RichMarder-1896 asked ·

AD CS: Deploying Cross-forest Certificate Enrollment

With reference to the article https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955845(v=ws.10), can somebody please clarify: if I already have an Enterprise CA in an Account Forest, can I establish a 'Cross Forest Enrollment' with a Resource Forest and maintain the Enterprise CA in the Account Forest, or do I have to consolidate this Account Forest CA into the Resource Forest?

The reason I am asking is because we have a small user base in Account Forest and want to integrate these into an AOVPN solution in the Resource Forest.

Thanks in advance for any advice/help.


Rich

Tags: windows-server, windows-active-directory, windows-server-security

1 Answer

FanFan-MSFT answered ·

Hi,
Based on my research, from a management point of view both of the methods you mentioned can be considered.
Since you have only a small user base in the Account Forest, for easier management you can consolidate this Account Forest CA into the Resource Forest.
I am not familiar with the AOVPN solution; you may weigh the various factors and choose an appropriate method.

Following link for your reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955842(v=ws.10)?redirectedfrom=MSDN

Fan

4 comments

I checked the Group Policy and the old Root certificate is not published there. So probably the Root CA certificate was published in AD via CERTUTIL -DSPUBLISH; when I browse the services in ADSIEDIT the old certificate is published not only in CN=Certification Authorities, but also in CN=AIA, CN=Enrollment Services and CN=KRA.

Also the old PKI server is in CN=CDP.
What is the best way to clean this up, so that new servers will not get that expired certificate?
What is the best way also to clean up the ones in production that already have the expired cert?

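Both the original question (is the account-forest CA visible to resource-forest clients?) and the comment above (which Configuration-NC containers still carry an expired CA certificate, and how to clear them) come down to inspecting CN=Public Key Services in a forest's Configuration naming context. The script below is an added example written for this thread; it is not Microsoft's PKISync.ps1 from the linked article and not code from any of the posters. It assumes the RSAT ActiveDirectory module is installed, that `-Server` names a domain controller in the forest you want to inspect (the hostname `dc01.resource.example` in the usage note is hypothetical), and that the caller can read the Configuration NC and, for `-Remove`, write to CN=Public Key Services. The treatment of CN=KRA as holding `userCertificate` on msPKI-PrivateKeyRecoveryAgent objects, and the use of `Set-ADObject -Remove` to drop one value of the multi-valued attribute, are the example's own choices.

```powershell
# Added example (not from the thread, not PKISync.ps1): inventory every CA certificate
# published under CN=Public Key Services in a forest's Configuration NC, flag the
# expired ones, list the per-host CDP containers, and optionally remove expired values.
# Assumptions: RSAT ActiveDirectory module present; -Server is a DC of the forest to
# inspect (hypothetical: dc01.resource.example); caller can read the Configuration NC
# and write to CN=Public Key Services when -Remove is used.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string]$Server,
    [switch]$Remove        # delete expired values; honours -WhatIf and -Confirm
)

Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Containers populated by certutil -dspublish or Enterprise CA setup. Objects under
# Certification Authorities, AIA and Enrollment Services carry cACertificate; the
# msPKI-PrivateKeyRecoveryAgent objects under KRA carry userCertificate (assumption).
$certContainers = [ordered]@{
    'Certification Authorities' = 'cACertificate'
    'AIA'                       = 'cACertificate'
    'Enrollment Services'       = 'cACertificate'
    'KRA'                       = 'userCertificate'
}

function Get-PublishedCaCert {
    param([string]$Container, [string]$Attribute)
    $base = "CN=$Container,$pkiBase"
    Get-ADObject -Server $Server -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "($Attribute=*)" -Properties $Attribute |
    ForEach-Object {
        $obj    = $_
        $values = @($obj.$Attribute)          # multi-valued: one entry per CA cert version
        foreach ($raw in $values) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Container  = $Container
                Attribute  = $Attribute
                ObjectDN   = $obj.DistinguishedName
                ValueCount = $values.Count
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                RawBytes   = [byte[]]$raw
            }
        }
    }
}

$published = foreach ($c in $certContainers.Keys) {
    Get-PublishedCaCert -Container $c -Attribute $certContainers[$c]
}

$published | Sort-Object Container, Subject |
    Format-Table Container, Subject, Thumbprint, NotAfter, Expired -AutoSize | Out-Host

# CDP keeps one sub-container per CA host, with the CRL objects underneath. A
# decommissioned server leaves its container behind; that is what ADSIEdit shows.
$cdpHosts = Get-ADObject -Server $Server -SearchBase "CN=CDP,$pkiBase" `
    -SearchScope OneLevel -Filter * | Select-Object -ExpandProperty Name
Write-Host "CDP host containers: $($cdpHosts -join ', ')"

if ($Remove) {
    foreach ($e in ($published | Where-Object Expired)) {
        $what = "$($e.Subject) [$($e.Thumbprint)] in $($e.Container)"
        if ($e.Container -eq 'Enrollment Services' -and $e.ValueCount -eq 1) {
            # A pKIEnrollmentService object whose only certificate has expired is a
            # retired CA as far as autoenrollment is concerned: drop the whole object.
            if ($PSCmdlet.ShouldProcess($e.ObjectDN, "Delete object for $what")) {
                Remove-ADObject -Server $Server -Identity $e.ObjectDN -Confirm:$false
            }
        }
        elseif ($PSCmdlet.ShouldProcess($e.ObjectDN, "Remove expired value for $what")) {
            # Remove only the expired value: a renewed CA stores its current
            # certificate as another value of the same attribute on the same object.
            $attr = $e.Attribute
            Set-ADObject -Server $Server -Identity $e.ObjectDN -Remove @{ $attr = $e.RawBytes }
        }
    }
}
```

Run it read-only first (`.\Show-PublishedCa.ps1 -Server dc01.resource.example`), then with `-Remove -WhatIf` to see exactly which values and objects would go. Certificates under CN=Certification Authorities and CN=AIA are what the PKI autoenrollment client copies into every domain member's Trusted Root and Intermediate stores, which is why a stale entry keeps reappearing on freshly built servers; after removing it from AD, verify on an existing machine with `certutil -pulse` followed by a look at the local store rather than assuming it was withdrawn. For the cross-forest question, point `-Server` at a resource-forest DC: if the account-forest CA's Enrollment Services and AIA objects are not listed there, the copy step from the linked article (which uses PKISync.ps1 and requires a two-way forest trust) has not been done, and resource-forest clients will not see that CA as an enrollment target.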
FanFan-MSFT bizcntradmin-7120 ·

Hi, bizcntradmin
It is recommended to post a new thread for your questions; it will be easier to collect more users' advice.
Best Regards,


Fan

Thanks for the reply and clarification.

Cheers
Rich


Hi,
You are welcome!
Please feel free to let us know if you need further assistance.
Best Regards,
