AD CS: Managing Cross-forest Certificate Enrollment

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1


Starting with Windows Server 2008 R2, you can use Certificate Enrollment Web Services to issue certificates to clients in forests that have no forest trust relationship with the forest that hosts the CA. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.

Because cross-forest certificate enrollment requires that the PKI objects (such as certificate templates) in all forests be identical, you must copy the PKI objects from the resource forest to every account forest each time a PKI object in the resource forest changes.

You can perform this maintenance manually by completing the procedure described in Copying PKI objects to account forests.

However, because manual processes are error-prone and may not be run regularly, or at all when a PKI object changes, we recommend an automated process based on the PKISync.ps1 script and the examples provided in this guide.

Two examples of automation are described in this topic:

  • Using a scheduled task

  • Monitoring AD CS events

Using a scheduled task

The simplest method for maintaining PKI objects for cross-forest certificate enrollment is to run the PKISync.ps1 script from a scheduled task.

The task should run often enough that a changed PKI object does not stay out of sync for longer than your environment can tolerate. Because PKI objects change infrequently, copying them to the account forests once a day works well in most environments.
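The following PowerShell script is an added example, not part of the original guide, showing how such a daily task can be registered with the Task Scheduler cmdlets. The path C:\PKI\PKISync.ps1, the forest names, the log directory and the service account CONTOSO\svc-pkisync are assumptions; the -sourceforest, -targetforest and -f switches follow the usage given in the PKISync.ps1 topic of this guide and should be checked against your copy of the script.

```powershell
# Added example (not from the original guide): register one daily scheduled task per
# account forest that runs PKISync.ps1 from a management host in the resource forest.
# Assumptions (adjust to your environment):
#   - PKISync.ps1 is stored at C:\PKI\PKISync.ps1.
#   - The -sourceforest / -targetforest / -f switches are as described in the
#     PKISync.ps1 topic of this guide; verify them against your copy of the script.
#   - CONTOSO\svc-pkisync holds the rights the guide requires in every account forest.
#     Its password is prompted for at registration time and is never stored in this file.
$scriptPath     = 'C:\PKI\PKISync.ps1'
$resourceForest = 'corp.contoso.com'
$accountForests = @('account.fabrikam.com', 'account.adatum.com')
$logDir         = 'C:\PKI\Logs'
$runAs          = 'CONTOSO\svc-pkisync'

New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$cred = Get-Credential -UserName $runAs -Message 'Account used to run PKISync.ps1'

foreach ($forest in $accountForests) {
    $taskName = "PKISync-$forest"

    # Run the sync through powershell.exe without a profile and keep a transcript per
    # account forest so each run can be reviewed later.
    $command = "Start-Transcript -Path '$logDir\$forest.log' -Append; " +
               "& '$scriptPath' -sourceforest $resourceForest -targetforest $forest -f; " +
               "Stop-Transcript"
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command `"$command`""

    # Once a day is enough for PKI objects, which change rarely; shorten the interval if
    # templates are edited more often in your resource forest.
    $trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Hours 1) -MultipleInstances IgnoreNew

    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Settings $settings -User $cred.UserName `
        -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null
    Write-Host "Registered $taskName (daily at 02:00, runs as $runAs)"
}

# Run the first task immediately to confirm the account and script work before relying
# on the schedule; check $logDir for the transcript afterwards.
Start-ScheduledTask -TaskName "PKISync-$($accountForests[0])"
```

The account that runs the task can write PKI objects in every account forest, so treat the management host and the script file as Tier-0 assets: restrict write access to C:\PKI to administrators, because anyone who can edit PKISync.ps1 can push arbitrary templates into all account forests.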

For information on using scheduled tasks, see

Monitoring AD CS events

Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events that indicate a change to PKI objects.

You must configure auditing on CAs for some AD CS events to be recorded in the event log.

Complete the following procedure on each CA you want to monitor.

To enable AD CS event auditing

  1. Start an MMC console and add the Group Policy Object Editor for the local computer.

  2. In the tree view, click Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

  3. In the details pane, double-click Audit object access.

  4. Click Success, then click OK.

  5. Start the Certification Authority snap-in.

  6. In the tree view, right-click your CA and click Properties.

  7. Click the Auditing tab.

  8. Click Change CA configuration and Change CA security settings, then click OK.

  9. Restart the CA service, for example with the command net stop certsvc && net start certsvc. (The command sc stop certsvc && sc start certsvc shown in earlier versions of this procedure can fail, because sc stop returns before the service has finished stopping; net stop waits for the stop to complete.)
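The same configuration can be applied from an elevated PowerShell session on the CA. The script below is an added example, not part of the original guide; the AuditFilter bit values it uses are those Microsoft documents for the CA's AuditFilter registry value (0x10 = change CA security settings, 0x40 = change CA configuration), and the registry paths are the standard CertSvc configuration keys.

```powershell
# Added example (not from the original guide): script equivalent of steps 1-9 above,
# run in an elevated PowerShell session on each CA you want to monitor.
# AuditFilter bits (documented by Microsoft for the CA AuditFilter registry value):
#   0x01 start/stop the service      0x02 back up/restore the CA database
#   0x04 issue and manage requests   0x08 revoke certificates and publish CRLs
#   0x10 change CA security settings 0x20 store/retrieve archived keys
#   0x40 change CA configuration
$wantedBits = 0x10 -bor 0x40   # "Change CA security settings" + "Change CA configuration"

# Steps 1-4: enable success auditing for Object Access in the local audit policy.
# A domain GPO that defines audit policy will override this local setting, so put the
# same setting in that GPO if one applies to the CA.
auditpol /set /category:"Object Access" /success:enable | Out-Null

# Steps 5-8: turn on the two CA audit filters without clearing any already enabled.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$current   = (Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
if ($null -eq $current) { $current = 0 }
$newFilter = $current -bor $wantedBits

if ($newFilter -ne $current) {
    certutil -setreg CA\AuditFilter $newFilter | Out-Null
    # Step 9: the CA reads AuditFilter at start-up, so restart the service.
    Restart-Service -Name CertSvc
    Write-Host "AuditFilter on $caName changed from $current to $newFilter; CertSvc restarted."
} else {
    Write-Host "AuditFilter on $caName already includes the required bits ($current)."
}

# Verify both halves of the configuration.
auditpol /get /category:"Object Access"
certutil -getreg CA\AuditFilter
```

Only the two filter bits the procedure asks for are added; the remaining bits are left as they were so that a CA already auditing, say, certificate issuance keeps doing so. Setting AuditFilter to 127 (all bits) is common practice on CAs and also satisfies this procedure, at the cost of more events in the Security log.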

The following table lists events you can monitor.

Event Id    Event log    Event source    Description
                                         Active Directory Certificate Services for %1 was started.
                                         The security permissions for Certificate Services changed.
                                         Certificate Services loaded a template.
                                         A Certificate Services template was updated.
                                         A property of Certificate Services changed.
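The following PowerShell script is an added example, not part of the original guide, of the second approach: a scheduled task on the CA whose trigger is a Security-log subscription for the five events in the table, so PKISync.ps1 runs as soon as a template or CA setting changes. The event IDs it subscribes to are the ones Windows assigns to those audit messages (4880 CA started, 4882 security permissions changed, 4892 CA property changed, 4898 template loaded, 4899 template updated) and are stated here from the Windows Security auditing event catalogue rather than from this page. The script path, forest names and service account are the same assumptions as in the daily-task example above, and the account is assumed to be able to read the Security log (for example through Event Log Readers membership).

```powershell
# Added example (not from the original guide): run PKISync.ps1 in response to the CA
# audit events listed in the table above. Register this task on the CA itself.
# Assumptions: paths, forests and service account as in the daily-task example; the
# account can read the Security log. Event IDs are the Windows Security-auditing IDs
# for the five messages in the table.
$scriptPath     = 'C:\PKI\PKISync.ps1'
$resourceForest = 'corp.contoso.com'
$accountForests = @('account.fabrikam.com', 'account.adatum.com')
$runAs          = 'CONTOSO\svc-pkisync'
$eventIds       = 4880, 4882, 4892, 4898, 4899

# Build the XPath subscription the Task Scheduler evaluates against the Security log.
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '
$subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and ($idFilter)]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger cannot build event triggers; create the MSFT_TaskEventTrigger
# CIM instance that the Task Scheduler provider expects instead.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler `
    -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true
# One template edit usually produces a burst of audit events; a short delay lets the
# burst finish, and IgnoreNew below stops a second run from overlapping the first.
$trigger.Delay        = 'PT2M'

# One powershell.exe invocation that syncs every account forest in turn.
$syncAll = ($accountForests | ForEach-Object {
    "& '$scriptPath' -sourceforest $resourceForest -targetforest $_ -f"
}) -join '; '
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -Command `"$syncAll`""
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

$cred = Get-Credential -UserName $runAs -Message 'Account used to run PKISync.ps1'
Register-ScheduledTask -TaskName 'PKISync-OnCAChange' -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# Confirm the CA actually produces these events (auditing must be enabled as described
# above); an empty result means the trigger will never fire.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $eventIds } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Keep the daily task as well: an event-driven sync only covers changes made while the CA is running and auditing, and the daily run catches anything missed (for example a change made while the task was disabled or the service account's password had expired).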

Using automation

Detailed instructions for configuring automation are not provided in this document.

Use the guidance and script provided in this document and any of the following systems to develop a solution that meets the requirements of your organization:

  • System Center Operations Manager can be used to monitor your CAs for events and alert administrators or run custom scripts or code in response to specified events.

  • Windows and Directory Access APIs can be used to subscribe to events on your CA and run custom code to manage PKI objects in AD.

  • Microsoft Forefront Identity Manager or Microsoft Identity Lifecycle Manager can be used to synchronize PKI objects in account forests with objects in the resource forest. See Microsoft Forefront Identity Manager.

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

AD CS: Deploying Cross-forest Certificate Enrollment

AD CS: Troubleshooting Cross-forest Certificate Enrollment

AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment

AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment