my other error, which was hard to figure out: the issue came up because we have a forest that shares the same namespace as another forest. Basically, we have overlapping forest names. Full trust and all that.

Ex:
Forest1.com
Forest2.Forest1.com

With this, I had to learn about creating LDAP referrals in AD. The article below was so helpful, because Microsoft just gives you a VB script.

To use ADSI Edit to create a cross-reference object:
1. In ADSI Edit, expand the Configuration container.
2. Right-click the CN=Partitions container, click New, and then click Object.
3. For Select a class, you can create objects of only class crossRef, which is already selected. Click Next.
4. For the cn attribute, in the Value box, type a name that describes the location, and then click Next.
5. For the nCName attribute, in the Value box, type the distinguished name for the external domain, and then click Next.
6. For the dnsHostname attribute, in the Value box, type a DNS name for the server that hosts the domain directory partition, or type the domain name.
7. When you are sure that your entries are correct, click Finish.

From <http://cloud365.in/unable-to-create-crossref-object-in-active-directory/>

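The answer above lists three separate fixes (publishing the root and issuing CA certificates into the account forest's Configuration partition, setting EDITF_ENABLELDAPREFERRALS on the CA, and creating a crossRef for the overlapping forest) but gives no way to confirm each one landed where the chain-building and directory lookups expect it. The PowerShell script below is an added example for this thread, not code from the original poster or from Microsoft's deployment guides. Run on a DC (or any domain-joined host) in the account forest, it checks the three targets of `certutil -dspublish` by thumbprint against the .cer files, reads the CA's EditFlags through `certutil -getreg` and looks for the referral flag (bit 0x80000 in certsrv.h), and searches CN=Partitions for a crossRef whose nCName is the overlapping forest's naming context. The CA config string, the .cer paths and the `DC=Forest2,DC=Forest1,DC=com` naming context are assumptions taken from the thread; replace them with your own. One caveat on the ADSI Edit steps quoted above: the crossRef attribute that carries the DNS name is `dnsRoot` in the AD schema, so that is what the script reads back.

```powershell
<#
  Cross-forest AD CS verification script. Added example for this thread, not code from
  the original poster or from Microsoft's deployment guides. Run in the ACCOUNT forest
  after the certutil -dspublish commands. All default parameter values are assumptions
  taken from the thread; replace them.
#>
param(
    [string]$CaConfig    = 'certsrv03.domain.com\Cert Issuing PKI',  # assumed resource-forest CA
    [string]$RootCerPath = 'C:\Scripts\rootcapki.cer',               # assumed root CA cert file
    [string]$SubCerPath  = 'C:\Scripts\issuingpki.cer',              # assumed issuing CA cert file
    [string]$CrossRefNC  = 'DC=Forest2,DC=Forest1,DC=com'            # assumed overlapping forest NC
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices

$configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# SHA-1 thumbprint of a DER-encoded .cer file on disk.
function Get-FileThumbprint([string]$Path) {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path).Thumbprint
}

# Thumbprints of every cACertificate value on one object (Base) or on its children (OneLevel).
function Get-PublishedThumbprints([string]$Dn, [string]$Scope) {
    $s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$Dn")
    $s.Filter      = '(cACertificate=*)'
    $s.SearchScope = $Scope
    [void]$s.PropertiesToLoad.Add('cACertificate')
    foreach ($r in $s.FindAll()) {
        foreach ($der in $r.Properties['cacertificate']) {
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)).Thumbprint
        }
    }
}

$failed = 0
function Report([string]$Name, [bool]$Ok) {
    '{0,-55} {1}' -f $Name, $(if ($Ok) { 'OK' } else { 'MISSING' })
    if (-not $Ok) { $script:failed++ }
}

# 1. The three dspublish targets: RootCA -> Certification Authorities,
#    NTAuthCA -> NTAuthCertificates (single object), SubCA -> AIA.
$rootTp = Get-FileThumbprint $RootCerPath
$subTp  = Get-FileThumbprint $SubCerPath
Report 'Root CA in CN=Certification Authorities' ((Get-PublishedThumbprints "CN=Certification Authorities,$pkiBase" OneLevel) -contains $rootTp)
Report 'Issuing CA in CN=NTAuthCertificates'     ((Get-PublishedThumbprints "CN=NTAuthCertificates,$pkiBase" Base) -contains $subTp)
Report 'Issuing CA in CN=AIA'                    ((Get-PublishedThumbprints "CN=AIA,$pkiBase" OneLevel) -contains $subTp)

# 2. LDAP referrals on the CA. certutil decodes EditFlags into flag names; if the name is absent,
#    fall back to testing the raw value against EDITF_ENABLELDAPREFERRALS (0x80000, from certsrv.h).
$regOut = (certutil -config $CaConfig -getreg policy\EditFlags) -join "`n"
$hasReferrals = $regOut -match 'EDITF_ENABLELDAPREFERRALS'
if (-not $hasReferrals -and $regOut -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $hasReferrals = ([Convert]::ToInt64($Matches[1], 16) -band 0x80000) -ne 0
}
Report "EDITF_ENABLELDAPREFERRALS set on $CaConfig" $hasReferrals

# 3. crossRef for the overlapping forest (the ADSI Edit steps). The DNS attribute is dnsRoot in the schema.
$s = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://CN=Partitions,$configNC")
$s.Filter = "(&(objectClass=crossRef)(nCName=$CrossRefNC))"
$xref = $s.FindOne()
Report "crossRef for $CrossRefNC under CN=Partitions" ($null -ne $xref)
if ($xref) { "    dnsRoot: $($xref.Properties['dnsroot'] -join ', ')" }

if ($failed) { Write-Warning "$failed check(s) failed; re-run the matching certutil step or fix the crossRef." }
exit $failed
```

Reading the Configuration partition needs only an authenticated user, but the `-getreg` call needs CA admin or read rights on the CA over RPC, so run it from an account that can manage the CA. A passing NTAuthCertificates check does not by itself mean clients have picked the change up: domain members cache NTAuth locally and refresh it on the next Group Policy cycle, so on a failing client run `gpupdate /force` (or `certutil -pulse` to kick autoenrollment) before chasing other causes.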

DaisyZhou-MSFT commented:

Hi,
Thank you for your update and sharing. I am very glad that the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again.

Best Regards,
Daisy Zhou
