LDAP Referrals for cross forest CA enrolment

Candy Luo 12,671 Reputation points Microsoft Vendor
2020-07-15T09:11:21.827+00:00

I am setting up Cross Forest certificate enrolment for 2 forests that have 2-way trusts and an existing mature Enterprise CA in both.

I am using this documentation:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10)

In the step-by-step at 5) it tells me to:

Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.

If I need to back out enabling the cross forest LDAP referrals because of some unforeseen effects, am I able to do this easily? I suspect it is not as simple as re-running the command with DisableLDAPREFERRALS.

Would I be looking at a total rebuild of both enterprise CAs along with all of the current extensive certificate configuration, which would clearly be a hugely painful situation?

Any help appreciated.

Thanks

Thread source link: https://social.technet.microsoft.com/Forums/windows/en-US/a2707ee2-f84a-4001-8d6b-516c742a8e98/ldap-referrals-for-cross-forest-ca-enrolment?forum=winserver8gen


Accepted answer
  1. Teemo Tang 11,361 Reputation points
    2020-07-15T09:31:24.767+00:00

    Thank you for posting in our TechNet forum.

    According to your description, we enable LDAP referral support on enterprise CAs by starting a command prompt, typing certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and pressing ENTER.

    The above command only changes the following registry value.

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-Name\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

    Old Value:
    EditFlags REG_DWORD = 11014e (1114446)

    New Value:
    EditFlags REG_DWORD = 19014e (1638734)


    Q1:If I need to back out enabling the cross forest LDAP referrals because of some unforeseen effects, am I able to do this easily? I suspect it is not as simple as re-running the command with DisableLDAPREFERRALS.

    A1:If we want to back to the original registry settings, we can change the above registry value to EditFlags REG_DWORD = 11014e (1114446).

    Q2: Would I be looking at a total rebuild of both enterprise CAs along with all of the current extensive certificate configuration, which would clearly be a hugely painful situation?

    A2: If our CA environment is healthy, we can set up cross-forest certificate enrollment. If we do not need cross-forest certificate enrollment any more, we can remove any one of the steps, and cross-forest certificate enrollment will stop working.

    As long as our CA environment is healthy and works fine, we do not need to rebuild it.

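The answer above shows that the certutil command changes one DWORD, from 11014e to 19014e, and that rolling back means restoring the old value. The difference between the two numbers is a single bit, 0x80000, which is the EDITF_ENABLELDAPREFERRALS flag; certutil -setreg also accepts a leading minus (certutil -setreg Policy\EditFlags -EDITF_ENABLELDAPREFERRALS) to clear one flag without touching the others. The following Python script is an added example, not code from the thread or from Microsoft: it parses the "EditFlags REG_DWORD = ..." line as certutil -getreg prints it, decodes the value into flag names, reports exactly which flags a change added or removed, and computes the value a rollback should leave behind. The flag bit values are taken from the Windows SDK header certsrv.h and are not listed on the page.

```python
"""Decode and diff the CA policy module EditFlags DWORD.

Added example (not from the forum thread). Flag names and bit values are
those defined in the Windows SDK header certsrv.h.
"""
import re

# EDITF_* bits from certsrv.h; the page only names EDITF_ENABLELDAPREFERRALS.
EDITF_FLAGS = {
    0x00000001: "EDITF_ENABLEREQUESTEXTENSIONS",
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000010: "EDITF_ADDOLDCERTTYPE",
    0x00000020: "EDITF_ATTRIBUTEENDDATE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000080: "EDITF_BASICCONSTRAINTSCA",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00000200: "EDITF_ATTRIBUTECA",
    0x00000400: "EDITF_IGNOREREQUESTERGROUP",
    0x00000800: "EDITF_ENABLEAKIISSUERNAME",
    0x00001000: "EDITF_ENABLEAKIISSUERSERIAL",
    0x00002000: "EDITF_ENABLEAKICRITICAL",
    0x00004000: "EDITF_SERVERUPGRADED",
    0x00008000: "EDITF_ATTRIBUTEEKU",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00020000: "EDITF_EMAILOPTIONAL",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00080000: "EDITF_ENABLELDAPREFERRALS",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
    0x00200000: "EDITF_AUDITCERTTEMPLATELOAD",
    0x00400000: "EDITF_DISABLEOLDOSCNUPN",
    0x00800000: "EDITF_DISABLELDAPPACKAGELIST",
    0x01000000: "EDITF_ENABLEUPNMAP",
    0x02000000: "EDITF_ENABLEOCSPREVNOCHECK",
    0x04000000: "EDITF_ENABLERENEWONBEHALFOF",
    0x08000000: "EDITF_ENABLEKEYENCIPHERMENTCACERT",
}
KNOWN_MASK = sum(EDITF_FLAGS)

# certutil -getreg prints the value as hex followed by decimal in parentheses.
_CERTUTIL_LINE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)")


def parse_certutil_value(line):
    """Parse 'EditFlags REG_DWORD = 19014e (1638734)' and cross-check both forms."""
    m = _CERTUTIL_LINE.search(line)
    if not m:
        raise ValueError("not an EditFlags line: %r" % line)
    hex_value, dec_value = int(m.group(1), 16), int(m.group(2))
    if hex_value != dec_value:
        raise ValueError("hex and decimal disagree in %r" % line)
    return hex_value


def decode_editflags(value):
    """Return the set of EDITF_* names whose bit is set; unknown bits are reported, not dropped."""
    names = {name for bit, name in EDITF_FLAGS.items() if value & bit}
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.add("UNKNOWN_0x%08x" % unknown)
    return names


def changed_flags(old, new):
    """Return (added, removed) flag-name sets between two EditFlags values."""
    return decode_editflags(new & ~old), decode_editflags(old & ~new)


def rollback_value(current, flag_name):
    """Value left after clearing exactly one flag, as 'certutil -setreg Policy\\EditFlags -FLAG' does."""
    bit = next(b for b, n in EDITF_FLAGS.items() if n == flag_name)
    return current & ~bit


if __name__ == "__main__":
    # Constructed from the two values quoted in the accepted answer.
    old = parse_certutil_value("EditFlags REG_DWORD = 11014e (1114446)")
    new = parse_certutil_value("EditFlags REG_DWORD = 19014e (1638734)")
    added, removed = changed_flags(old, new)
    print("before: 0x%x -> %s" % (old, sorted(decode_editflags(old))))
    print("added:   %s" % sorted(added))
    print("removed: %s" % sorted(removed))
    print("rollback writes: 0x%x" % rollback_value(new, "EDITF_ENABLELDAPREFERRALS"))
```

Running it against the two values quoted in the answer reports that the only flag added was EDITF_ENABLELDAPREFERRALS and that clearing it yields 0x11014e again, which is the check to run (certutil -getreg Policy\EditFlags before and after) to confirm a rollback changed nothing else on the CA.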