AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
Updated: January 2, 2012
Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1
Guidance, procedures and scripts for configuring cross-forest certificate enrollment with Windows Server® 2008 R2 in a multiforest environment.
Cross-forest enrollment enables enterprises to deploy a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests.
Enterprises with existing per-forest AD CS deployments can reduce the number of CAs by consolidating certificate templates from multiple forests into a single PKI that serves all forests.
Enterprises with multiforest environments and no PKI can deploy AD CS in one forest to provide enrollment services to all forests.
Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.
Two-way forest trusts between a resource forest and account forests.
One or more enterprise CAs running on Windows Server 2008 R2.
Domain member computers in all forests running the following operating systems:
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Terms used in this guide
Resource forest is an AD DS forest in a multiforest environment that is designated to host enterprise CAs running on Windows Server 2008 R2 to enable certificate enrollment for domain members in all forests. The resource forest is considered the master copy of PKI objects stored across all forests.
Account forest is an AD DS forest with domain members that enroll for certificates from an enterprise CA in the resource forest.
New AD CS deployments for cross-forest certificate enrollment
This section describes an example scenario for deploying AD CS for cross-forest enrollment in an enterprise that has little or no PKI.
Example scenario 1 Contoso, Ltd is a large enterprise with multiple AD DS forests, as illustrated in Fig 1. They have not deployed AD CS because of the increased costs associated with deploying and managing a complete AD CS deployment in each forest.
Fig 1. Example multiforest deployment without AD CS
Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment, Contoso Ltd can deploy AD CS in one forest that enables certificate enrollment from domain members in all forests. Figure 2 illustrates a two-tier PKI in Forest A which allows domain members from all forests to enroll for certificates from the enterprise CA in Forest A.
Fig 2. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment
Consolidated AD CS deployments for cross-forest certificate enrollment
Example scenario 2 Contoso, Ltd is a global holding company that has implemented AD CS in a multiforest environment. Because of Contoso, Ltd’s corporate structure, it is necessary to deploy one forest per subsidiary company. With no support for cross-forest certificate enrollment, AD CS was deployed in each forest. A standalone root CA was deployed to be a central trusted root for the PKI and domain members in all forests. The enterprise CA certificates in each forest and all certificates issued to domain members in all forests have a certification path ending at the trusted root CA certificate.
Fig 3. Example multiforest enterprise with per-forest AD CS deployment
With the availability of Windows Server 2008 R2, it is possible to consolidate multiple per-forest AD CS deployments into a single AD CS deployment that enables certificate enrollment from domain members in all forests. By using fewer CAs, Contoso can lower total PKI management costs.
Fig 4. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment.