Cross-forest Certificate Enrollment with Windows Server 2008 R2

Microsoft Corporation

Published: August 31, 2010

Abstract

Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to the clients that are members of a different Active Directory Domain Services (AD DS) forest. This process is called cross-forest certificate enrollment. This white paper will explain how the cross-forest certificate enrollment works. It will also provide deployment guidance for new and existing Active Directory Certificate Services (AD CS) deployments. The paper will cover strategies for consolidating existing certificate templates that may be already in use in the enterprise. It will present choices for ongoing management of the cross-forest certificates deployment. A PowerShell script is also provided to facilitate management tasks related to setting up and maintaining a cross-forest certificate enrollment environment.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
    Technical requirements
    Terms used in this guide
    New AD CS deployments for cross-forest certificate enrollment
    Consolidated AD CS deployments for cross-forest certificate enrollment
AD CS: Deploying Cross-forest Certificate Enrollment
    Deploying AD CS for cross-forest certificate enrollment
    Consolidating certificate templates from multiple forests
        Copying account forest certificate templates into the resource forest
        Consolidating certificate templates with similar purposes from multiple account forests
        Consolidating version 2 and version 3 default certificate templates
        Consolidating version 1 default certificate templates
    Copying PKI objects to account forests
    Support for CA Web Enrollment
    Decommissioning CAs in account forests
AD CS: Managing Cross-forest Certificate Enrollment
    Using a scheduled task
    Monitoring AD CS events
    Using automation
AD CS: Troubleshooting Cross-forest Certificate Enrollment
    PKI object synchronization issues
    Public key containers or default certificate templates deleted
    Certutil connection errors when connecting to a CA
AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment
    Saving PKISync.ps1
    Subsection Heading
AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment
    Saving DumpADObj.ps1
Online Version

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

Guidance, procedures and scripts for configuring cross-forest certificate enrollment with Windows Server 2008 R2 in a multiforest environment.

Cross-forest enrollment enables enterprises to deploy a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests.

Enterprises with existing per-forest AD CS deployments can reduce the number of CAs by consolidating certificate templates from multiple forests into a single PKI that serves all forests.

Enterprises with multiforest environments and no PKI can deploy AD CS in one forest to provide enrollment services to all forests.

Technical requirements

• Two-way forest trusts between a resource forest and account forests.
• One or more enterprise CAs running on Windows Server 2008 R2.
• Domain member computers in all forests running the following operating systems:
    Windows XP
    Windows Server 2003
    Windows Vista
    Windows Server 2008
    Windows 7
    Windows Server 2008 R2

Terms used in this guide

Resource forest is an AD DS forest in a multiforest environment that is designated to host enterprise CAs running on Windows Server 2008 R2 to enable certificate enrollment for domain members in all forests. The resource forest is considered the master copy of PKI objects stored across all forests.

Account forest is an AD DS forest with domain members that enroll for certificates from an enterprise CA in the resource forest.

New AD CS deployments for cross-forest certificate enrollment

This section describes an example scenario for deploying AD CS for cross-forest enrollment in an enterprise that has little or no PKI.

Example scenario 1

Contoso, Ltd is a large enterprise with multiple AD DS forests, as illustrated in Fig 1. They have not deployed AD CS because of the increased costs associated with deploying and managing a complete AD CS deployment in each forest.

Fig 1. Example multiforest deployment without AD CS

Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment, Contoso Ltd can deploy AD CS in one forest that enables certificate enrollment from domain members in all forests. Figure 2 illustrates a two-tier PKI in Forest A which allows domain members from all forests to enroll for certificates from the enterprise CA in Forest A.

Fig 2. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment

Consolidated AD CS deployments for cross-forest certificate enrollment

Example scenario 2

Contoso, Ltd is a global holding company that has implemented AD CS in a multiforest environment. Because of Contoso, Ltd's corporate structure, it is necessary to deploy one forest per subsidiary company. With no support for cross-forest certificate enrollment, AD CS was deployed in each forest. A standalone root CA was deployed to be a central trusted root for the PKI and domain members in all forests. The enterprise CA certificates in each forest and all certificates issued to domain members in all forests have a certification path ending at the trusted root CA certificate.

Fig 3. Example multiforest enterprise with per-forest AD CS deployment

With the availability of Windows Server 2008 R2, it is possible to consolidate multiple per-forest AD CS deployments into a single AD CS deployment that enables certificate enrollment from domain members in all forests. By using fewer CAs, Contoso can lower total PKI management costs.

Fig 4. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment.

AD CS: Deploying Cross-forest Certificate Enrollment

This topic provides guidance and procedures for deploying CAs and configuring AD CS for cross-forest certificate enrollment in a multiforest environment.

To deploy AD CS for cross-forest certificate enrollment, complete the procedures in the following sections of this guide:

• Deploying AD CS for cross-forest certificate enrollment describes procedures for deploying and configuring AD CS and PKI objects in AD DS. Procedures in this section are used for both deployment scenarios.

• Consolidating certificate templates from multiple forests describes procedures for consolidating certificate templates from multiple per-forest AD CS deployments into a single PKI. Consolidation tasks are not required for new AD CS deployments.

• Copying PKI objects to account forests describes procedures and scripts for copying PKI objects from AD in the resource forest to account forests. The procedures described for copying PKI objects to account forests are required for new AD CS deployments and consolidated deployments. After deployment, the procedures for copying PKI objects can be used to distribute certificate templates from the resource forest to the account forests, which is necessary to maintain consistency of PKI objects in all forests.

Deploying AD CS for cross-forest certificate enrollment

• Review this entire guide and plan your deployment.
• Test your deployment plan in a lab or other non-production environment.
• Review this guide again with the test results and improve your plan before production deployment.
• Complete the procedure to deploy and configure AD CS for both cross-forest scenarios: New AD CS deployments and Consolidated AD CS deployments.

To deploy and configure AD CS

1. Designate a resource forest. All other forests participating in cross-forest certificate enrollment are account forests. AD CS is deployed in the resource forest to provide certificate enrollment services to domain members in all account forests.

   When consolidating AD CS deployments from multiple forests, you can designate an existing account forest as the resource forest. In many cases, the forest with the largest number of CAs is the best candidate for being designated a resource forest.

   Alternatively, a resource forest can be used solely for management of account forests and hosting AD CS for cross-forest enrollment. Two-way trusts between the resource forest and each account forest are required but trust relationships between account forests are not required for cross-forest enrollment.

2. Create a two-way forest trust between the resource forest and account forests. See Create a two-way, forest trust for both sides of the trust.

   Notes
   If Selective Authentication is required for the forest trust, the following permissions are required:
   • Domain member computers and users in account forests must have Allow authenticate permissions to the enterprise CAs in the resource forest.
   • Enterprise CAs in the resource forest must have Allow authenticate permissions to the domain controllers in each account forest.
   • Administrators that run the scripts provided with this guide must have Allow authenticate permissions to the domain controllers in all forests. For example, if the scripts are run on a domain member computer in the resource forest, the administrator must have Allow authenticate permissions in each account forest.

3. Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA.

4. Install or upgrade one or more enterprise CAs running on Windows Server 2008 R2 in the resource forest.

   Depending on your environment, the degree to which you are using existing PKI resources, and your level of experience with AD CS, the following references might be helpful for planning a new AD CS deployment or migrating existing AD CS deployments to Windows Server 2008 R2.
   • AD CS Advanced Lab Scenario
   • Active Directory Certificate Services Migration Guide

5. Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.

6. Add enterprise CA computer accounts to the Cert Publishers group in each account forest. See example procedures at Add a member to a group. Restart the CA by using net stop certsvc && net start certsvc.

7. Configure authority information access and CRL distribution point locations. See Specify CA certificate access points in issued certificates. In addition to specifying the access point locations in certificate templates, you must ensure that the network locations specified in certificates are online and are accessible from domain members in all forests. The locations can be either LDAP or HTTP depending on your certificate template configuration. See Configuring Certificate Revocation.

8. Publish the root CA certificate from the resource forest to the account forests by using Certutil.exe at a command prompt to run the following commands:
   a. certutil -config \ -ca.cert
      If you run the command on the root CA you can omit the connection information, -config \.
   b. certutil -dspublish -f RootCA

9. Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
   a. certutil -config \ -ca.cert
   b. certutil -dspublish -f NTAuthCA
   c. certutil -dspublish -f SubCA
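An added PowerShell example, not the white paper's own script, that runs steps 8 and 9 for several account forests at once and then reads the NTAuthCertificates object back from each account forest to confirm the publish succeeded. The CA config strings and domain controller names are hypothetical placeholders; it assumes the account running it has the permissions described in step 2, and it uses certutil's -dc option to direct -dspublish at a domain controller of the target forest.

```powershell
# Added example, not the white paper's script: runs steps 8 and 9 above for every
# account forest and then checks that each issuing CA certificate was published.
# Every name below is a hypothetical placeholder; replace with your own values.
$RootCaConfig     = 'ROOTCA01\Contoso Root CA'                      # <host>\<CA name> of the root CA
$IssuingCaConfigs = @('CA01.corp.contoso.com\Contoso Issuing CA 1') # enterprise CAs in the resource forest
$AccountForestDCs = @('dc1.fabrikam.com', 'dc1.adatum.com')         # one domain controller per account forest

$workDir = Join-Path $env:TEMP 'xforest-cacerts'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Run certutil.exe and stop on the first failure; a half-published forest is hard to spot later.
function Invoke-Certutil {
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ('certutil {0} failed with exit code {1}: {2}' -f ($Arguments -join ' '), $LASTEXITCODE, ($output -join ' '))
    }
    $output
}

# SHA-1 thumbprint of a certificate given either as a .cer path or as raw DER bytes.
function Get-CertThumbprint {
    param($CertData)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$CertData)
    $cert.Thumbprint
}

# Steps 8a and 9a: export each CA certificate (certutil -config <host>\<CA name> -ca.cert <file>).
$rootCer = Join-Path $workDir 'rootca.cer'
Invoke-Certutil @('-config', $RootCaConfig, '-ca.cert', $rootCer) | Out-Null
$issuingCers = @()
for ($i = 0; $i -lt $IssuingCaConfigs.Count; $i++) {
    $file = Join-Path $workDir ('issuingca{0}.cer' -f $i)
    Invoke-Certutil @('-config', $IssuingCaConfigs[$i], '-ca.cert', $file) | Out-Null
    $issuingCers += $file
}

# Steps 8b, 9b and 9c in each account forest. The -dc option points certutil at a domain
# controller of that forest, so the objects are written to that forest's configuration partition.
foreach ($dc in $AccountForestDCs) {
    Invoke-Certutil @('-dc', $dc, '-dspublish', '-f', $rootCer, 'RootCA') | Out-Null
    foreach ($cer in $issuingCers) {
        Invoke-Certutil @('-dc', $dc, '-dspublish', '-f', $cer, 'NTAuthCA') | Out-Null
        Invoke-Certutil @('-dc', $dc, '-dspublish', '-f', $cer, 'SubCA')    | Out-Null
    }
}

# Check: read the NTAuthCertificates object back from each account forest over LDAP and
# confirm every issuing CA thumbprint is present. A CA missing from NTAuth cannot be used
# for domain authentication (for example smart card logon) by members of that forest.
$expected = @($issuingCers | ForEach-Object { Get-CertThumbprint $_ })
foreach ($dc in $AccountForestDCs) {
    $configNc  = ([ADSI]"LDAP://$dc/RootDSE").Properties['configurationNamingContext'].Value
    $ntAuth    = [ADSI]"LDAP://$dc/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
    $published = @($ntAuth.Properties['cACertificate'] | ForEach-Object { Get-CertThumbprint ([byte[]]$_) })
    foreach ($tp in $expected) {
        $state = if ($published -contains $tp) { 'published' } else { 'MISSING' }
        Write-Output ('{0}: NTAuthCertificates {1} {2}' -f $dc, $tp, $state)
    }
}
```

Run it from a domain member that can reach a domain controller in every account forest; the read-back works even if the publish was done by hand, so it doubles as a post-deployment check.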

Next, you must prepare certificate templates for the certificates required by domain member computers and users in all forests.

If you are performing a new AD CS deployment, the default certificate templates in the resource forest can be used or custom templates can be created to meet your requirements.

Notes
• Review the list of Default certificate templates.
• Creating custom certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information,

To use the default certificate templates in the resource forest, skip the section on Consolidating certificate templates and continue at Copying PKI objects to account forests.

To customize the default certificate templates, see Creating Certificate Templates. Continue at Copying PKI objects to account forests after you are finished customizing the certificate templates in the resource forest.

If you are consolidating AD CS from multiple forests that have custom certificate templates which you must continue to use, then review the next section, Consolidating certificate templates from multiple forests, and complete the procedures that best meet your requirements.

Consolidating certificate templates from multiple forests

Because AD CS deployments can vary greatly, the exact steps you must take to consolidate your existing certificate templates cannot be described in this guide.

The goal is to reduce the number of CAs and certificate templates in a multiforest environment by creating a set of certificate templates issued by resource forest CAs that provide certificates to domain members in all forests.

Based on the number of forests and certificate templates in your environment, the timeframe you have to complete AD CS consolidation, and the requirements of your organization, you can use a combination of procedures described in this section to define the set of certificate templates issued by your resource forest CAs.

For each certificate template you plan to issue from the resource forest, consider which of the following methods best meets the goals and requirements of your organization and complete the procedures described in that section.

• Copying account forest certificate templates into the resource forest
• Consolidating certificate templates with similar purposes from multiple account forests
• Consolidating version 2 and version 3 default certificate templates
• Consolidating version 1 default certificate templates

The procedures described in this section require the Windows PowerShell script PKISync.ps1. Complete the procedure To Save PKISync.ps1 to a file.

Copying account forest certificate templates into the resource forest

The simplest way to consolidate AD CS from multiple forests into a single resource forest is to copy the certificate templates from all account forests into the resource forest and configure AD CS to issue certificates from the resource forest. Because all certificate templates remain available, the rate of certificate enrollment remains steady and there is no impact to users.

This method reduces the number of CAs in the enterprise but the resource forest might have multiple certificate templates for some types of certificates; for example, if certificate templates for S/MIME certificates are copied from multiple account forests into the resource forest.

Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions.

The procedure must be completed for each certificate template you want to copy into the resource forest. You cannot copy multiple certificate templates simultaneously.

To copy certificate templates from an account forest to the resource forest

1. Start Windows PowerShell. Change the current directory to the location of the PKISync.ps1 script.

2. Copy the certificate template from the account forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn .

   Note
   If a certificate template in the resource forest has the same name as the certificate template you want to copy from the account forest, you must rename the certificate template in the account forest before copying the template to the resource forest. See Rename a Certificate Template.

3. Copy the OID container from the account forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f and press ENTER.

4. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.

5. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.

6. Publish the root CA certificate from the account forest to the resource forest by using Certutil.exe at a command prompt to run the following commands:
   a. certutil -config \ -ca.cert
      If you are logged on to the CA you can omit the connection information, -config \, to connect to the local CA.
   b. certutil -dspublish -f RootCA

7. Publish enterprise CA certificates from the account forest into the NTAuthCertificates and AIA containers in the resource forest.
   a. certutil -config \ -ca.cert
   b. certutil -dspublish -f NTAuthCA
   c. certutil -dspublish -f SubCA

   Note
   Steps 6 and 7 are required because renewal requests can be signed by certificates issued by CAs in the account forests. The CA certificates from the account forests are required for certificates issued in the account forests to be valid in the resource forest.

8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.

9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type CA -cn -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn -f.

11. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.

Consolidating certificate templates with similar purposes from multiple account forests

Instead of combining certificate templates from all account forests and managing redundant certificate templates (as described in the previous section), you can minimize the number of certificate templates in the resource forest by reviewing the certificate templates issued in each account forest based on cryptographic purpose and certificate template properties. Define a set of certificate templates for the resource forest that can replace all certificate templates in the account forests.

When consolidating certificate templates from multiple account forests into a single set of templates in the resource forest, two approaches are available.

1. Stop issuing certificates in account forests by removing all certificate templates from account forest CAs, and publish certificate templates in the resource forest for all certificate types required in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose are found in a user's certificate store, which might result in a user prompt for certificate selection and possibly increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest PKI.

2. Publish certificate templates in the resource forest which supersede certificate templates in account forests, and force immediate reenrollment. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time. However, AD CS resources in account forests can be decommissioned sooner.

The procedure To consolidate certificate templates can be used for both approaches. Steps for superseding are noted.

Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions.

The procedure must be completed for each certificate template type you want to issue from the resource forest.

To consolidate certificate templates

1. Copy certificate templates from account forests by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn .

2. Copy the OID container from account forests by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f.

3. If you are superseding certificate templates from account forests, repeat steps 1 and 2 for all certificate templates in account forests that are superseded by the new certificate template in the resource forest.

4. Duplicate a certificate template you copied from an account forest, and customize if necessary. See Creating Certificate Templates.

5. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.

6. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.

7. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.

8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.

9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type CA -cn -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

   Note
   If you are superseding certificate templates from account forests, repeat steps 9 through 12 for each account forest you copied certificate templates from in step 1.

10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Template -cn -f.

11. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest -targetforest -type Oid -f.

12. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
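An added PowerShell check, not part of the white paper and not PKISync.ps1, that serves both the copy procedure (Copying account forest certificate templates into the resource forest) and the consolidation procedure just above: run before the template copy, it reports account-forest templates whose name already exists in the resource forest under a different OID (the case the Note under step 2 warns about); run after the Template and Oid copies, it reports templates whose msPKI-Enterprise-Oid object never reached the target OID container, and templates whose revision has drifted between the two forests. The two domain controller names are hypothetical, and the script assumes the ActiveDirectory module is installed.

```powershell
# Added example (not PKISync.ps1 and not from the white paper): compare the Certificate
# Templates and OID containers of two forests. Swap the two DC names to check the reverse
# direction (steps 9 through 12, resource forest back to an account forest).
# Both DC names are hypothetical placeholders.
Import-Module ActiveDirectory
$SourceDc = 'dc1.fabrikam.com'       # account forest, read as the source
$TargetDc = 'dc1.corp.contoso.com'   # resource forest, read as the target

# DN of a Public Key Services child container ('Certificate Templates' or 'OID') in the forest behind $Dc.
function Get-PkiContainerDn {
    param([string]$Dc, [string]$Container)
    $configNc = (Get-ADRootDSE -Server $Dc).configurationNamingContext
    "CN=$Container,CN=Public Key Services,CN=Services,$configNc"
}

# All pKICertificateTemplate objects of a forest with the attributes PKISync copies and that tend to drift.
function Get-ForestTemplates {
    param([string]$Dc)
    Get-ADObject -Server $Dc -SearchBase (Get-PkiContainerDn $Dc 'Certificate Templates') `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version', 'revision', 'msPKI-Template-Minor-Revision'
}

# Template OIDs registered in the forest's OID container (what "-type Oid" copies).
function Get-ForestTemplateOids {
    param([string]$Dc)
    Get-ADObject -Server $Dc -SearchBase (Get-PkiContainerDn $Dc 'OID') `
        -LDAPFilter '(objectClass=msPKI-Enterprise-Oid)' -Properties 'msPKI-Cert-Template-OID' |
        ForEach-Object { $_.'msPKI-Cert-Template-OID' } | Where-Object { $_ }
}

function Compare-PkiTemplates {
    param([string]$SourceDc, [string]$TargetDc)
    $targetByName = @{}
    foreach ($t in Get-ForestTemplates $TargetDc) { $targetByName[$t.Name] = $t }
    $targetOids = @(Get-ForestTemplateOids $TargetDc)

    foreach ($src in Get-ForestTemplates $SourceDc) {
        $oid = $src.'msPKI-Cert-Template-OID'      # empty for version 1 templates
        $dst = $targetByName[$src.Name]
        $status = if (-not $dst) {
            'NotInTarget'
        } elseif ($oid -and $dst.'msPKI-Cert-Template-OID' -ne $oid) {
            'NameCollision'      # same CN, different template OID: rename in the source forest before copying
        } elseif ($oid -and $targetOids -notcontains $oid) {
            'OidObjectMissing'   # template copied but the OID container was not synced (-type Oid)
        } elseif ($dst.revision -ne $src.revision -or
                  $dst.'msPKI-Template-Minor-Revision' -ne $src.'msPKI-Template-Minor-Revision') {
            'RevisionDrift'      # edited on one side since the last copy
        } else {
            'InSync'
        }
        [pscustomobject]@{
            Template = $src.Name
            Schema   = $src.'msPKI-Template-Schema-Version'
            Oid      = $oid
            Status   = $status
        }
    }
}

Compare-PkiTemplates -SourceDc $SourceDc -TargetDc $TargetDc | Format-Table -AutoSize
```

Default version 2 and version 3 templates share names across forests but carry forest-specific OIDs, so they show up as NameCollision; that is expected and is why the next section handles default templates separately.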

Consolidating version 2 and version 3 default certificate templates

Because default certificate templates have the same names in all forests, the simplest approach to consolidating version 2 and version 3 default certificate templates from multiple forests is to use the default certificate templates in the resource forest and stop issuing certificates based on the default templates in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose in a user's profile might result in a user prompt for certificate selection, which could cause increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest.

Alternatively, you can supersede existing certificates in account forests by creating new certificate templates in the resource forest and configuring them to supersede certificate templates in all account forests. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time; however, AD CS resources in account forests can be decommissioned immediately.

    1. Duplicate a version 2 or version 3 default certificate template, and customize if

    necessary. See Creating Certificate Templates.

    2. Grant administrators permissions on the certificate template in the resource forest.

    Grant Full control to Enterprise admins group, which is the equivalent of default

    certificate template permissions. Alternatively, you can define custom permissions

    according to your organizations security policy. See the Security Tab section of

    Extensions Tab.

    3. Grant domain members permissions on the certificate template in the resource

    forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all

    account forests. See the Security Tab section of Administering Certificate Templates.

    4. (Optional) Supersede certificate templates from account forests by using the

    Certificate Templates snap-in to add all superseded certificate templates from account

    forests to the Superseded templates tab on the certificate template properties sheet.

    See Supersede Templates.

    5. Assign the certificate template to an enterprise CA in the resource forest. See Add

    a Certificate Template to a Certification Authority.

    6. Copy the assigned enterprise CA object from the resource forest by using the
    command .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS>
    -type CA -cn <CASanitizedName> -f. To
    determine the CA sanitized name, log on to the CA, start a command prompt, type
    Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

    Note

    If you are superseding certificate templates from account forests, repeat steps 6

    through 9 for each account forest you copied certificate templates from in step 1.

    7. Copy the certificate template object from the resource forest by using the command
    .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS> -type Template -cn <TemplateName> -f

    8. Copy the OID container from the resource forest by using the command
    .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS> -type Oid -f

    9. Remove the old certificate template from enterprise CAs in the account forest by

    using the Certification Authority snap-in. Click Certificate Templates, right-click the

    old certificate template, and click Delete.

    Consolidating version 1 default certificate templates

    For each version 1 default certificate template you want to issue, complete the following procedure.

    To consolidate version 1 default certificate templates

    1. Grant domain members permissions on the certificate template in the resource

    forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all

    account forests. See the Security Tab section of Administering Certificate Templates.

    2. Assign the certificate template to an enterprise CA in the resource forest. See Add

    a Certificate Template to a Certification Authority.

    3. Copy the assigned enterprise CA object from the resource forest by using the
    command .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS>
    -type CA -cn <CASanitizedName> -f. To
    determine the CA sanitized name, log on to the CA, start a command prompt, type
    Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

    4. Copy the certificate template object from the resource forest by using the command
    .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS> -type Template -cn <TemplateName> -f

    5. Copy the OID container from the resource forest by using the command
    .\PKISync.ps1 -sourceforest <ResourceForestDNS> -targetforest <AccountForestDNS> -type Oid -f

    6. Remove the old certificate template from enterprise CAs in the account forest by

    using the Certification Authority snap-in. Click Certificate Templates, right-click the

    old certificate template, and click Delete.

    Copying PKI objects to account forests

    Certificate enrollment objects in AD DS environments are stored in three containers which must
    be copied from the resource forest to account forests to maintain consistency across all forests
    that are participating in cross-forest certificate enrollment. A Windows PowerShell script is
    provided for copying and managing the following PKI objects in AD DS:

    Enrollment services

    Certificate templates

    OID

    In the cross-forest enrollment deployments described in this guide, the resource forest holds the
    master copy of the PKI objects. The PKI objects described in this section must be the same in all
    forests. To maintain consistency across all forests, copy PKI objects from the resource forest to
    the account forests frequently. Scripts and examples for automated copying are described in AD CS:
    Managing Cross-forest Certificate Enrollment.

    You can use PKISync.ps1 during initial deployment and to keep resource and account forest PKI
    objects synchronized.

    PKISync.ps1 copies objects in the source forest to the target forest. Objects in the source forest
    are not changed by script operations.


    CA certificates are not copied by PKISync.ps1. When CA certificates are renewed, you must

    manually publish the CA certificates to account forests by using the commands described in

    Deploying AD CS for cross-forest certificate enrollment.

    First, complete the procedure to save PKISync.ps1 to a file, as described in AD CS: PKISync.ps1
    Script for Cross-forest Certificate Enrollment.

    Next, complete the following procedure.

    To copy PKI objects by using PKISync.ps1

    1. Start Windows PowerShell.

    2. Type .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS>
    [-f] and press ENTER. When copying from the resource forest,
    <SourceForestDNS> is the DNS name of the resource forest and <TargetForestDNS> is
    the DNS name of an account forest.

    Warning

    [-f] is an optional argument. When [-f] is used, each object that already exists in
    <TargetForestDNS> is deleted and recreated from the object with the same name in
    <SourceForestDNS>. When [-f] is not used, existing objects in the target forest are left
    unchanged and the script reports "Object exists, use -f to overwrite" for each of them; only
    objects that are missing from the target forest are created. In either mode the script only
    processes objects that exist in the source forest, so an object that exists only in the target
    forest is never removed; use -deleteOnly to remove such stale objects.

    3. Repeat for each account forest.
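    The following wrapper is an added example and is not part of the white paper or of PKISync.ps1; it drives the script for every account forest and serves both the per-template steps 6 to 8 of the consolidation procedures above and the full copy procedure just described. It previews each forest with -whatif, logs what is missing, then applies with -f and counts the "Error while copying" warnings. The forest names, the template and CA names in the usage lines, and the log location are placeholders; it assumes PKISync.ps1 is saved next to this script and that the account running it has write permission on CN=Public Key Services in each account forest.

```powershell
# Added example: drives PKISync.ps1 (from this guide) for every account forest.
# Placeholders: forest names, template/CA names in the usage lines, log path.
$ResourceForest = "corp.example.com"                                   # placeholder
$AccountForests = @("accounts1.example.com", "accounts2.example.com")  # placeholders
$PKISync        = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "PKISync.ps1"
$LogFile        = Join-Path $env:ProgramData "PKISync\PKISync.log"     # placeholder

function Write-Log([string]$Message)
{
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Runs PKISync.ps1 in a child powershell.exe and returns its console output as
# strings. PKISync.ps1 reports with write-host and write-warning; the console
# host writes both to standard output, so a child process captures them on any
# PowerShell version (PowerShell 2.0 cannot redirect the warning stream).
function Invoke-PKISync([string[]]$SyncArgs)
{
    $output = & powershell.exe -NoProfile -NonInteractive -File $PKISync @SyncArgs 2>&1
    return @($output | ForEach-Object { "$_" })
}

# Steps 6 to 8 of the consolidation procedures: CA object, template, OID container.
function Publish-ConsolidatedTemplate([string]$TemplateName, [string]$CASanitizedName)
{
    foreach ($forest in $AccountForests)
    {
        $common = @("-sourceforest", $ResourceForest, "-targetforest", $forest)
        Write-Log "Publishing template '$TemplateName' (CA '$CASanitizedName') to $forest"
        Invoke-PKISync ($common + @("-type", "CA", "-cn", $CASanitizedName, "-f"))   | ForEach-Object { Write-Log "  $_" }
        Invoke-PKISync ($common + @("-type", "Template", "-cn", $TemplateName, "-f")) | ForEach-Object { Write-Log "  $_" }
        Invoke-PKISync ($common + @("-type", "Oid", "-f"))                            | ForEach-Object { Write-Log "  $_" }
    }
}

# Full copy of all three containers: preview, log, overwrite. Returns one
# summary record per account forest.
function Sync-AllPKIObjects
{
    $summary = @()
    foreach ($forest in $AccountForests)
    {
        $common  = @("-sourceforest", $ResourceForest, "-targetforest", $forest)
        $preview = Invoke-PKISync ($common + @("-whatif"))
        $missing = @($preview | Where-Object { $_ -match '^Copying Object: ' })
        $present = @($preview | Where-Object { $_ -match 'Object exists, use -f to overwrite' })
        Write-Log ("{0}: {1} object(s) missing, {2} present and about to be overwritten" -f $forest, $missing.Count, $present.Count)
        $missing | ForEach-Object { Write-Log "  $_" }

        # -f deletes and recreates every existing object in the target, so this is
        # where a mistaken change in the resource forest gets replicated everywhere;
        # the preview logged above is what an operator reviews.
        $result = Invoke-PKISync ($common + @("-f"))
        $errors = @($result | Where-Object { $_ -match 'Error while cop' })
        $errors | ForEach-Object { Write-Log "  $_" }

        $summary += New-Object PSObject -Property @{
            Forest = $forest; Missing = $missing.Count; Present = $present.Count; Errors = $errors.Count
        }
    }
    return $summary
}

# Initial deployment or the daily run:
Sync-AllPKIObjects | Format-Table Forest, Missing, Present, Errors -AutoSize
# Per-template consolidation (placeholder names):
# Publish-ConsolidatedTemplate -TemplateName "CorpUserV2" -CASanitizedName "Corp-Issuing-CA"
```

    Run it interactively once per account forest during initial deployment and review the "missing" lines before trusting it to a scheduled task; the preview cannot detect attribute drift in objects that already exist, which is why the apply step always uses -f.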

    Support for CA Web Enrollment

    The following table describes the support for using CA Web Enrollment with CAs in the resource
    forest that are configured for cross-forest certificate enrollment.

    Forest CA Web Enrollment   CA Web Enrollment   Type of delegation   Is supported
    is hosted in               installed on CA
    Resource                   Yes                 Not required         Yes
    Resource                   No                  Computer             Yes
    Resource                   No                  Constrained          Yes
    Account                    No                  Computer             Yes
    Account                    No                  Constrained          No

    Constrained delegation in Windows Server 2008 R2 cannot cross a forest boundary, which is why
    the last row is unsupported. The rows marked Computer rely on trusting the web enrollment
    server's computer account for delegation to any service, a broader grant than constrained
    delegation; limit it to that dedicated server.

    Decommissioning CAs in account forests

    A goal of deploying cross-forest certificate enrollment is to reduce the number of CAs in an
    enterprise. After certificate templates have been removed from a CA in an account forest, the CA
    can be decommissioned. Before doing so, confirm that the certificates it issued have expired or
    been superseded, or that its CRLs and CA certificates remain published for as long as those
    certificates are in use. Complete the procedures described in the section Removing a CA from
    Active Directory in CA Maintenance.

    AD CS: Managing Cross-forest Certificate Enrollment

    Because cross-forest certificate enrollment requires that PKI objects in all forests are the same, it
    is necessary to copy PKI objects from the resource forest to the account forests whenever PKI
    objects in the resource forest are changed.

    You can perform this maintenance manually by completing the procedure described in Copying
    PKI objects to account forests.

    However, because manual processes are prone to error and might not be completed regularly or
    when PKI objects are changed, it is recommended to use an automated process based on the
    PKISync.ps1 script and the examples provided in this guide.

    Two examples of automation are described in this topic:

    Using a scheduled task

    Monitoring AD CS events

    Using a scheduled task

    The simplest method for maintaining PKI objects for cross-forest certificate enrollment is to run the
    PKISync.ps1 script in a scheduled task.

    For best results the task should run frequently. Because PKI objects are not changed frequently,
    copying them to account forests once daily should work well in most environments. Because the
    task copies with -f, any change to a template in the resource forest, intended or not, reaches
    every account forest on the next run; review changes to resource forest templates with that in mind.

    For information on using scheduled tasks, see
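    As an added example that is not from the white paper, the following registers the daily task with schtasks.exe, the tool available on Windows Server 2008 R2, and reads the registration back so that the run-as account and next run time can be verified. The task name, script path and service account are placeholders; the path must not contain spaces, and the account is assumed to be a dedicated one with write permission on CN=Public Key Services in each account forest rather than a member of Enterprise Admins.

```powershell
# Added example: register and verify a daily PKI object sync task.
$TaskName   = "ADCS-CrossForest-PKISync"
$ScriptPath = "C:\Scripts\Sync-PKIObjects.ps1"   # placeholder, no spaces in the path
$RunAsUser  = "CORP\svc-pkisync"                 # placeholder service account
$StartTime  = "02:00"

# No embedded quotes: schtasks receives the whole command as one /TR argument.
$Action = "powershell.exe -NoProfile -NonInteractive -File $ScriptPath"

function Register-PKISyncTask
{
    # /RP * makes schtasks prompt for the password instead of taking it on the
    # command line, where it would land in shell history and process listings.
    # /RL LIMITED: no elevated token; the AD writes are authorized by the
    # object DACLs in the account forests, not by local administrator rights.
    & schtasks.exe /Create /F /TN $TaskName /SC DAILY /ST $StartTime /RU $RunAsUser /RP * /RL LIMITED /TR $Action
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }
}

function Get-PKISyncTask
{
    # /FO CSV /V yields one verbose row per task; these columns are what to
    # check after registration and what a monitoring job should watch.
    $rows = & schtasks.exe /Query /TN $TaskName /FO CSV /V | ConvertFrom-Csv
    return $rows | Select-Object TaskName, "Run As User", "Next Run Time", "Last Run Time", "Last Result"
}

Register-PKISyncTask
Get-PKISyncTask | Format-List
```

    A non-zero "Last Result" after the first run is the signal to look at the sync log; the task itself does not report whether PKISync.ps1 warned about individual objects.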

    Monitoring AD CS events

    Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events
    that indicate a change to PKI objects.

    You must configure auditing on CAs for some AD CS events to be recorded in the event log.
    Complete the following procedure on each CA you want to monitor.

    To enable AD CS event auditing

    1. Start an MMC console and add the Group Policy Object Editor for the local computer.

    2. In the tree view, click Computer Configuration\Windows Settings\Security
    Settings\Local Policies\Audit Policy.

    3. In the details pane, double-click Audit object access.

    4. Click Success, then click OK.

    5. Start the Certification Authority snap-in.

    6. In the tree view, right-click your CA and click Properties.

    7. Click the Auditing tab.

    8. Click Change CA configuration and Change CA security settings, then click OK.

    9. Restart the CA service, for example with the command net stop certsvc && net start certsvc.
    (Unlike sc stop, net stop waits for the service to stop before the next command runs.)

    Note

    If a domain Group Policy object applies an audit policy to the CA, it overrides the local setting;
    make the change there instead. If Advanced Audit Policy Configuration is in use, enable Object
    Access\Audit Certification Services (Success) rather than the basic Audit object access setting.

    The following table lists events you can monitor.

    Event ID   Event log     Event source                                Description
    26         Application   Microsoft-Windows-CertificationAuthority    Active Directory Certificate Services for %1 was started.
    4882       Security      Microsoft-Windows-Security-Auditing         The security permissions for Certificate Services changed.
    4892       Security      Microsoft-Windows-Security-Auditing         A property of Certificate Services changed.
    4898       Security      Microsoft-Windows-Security-Auditing         Certificate Services loaded a template.
    4899       Security      Microsoft-Windows-Security-Auditing         A Certificate Services template was updated.
    4900       Security      Microsoft-Windows-Security-Auditing         Certificate Services template security was updated.

    Event 4900 matters because PKISync.ps1 copies the template DACL as well as the attributes; a
    permission change in the resource forest that is not copied leaves account forest clients
    evaluating a different set of Enroll and Autoenroll permissions than the CA enforces.
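    The following poller is an added example, not part of the white paper. It reads the events in the table (plus 4900, template security updated, because PKISync.ps1 copies the DACL) from a CA since the last poll, prints each one, and runs a full copy to every account forest when any were found. The state file, script path and forest names are placeholders; it assumes it runs on the CA (or on a host that can read the CA's Security log) under the account that runs the synchronization.

```powershell
# Added example: poll a CA's event logs and re-synchronize on PKI object changes.
$StateFile      = Join-Path $env:ProgramData "PKISync\last-poll.txt"    # placeholder
$PKISync        = "C:\Scripts\PKISync.ps1"                              # placeholder
$ResourceForest = "corp.example.com"                                    # placeholder
$AccountForests = @("accounts1.example.com", "accounts2.example.com")   # placeholders

# Security log IDs from the table, plus 4900 for template DACL changes.
# Application log 26 (CA started): the CA reloads templates at start, a cheap
# moment to confirm that the account forests are current.
$Filters = @(
    @{ LogName = "Security";    Id = 4882, 4892, 4898, 4899, 4900 },
    @{ LogName = "Application"; Id = 26; ProviderName = "Microsoft-Windows-CertificationAuthority" }
)

function Get-LastPollTime
{
    if (Test-Path $StateFile) { return [DateTime]::Parse((Get-Content $StateFile | Select-Object -First 1)) }
    return (Get-Date).AddHours(-24)   # first run: look back one day
}

function Get-PKIChangeEvents([DateTime]$Since)
{
    $events = @()
    foreach ($f in $Filters)
    {
        $filter = $f.Clone()
        $filter["StartTime"] = $Since
        # Get-WinEvent reports an error when nothing matches; treat that as empty.
        $events += @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }
    return $events | Sort-Object TimeCreated
}

function Invoke-FullSync
{
    foreach ($forest in $AccountForests)
    {
        & powershell.exe -NoProfile -NonInteractive -File $PKISync -sourceforest $ResourceForest -targetforest $forest -f
    }
}

$since  = Get-LastPollTime
$now    = Get-Date
$events = @(Get-PKIChangeEvents -Since $since)

foreach ($e in $events)
{
    # The first message line is the event summary, e.g. "A Certificate Services template was updated."
    $summary = ($e.Message -split "`r?`n")[0]
    Write-Host ("{0:u} {1} {2}: {3}" -f $e.TimeCreated, $e.LogName, $e.Id, $summary)
}

if ($events.Count -gt 0)
{
    Write-Host ("{0} change event(s) since {1:u}; running PKISync for {2} account forest(s)" -f $events.Count, $since, $AccountForests.Count)
    Invoke-FullSync
}

# Record the poll time only after the sync ran, so a failed run is retried next time.
$dir = Split-Path -Parent $StateFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Set-Content -Path $StateFile -Value $now.ToString("o")
```

    Schedule it every few minutes on the CA. Events 4882 and 4892 describe CA configuration rather than the AD objects the script copies, so in a noisy environment the Security filter can be reduced to 4898, 4899 and 4900 without missing an object change.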

    Using automation

    Detailed instructions for configuring automation are not provided in this document.
    Use the guidance and script provided in this document and any of the following systems to
    develop a solution that meets the requirements of your organization:

    System Center Operations Manager can be used to monitor your CAs for events and alert
    administrators or run custom scripts or code in response to specified events.

    Windows and Directory Access APIs can be used to subscribe to events on your CA and
    run custom code to manage PKI objects in AD DS.

    Microsoft Forefront Identity Manager or Microsoft Identity Lifecycle Manager can be used to
    synchronize PKI objects in account forests with objects in the resource forest. See Microsoft
    Forefront Identity Manager.

    AD CS: Troubleshooting Cross-forest Certificate Enrollment

    Common problems and resolutions related to using AD CS for cross-forest certificate enrollment
    are described in this section.

    PKI object synchronization issues

    If the PKI objects are not the same in all forests, a number of problems can occur during
    certificate enrollment. For example, domain members may receive errors indicating certificate
    template version number inconsistencies.

    You must ensure that the same set of PKI objects and certificate templates exist in all forests and
    that the attribute values on each object are the same across forests.

    To compare the objects in two forests, use the command .\PKISync.ps1 -sourceforest
    <SourceForestDNS> -targetforest <TargetForestDNS> -whatif. With the -whatif switch,
    the script displays the objects that would be copied but does not copy them. If the output for an
    object does not include the message "Object exists, use -f to overwrite", then the object exists
    in <SourceForestDNS> but not in <TargetForestDNS>. Note that -whatif only reports which
    objects are present; it does not compare attribute values.

    To display an object's attribute values, use the DumpADObj.ps1 script included in this guide.
    See AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment.

    To compare the attribute values of two objects in different forests, run DumpADObj.ps1 for
    each object and use a file comparison program such as WinDiff.exe to compare the two output
    files. If WinDiff.exe is not included in the version of Windows you are using, see Windows XP
    Service Pack 2 Support Tools.

    To display the PKI objects in AD DS, use the command certutil -viewstore [].

    To view root CA certificates, use certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority" []

    To view enterprise CA certificates in the NTAuthCertificates container, use certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate" []

    To view enterprise CA certificates in the AIA container, use certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority" [].
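    The following comparison is an added example and is not from the white paper; it does not use DumpADObj.ps1 but reads the same template object from two forests directly and lists every attribute, and the DACL, that differs, which is the check behind the "template version number inconsistencies" described above. The forest names and template CN are placeholders; it assumes both forests are reachable over LDAP and that the caller can read the Configuration partition of each.

```powershell
# Added example: report attribute and DACL differences for one certificate
# template between two forests.
$SourceForest = "corp.example.com"       # placeholder
$TargetForest = "accounts1.example.com"  # placeholder
$TemplateName = "User"                   # placeholder: the object CN, not the display name

# Attributes that drive enrollment decisions. revision and
# msPKI-Template-Minor-Revision are what produce template version errors.
$TemplateAttributes = @(
    "displayName", "flags", "revision",
    "msPKI-Template-Schema-Version", "msPKI-Template-Minor-Revision",
    "msPKI-Cert-Template-OID", "msPKI-Enrollment-Flag", "msPKI-Private-Key-Flag",
    "msPKI-Certificate-Name-Flag", "msPKI-RA-Signature", "msPKI-Minimal-Key-Size",
    "msPKI-Certificate-Application-Policy", "msPKI-Supersede-Templates",
    "pKIDefaultKeySpec", "pKIKeyUsage", "pKIExtendedKeyUsage",
    "pKIExpirationPeriod", "pKIOverlapPeriod", "pKICriticalExtensions", "pKIDefaultCSPs"
)

function Get-TemplateEntry([string]$Forest, [string]$Cn)
{
    # RootDSE gives the Configuration NC DN without assuming it matches the DNS name.
    $configNC = [string]([adsi]"LDAP://$Forest/RootDSE").configurationNamingContext
    $path = "LDAP://$Forest/CN=$Cn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path))
    {
        throw "Template '$Cn' does not exist in $Forest ($path)"
    }
    return [adsi]$path
}

# Normalizes a property value so that binary, multi-valued and missing values
# compare as strings: byte[] as hex, arrays sorted and joined, $null as a marker.
function ConvertTo-Comparable($Value)
{
    if ($null -eq $Value)    { return "<not set>" }
    if ($Value -is [byte[]]) { return [BitConverter]::ToString($Value) }
    if ($Value -is [array])  { return (($Value | ForEach-Object { "$_" } | Sort-Object) -join ";") }
    return "$Value"
}

function Compare-PKITemplate([string]$Cn, [string]$Forest1, [string]$Forest2)
{
    $a = Get-TemplateEntry $Forest1 $Cn
    $b = Get-TemplateEntry $Forest2 $Cn
    $differences = @()
    foreach ($attr in $TemplateAttributes)
    {
        $va = ConvertTo-Comparable $a.psbase.Properties[$attr].Value
        $vb = ConvertTo-Comparable $b.psbase.Properties[$attr].Value
        if ($va -ne $vb)
        {
            $differences += New-Object PSObject -Property @{ Attribute = $attr; $Forest1 = $va; $Forest2 = $vb }
        }
    }
    # PKISync.ps1 copies only the DACL of the security descriptor, so compare exactly that.
    $sa = $a.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm("Access")
    $sb = $b.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm("Access")
    if ($sa -ne $sb)
    {
        $differences += New-Object PSObject -Property @{ Attribute = "DACL (SDDL)"; $Forest1 = $sa; $Forest2 = $sb }
    }
    return $differences
}

$diff = @(Compare-PKITemplate -Cn $TemplateName -Forest1 $SourceForest -Forest2 $TargetForest)
if ($diff.Count -eq 0) { Write-Host "Template '$TemplateName' is identical in $SourceForest and $TargetForest" }
else { $diff | Format-List Attribute, $SourceForest, $TargetForest }
```

    A DACL difference deserves the same attention as an attribute difference: autoenrollment clients in an account forest decide what to request from the copy in their own forest, while the CA enforces the copy in the resource forest, so a mismatch produces requests that are denied, or certificates that are never requested.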

    Public key containers or default certificate templates deleted

    Problem: Default containers or certificate templates have been deleted from the Public Key
    Services container in AD DS.

    Resolution: The default containers, objects and certificate templates can be installed to AD DS
    at any time by using the command certutil.exe -installdefaulttemplates, run by a member of
    Enterprise Admins. Only the default containers, objects and certificate templates are installed.
    Custom certificate templates cannot be restored by using certutil.exe. You should also implement
    a backup solution for AD DS. See Active Directory Backup and Restore in Windows Server 2008 in
    TechNet Magazine.

    Certutil connection errors when connecting to a CA

    Problem: When you run the commands certutil -config <CAConfig> -ca.cert <OutputFile>
    or certutil -config <CAConfig> -ping, where <CAConfig> is of the form
    CAHostName\CACommonName, the command fails and displays an error message:

    CertUtil: The RPC server is unavailable.

    OR

    CertUtil: Access is denied.

    Resolution: Add the user running the command to the CERTSVC_DCOM_ACCESS security
    group on the CA specified in <CAConfig>. For cross-forest enrollment this group must also
    contain the users and computers from the account forests that enroll against the CA. If the
    error is The RPC server is unavailable, also verify that the CA service is running and that
    RPC (TCP port 135 and the dynamic DCOM port range) is reachable from the client.

    AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment

    PKISync.ps1 copies objects in the source forest to the target forest.

    In cross-forest AD CS deployments, use PKISync.ps1 during initial deployment and to keep
    resource and account forest PKI objects synchronized. Because the script writes to the
    Configuration partition of every account forest, sign it and run it under an execution policy
    that permits signed scripts rather than lowering the policy on the computer that runs it.

    Saving PKISync.ps1

    To save PKISync.ps1 to a file

    1. Copy the code section that follows.

    2. Start Notepad.

    3. On the Edit menu, click Paste.

    4. On the File menu, click Save.

    5. Type a path for the file, type the file name PKISync.ps1, and click Save.

    #
    # This script allows updating PKI objects in Active Directory for
    # cross-forest certificate enrollment.
    #
    # This sample script is not supported under any Microsoft standard support
    # program or service. This sample script is provided AS IS without warranty of
    # any kind. Microsoft further disclaims all implied warranties including,
    # without limitation, any implied warranties of merchantability or of fitness
    # for a particular purpose. The entire risk arising out of the use or
    # performance of the sample scripts and documentation remains with you. In no
    # event shall Microsoft, its authors, or anyone else involved in the creation,
    # production, or delivery of the scripts be liable for any damages whatsoever
    # (including, without limitation, damages for loss of business profits, business
    # interruption, loss of business information, or other pecuniary loss) arising
    # out of the use of or inability to use this sample script or documentation,
    # even if Microsoft has been advised of the possibility of such damages.
    #

    #
    # Command line variables
    #
    $SourceForestName = ""
    $TargetForestName = ""
    $SourceDC = ""
    $TargetDC = ""
    $ObjectType = "all"
    $ObjectCN = $null
    $DryRun = $FALSE
    $DeleteOnly = $FALSE
    $OverWrite = $FALSE

    function ParseCommandLine()
    {
        if (2 -gt $Script:args.Count)
        {
            write-warning "Not enough arguments"
            Usage
            exit 87
        }

        for($i = 0; $i -lt $Script:args.Count; $i++)
        {
            switch($Script:args[$i].ToLower())
            {
                "-sourceforest"
                {
                    $i++
                    $Script:SourceForestName = $Script:args[$i]
                }
                "-targetforest"
                {
                    $i++
                    $Script:TargetForestName = $Script:args[$i]
                }
                "-cn"
                {
                    $i++
                    $Script:ObjectCN = $Script:args[$i]
                }
                "-type"
                {
                    $i++
                    $Script:ObjectType = $Script:args[$i].ToLower()
                }
                "-f"
                {
                    $Script:OverWrite = $TRUE
                }
                "-whatif"
                {
                    $Script:DryRun = $TRUE
                }
                "-deleteonly"
                {
                    $Script:DeleteOnly = $TRUE
                }
                "-targetdc"
                {
                    $i++
                    $Script:TargetDC = $Script:args[$i]
                }
                "-sourcedc"
                {
                    $i++
                    $Script:SourceDC = $Script:args[$i]
                }
                default
                {
                    write-warning ("Unknown parameter: " + $Script:args[$i])
                    Usage
                    exit 87
                }
            }
        }
    }

    function Usage()
    {
        write-host ""
        write-host "Script to copy or delete PKI objects (default is copy)"
        write-host ""
        write-host " Copy Command:"
        write-host ""
        write-host " .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-sourceDC <SourceDCDNS>] [-targetDC <TargetDCDNS>] [-type <ObjectType> [-cn <ObjectCN>]] [-f] [-whatif]"
        write-host ""
        write-host " Delete Command:"
        write-host ""
        write-host " .\PKISync.ps1 -targetforest <TargetForestDNS> [-targetDC <TargetDCDNS>] [-type <ObjectType> [-cn <ObjectCN>]] [-deleteOnly] [-whatif]"
        write-host ""
        write-host "-sourceforest -- DNS name of the forest to copy objects from"
        write-host "-targetforest -- DNS name of the forest to copy objects to (or delete objects in)"
        write-host "-sourcedc     -- DNS name of the DC in the source forest to read objects from"
        write-host "-targetdc     -- DNS name of the DC in the target forest to write objects to"
        write-host "-type         -- Type of object to process; if omitted, all object types are processed"
        write-host "                 CA       -- Process CA (enrollment service) object(s)"
        write-host "                 Template -- Process certificate template object(s)"
        write-host "                 OID      -- Process OID object(s)"
        write-host '-cn           -- Common name of the object to process, without the cn= prefix (ie "User" and not "CN=User")'
        write-host "                 This option is only valid if -type is also specified"
        write-host "-f            -- Force overwrite of existing objects when copying. Ignored when deleting."
        write-host "-whatif       -- Display what object(s) would be processed without processing them"
        write-host "-deleteOnly   -- Delete the object in the target forest if it exists"
        write-host ""
    }

    #
    # Build a list of attributes to copy for some object type
    #
    function GetSchemaSystemMayContain($ForestContext, $ObjectType)
    {
        #
        # first get all attributes that are part of the systemMayContain list
        #
        $SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectType).GetDirectoryEntry()
        $SystemMayContain = $SchemaDE.systemMayContain

        #
        # if the schema was upgraded with adprep.exe, we need to check the mayContain list as well
        #
        if($null -ne $SchemaDE.mayContain)
        {
            $MayContain = $SchemaDE.mayContain
            foreach($attr in $MayContain)
            {
                # [void] keeps the index returned by Add() out of the function output
                [void]$SystemMayContain.Add($attr)
            }
        }

        #
        # special case some of the inherited attributes
        #
        if (-1 -eq $SystemMayContain.IndexOf("displayName"))
        {
            [void]$SystemMayContain.Add("displayName")
        }
        if (-1 -eq $SystemMayContain.IndexOf("flags"))
        {
            [void]$SystemMayContain.Add("flags")
        }
        if ($ObjectType.ToLower().Contains("template") -and -1 -eq $SystemMayContain.IndexOf("revision"))
        {
            [void]$SystemMayContain.Add("revision")
        }

        return $SystemMayContain
    }

    #
    # Copy or delete all objects of some type
    #
    function ProcessAllObjects($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN)
    {
        $SourceObjectsDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
        $ObjectCN = $null

        foreach($ChildNode in $SourceObjectsDE.psbase.get_Children())
        {
            # if some object fails, we will try to continue with the rest
            trap
            {
                # CN may be null here, but that is ok. Doing best effort.
                write-warning ("Error while copying an object. CN=" + $ObjectCN)
                write-warning $_
                write-warning $_.InvocationInfo.PositionMessage
                continue
            }

            $ObjectCN = $ChildNode.psbase.Properties["cn"].Value
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE $RelativeDN $ObjectCN
            $ObjectCN = $null
        }
    }

    #
    # Copy or delete an object
    #
    function ProcessObject($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN, $ObjectCN)
    {
        $SourceObjectContainerDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
        $TargetObjectContainerDE = $TargetPKIServicesDE.psbase.get_Children().find($RelativeDN)

        #
        # when copying make sure there is an object to copy
        #
        if($FALSE -eq $Script:DeleteOnly)
        {
            $DSSearcher = [System.DirectoryServices.DirectorySearcher]$SourceObjectContainerDE
            $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
            $SearchResult = $DSSearcher.FindAll()
            if (0 -eq $SearchResult.Count)
            {
                write-host ("Source object does not exist: CN=" + $ObjectCN + "," + $RelativeDN)
                return
            }
            $SourceObjectDE = $SourceObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
        }

        #
        # Check to see if the target object exists; if it does, delete it if overwrite is
        # enabled. Also delete if this is a deletion only operation.
        #
        $DSSearcher = [System.DirectoryServices.DirectorySearcher]$TargetObjectContainerDE
        $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
        $SearchResult = $DSSearcher.FindAll()
        if ($SearchResult.Count -gt 0)
        {
            $TargetObjectDE = $TargetObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
            if($Script:DeleteOnly)
            {
                write-host ("Deleting: " + $TargetObjectDE.DistinguishedName)
                if($FALSE -eq $DryRun)
                {
                    $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
                }
                return
            }
            elseif ($Script:OverWrite)
            {
                write-host ("OverWriting: " + $TargetObjectDE.DistinguishedName)
                if($FALSE -eq $DryRun)
                {
                    $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
                }
            }
            else
            {
                write-warning ("Object exists, use -f to overwrite. Object: " + $TargetObjectDE.DistinguishedName)
                return
            }
        }
        else
        {
            if($Script:DeleteOnly)
            {
                write-warning ("Can't delete object. Object doesn't exist. Object: " + $ObjectCN + ", " + $TargetObjectContainerDE.DistinguishedName)
                return
            }
            else
            {
                write-host ("Copying Object: " + $SourceObjectDE.DistinguishedName)
            }
        }

        #
        # Only update the object if this is not a dry run
        #
        if($FALSE -eq $DryRun -and $FALSE -eq $Script:DeleteOnly)
        {
            # Create new AD object
            $NewDE = $TargetObjectContainerDE.psbase.get_Children().Add("CN=" + $ObjectCN, $SourceObjectDE.psbase.SchemaClassName)

            # Obtain systemMayContain for the object type from the AD schema
            $ObjectMayContain = GetSchemaSystemMayContain $SourceForestContext $SourceObjectDE.psbase.SchemaClassName

            # Copy attributes defined in the systemMayContain for the object type
            foreach($Attribute in $ObjectMayContain)
            {
                $AttributeValue = $SourceObjectDE.psbase.Properties[$Attribute].Value
                if ($null -ne $AttributeValue)
                {
                    $NewDE.psbase.Properties[$Attribute].Value = $AttributeValue
                    $NewDE.psbase.CommitChanges()
                }
            }

            # Copy the security descriptor to the new object. Only the DACL is copied,
            # so the target object carries the same enrollment permissions as the source.
            $BinarySecurityDescriptor = $SourceObjectDE.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()
            $NewDE.psbase.ObjectSecurity.SetSecurityDescriptorBinaryForm($BinarySecurityDescriptor, [System.Security.AccessControl.AccessControlSections]::Access)
            $NewDE.psbase.CommitChanges()
        }
    }

    #
    # Get parent container for all PKI objects in the AD
    #
    function GetPKIServicesContainer([System.DirectoryServices.ActiveDirectory.DirectoryContext]$ForestContext, $dcName)
    {
        $ForObj = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
        $DE = $ForObj.RootDomain.GetDirectoryEntry()
        if("" -ne $dcName)
        {
            $newPath = [System.Text.RegularExpressions.Regex]::Replace($DE.psbase.Path, "LDAP://\S*/", "LDAP://" + $dcName + "/")
            $DE = New-Object System.DirectoryServices.DirectoryEntry $newPath
        }
        $PKIServicesContainer = $DE.psbase.get_Children().find("CN=Public Key Services,CN=Services,CN=Configuration")
        return $PKIServicesContainer
    }

    #########################################################
    # Main script code
    #########################################################

    #
    # All errors are fatal by default unless there is another 'trap' with 'continue'
    #
    trap
    {
        write-error "The script has encountered a fatal error. Terminating script."
        break
    }

    ParseCommandLine

    #
    # Get a hold of the containers in each forest
    #
    write-host ("Target Forest: " + $TargetForestName.ToUpper())
    $TargetForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $TargetForestName
    $TargetPKIServicesDE = GetPKIServicesContainer $TargetForestContext $Script:TargetDC

    # Only need source forest when copying
    if($FALSE -eq $Script:DeleteOnly)
    {
        write-host ("Source Forest: " + $SourceForestName.ToUpper())
        $SourceForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $SourceForestName
        $SourcePKIServicesDE = GetPKIServicesContainer $SourceForestContext $Script:SourceDC
    }
    else
    {
        $SourcePKIServicesDE = $TargetPKIServicesDE
    }

    if("" -ne $ObjectType) {write-host ("Object Category to process: " + $ObjectType.ToUpper())}

    #
    # Process the command
    #
    switch($ObjectType.ToLower())
    {
        "all"
        {
            write-host ("Enrollment Services Container")
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
            write-host ("Certificate Templates Container")
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
            write-host ("OID Container")
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
        }
        "ca"
        {
            if($null -eq $ObjectCN)
            {
                ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
            }
            else
            {
                ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services" $ObjectCN
            }
        }
        "oid"
        {
            if($null -eq $ObjectCN)
            {
                ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
            }
            else
            {
                ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID" $ObjectCN
            }
        }
        "template"
        {
            if($null -eq $ObjectCN)
            {
                ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
            }
            else
            {
                ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates" $ObjectCN
            }
        }
        default
        {
            write-warning ("Unknown object type: " + $ObjectType.ToLower())
            Usage
            exit 87
        }
    }

    AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment

    Use DumpADObj.ps1 to display attribute values of an object in the specified AD DS forest.

    In cross-forest Active Directory Certificate Services (AD CS) deployments, use DumpADObj.ps1
    to troubleshoot certificate enrollment or PKI object synchronization problems.

    The program LDIFDE.EXE is required for DumpADObj.ps1 to access objects in AD DS.

    Saving DumpADObj.ps1

    To save DumpADObj.ps1 to a file

    1. Copy the code section that follows.

    2. Start Notepad.

    3. On the Edit menu, click Paste.

    4. On the File menu, click Save.

    5. Type a path for the file, type the file name DumpADObj.ps1, and click Save.

    #
    # This script dumps certificate template/CA information using ldifde.exe
    #

    #
    # Command line arguments
    #
    $ForestName = ""
    $DCName = ""
    $ObjectType = ""
    $ObjectName = ""
    $OutFile = ""

    function ParseCommandLine()
    {
        if (10 -gt $Script:args.Count)
        {
            write-warning "Not enough arguments"
            Usage
            exit 87
        }

        for($i = 0; $i -lt $Script:args.Count; $i++)
        {
            switch($Script:args[$i].ToLower())
            {
                "-forest"
                {
                    $i++
                    $Script:ForestName = $Script:args[$i]
                }
                "-dc"
                {
                    $i++
                    $Script:DCName = $Script:args[$i]
                }
                "-type"
                {
                    $i++
                    $Script:ObjectType = $Script:args[$i]
                }
                "-cn"
                {
                    $i++
                    $Script:ObjectName = $Script:args[$i]
                }
                "-file"
                {
                    $i++
                    $Script:OutFile = $Script:args[$i]
                }
                default
                {
                    write-warning ("Unknown parameter: " + $Script:args[$i])
                    Usage
                    exit 87
                }
            }
        }
    }

    function Usage()
    {
        write-host ""
        write-host "Script to display attribute values of a certificate template or CA object in AD"
        write-host ""
        write-host "dumpadobj.ps1 -forest <ForestDNS> -dc <DCName> -type <Template|CA> -cn <ObjectCN> -file <OutFile>"
        write-host ""
        write-host "-forest -- DNS name of the forest to read the object from"
        write-host "-dc     -- DNS or NetBIOS name of the DC to target"
        write-host "-type   -- Template or CA"
        write-host "-cn     -- Template or CA name"
        write-host "-file   -- Output file"
        write-host ""
    }

    #########################################################
    # Main script code
    #########################################################

    #
    # All errors are fatal by default unless there is another 'trap' with 'continue'
    #
    trap
    {
        write-error "The script has encountered a fatal error. Terminating script."
        break
    }

    ParseCommandLine

    write-host ""
    write-host "Effective settings:"
    write-host ""
    write-host " Forest: $ForestName"
    write-host " DC: $DCName"
    write-host " Type: $ObjectType"
    write-host " Name: $ObjectName"
    write-host " File: $OutFile"
    write-host ""

    #
    # Set type specific variables
    #
    switch($ObjectType.ToLower())
    {
        "template"
        {
            $ObjectContainerCN = ",CN=Certificate Templates"
            $ObjectSchema = "pKICertificateTemplate"
        }
        "ca"
        {
            $ObjectContainerCN = ",CN=Enrollment Services"
            $ObjectSchema = "pKIEnrollmentService"
        }
        default
        {
            write-warning ("Unknown object type: " + $ObjectType)
            Usage
            exit 87
        }
    }

    #
    # Build full DN for the object (assumes the forest root domain DN matches its DNS name)
    #
    $ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")
    $ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key Services,CN=Services,CN=Configuration," + $ForestDN

    #
    # Build list of attributes to display
    #
    $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $ForestName
    $SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectSchema).GetDirectoryEntry()
    $AttrList = $SchemaDE.systemMayContain
    if($null -ne $SchemaDE.mayContain)
    {
        $MayContain = $SchemaDE.mayContain
        foreach($attr in $MayContain)
        {
            [void]$AttrList.Add($attr)
        }
    }
    if (-1 -eq $AttrList.IndexOf("displayName"))
    {
        [void]$AttrList.Add("displayName")
    }
    if (-1 -eq $AttrList.IndexOf("flags"))
    {
        [void]$AttrList.Add("flags")
    }
    if ($ObjectType.ToLower().Equals("template") -and -1 -eq $AttrList.IndexOf("revision"))
    {
        [void]$AttrList.Add("revision")
    }

    # ldifde -l takes a comma-separated attribute list
    $SB = New-Object System.Text.StringBuilder
    for($i = 0; $i -lt $AttrList.Count; $i++)
    {
        [void]$SB.Append($AttrList[$i])
        if($i -lt ($AttrList.Count - 1))
        {
            [void]$SB.Append(",")
        }
    }
    $AttrListString = $SB.ToString()

    #
    # Run ldifde.exe. Arguments are passed directly rather than through
    # Invoke-Expression, so a DN or file name containing spaces or quotes is
    # handed to ldifde.exe unchanged. ldifde's own progress output goes to
    # ldifde.out.txt; the LDIF for the object is written to the requested file.
    #
    & ldifde.exe -d $ObjectFullDN -p Base -l $AttrListString -f $OutFile -s $DCName | Out-File ldifde.out.txt
    Get-Content $OutFile


    Online Version

    AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

    http://technet.microsoft.com/en-us/library/ff955842.aspx

