AD CS Cross Forest

Cross-forest Certificate Enrollment with Windows Server 2008 R2

Microsoft Corporation

Published: August 31, 2010

Abstract

Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise

Certification Authority (CA) to the clients that are members of a different Active Directory Domain

Services (AD DS) forest. This process is called cross-forest certificate enrollment. This white

paper will explain how the cross-forest certificate enrollment works. It will also provide

deployment guidance for new and existing Active Directory Certificate Services (AD CS)

deployments. The paper will cover strategies for consolidating existing certificate templates that

may be already in use in the enterprise. It will present choices for ongoing management of the

cross-forest certificates deployment. A PowerShell script is also provided to facilitate

management tasks related to setting up and maintaining cross-forest certificate enrollment

environment.

Copyright Information This document is provided for informational purposes only and Microsoft makes no warranties,

either express or implied, in this document. Information in this document, including URL and

other Internet Web site references, is subject to change without notice. The entire risk of the use

or the results from the use of this document remains with the user. Unless otherwise noted, the

example companies, organizations, products, domain names, e-mail addresses, logos, people,

places, and events depicted herein are fictitious, and no association with any real company,

organization, product, domain name, e-mail address, logo, person, place, or event is intended or

should be inferred. Complying with all applicable copyright laws is the responsibility of the user.

Without limiting the rights under copyright, no part of this document may be reproduced, stored in

or introduced into a retrieval system, or transmitted in any form or by any means (electronic,

mechanical, photocopying, recording, or otherwise), or for any purpose, without the express

written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, and Windows Server are trademarks of the Microsoft group of

companies.

All other trademarks are property of their respective owners.

Contents

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2 ................................... 4

Technical requirements ................................................................................................................ 4

Terms used in this guide .............................................................................................................. 4

New AD CS deployments for cross-forest certificate enrollment ................................................. 5

Consolidated AD CS deployments for cross-forest certificate enrollment ................................... 6

AD CS: Deploying Cross-forest Certificate Enrollment ................................................................... 8

Deploying AD CS for cross-forest certificate enrollment .............................................................. 9

Consolidating certificate templates from multiple forests ........................................................... 11

Copying account forest certificate templates into the resource forest .................................... 11

Consolidating certificate templates with similar purposes from multiple account forests ....... 13

Consolidating version 2 and version 3 default certificate templates ....................................... 15

Consolidating version 1 default certificate templates ............................................................. 16

Copying PKI objects to account forests ..................................................................................... 17

Support for CA Web Enrollment ................................................................................................. 18

Decommissioning CAs in account forests .................................................................................. 18

AD CS: Managing Cross-forest Certificate Enrollment.................................................................. 19

Using a scheduled task .............................................................................................................. 19

Monitoring AD CS events ........................................................................................................... 19

Using automation ....................................................................................................................... 20

AD CS: Troubleshooting Cross-forest Certificate Enrollment ....................................................... 21

PKI object synchronization issues .............................................................................................. 21

Public key containers or default certificate templates deleted ................................................... 22

Certutil connection errors when connecting to a CA .................................................................. 22

AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment ............................................. 22

Saving PKISync.ps1 ................................................................................................................... 22

Subsection Heading ................................................................................................................ 36

AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment ....................................... 36

Saving DumpADObj.ps1 ............................................................................................................ 36

Online Version ............................................................................................................................... 42

4

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

Guidance, procedures and scripts for configuring cross-forest certificate enrollment with Windows

Server 2008 R2 in a multiforest environment.

Cross-forest enrollment enables enterprises to deploy a central PKI in one Active

Directory Domain Services (AD DS) forest that issues certificates to domain members in other

forests.

Enterprises with existing per-forest AD CS deployments can reduce the number of CAs by

consolidating certificate templates from multiple forests into a single PKI that serves all forests.

Enterprises with multiforest environments and no PKI can deploy AD CS in one forest to provide

enrollment services to all forests.

Technical requirements Two-way forest trusts between a resource forest and account forests.

One or more enterprise CAs running on Windows Server 2008 R2.

Domain member computers in all forests running the following operating systems:

Windows XP

Windows Server 2003

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Terms used in this guide Resource forest is an AD DS forest in a multiforest environment that is designated to host

enterprise CAs running on Windows Server 2008 R2 to enable certificate enrollment for domain

members in all forests. The resource forest is considered the master copy of PKI objects stored

across all forests.

Account forest is an AD DS forest with domain members that enroll for certificates from an

enterprise CA in the resource forest.

5

New AD CS deployments for cross-forest certificate enrollment This section describes an example scenario for deploying AD CS for cross-forest enrollment in an

enterprise that has little or no PKI.

Example scenario 1 Contoso, Ltd is a large enterprise with multiple AD DS forests, as illustrated

in Fig 1. They have not deployed AD CS because of the increased costs associated with

deploying and managing a complete AD CS deployment in each forest.

Fig 1. Example multiforest deployment without AD CS

Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment,

Contoso Ltd can deploy AD CS in one forest that enables certificate enrollment from domain

members in all forests. Figure 2 illustrates a two-tier PKI in Forest A which allows domain

members from all forests to enroll for certificates from the enterprise CA in Forest A.

6

Fig 2. Example multiforest deployment with enterprise CA providing cross-forest

certificate enrollment

Consolidated AD CS deployments for cross-forest certificate enrollment Example scenario 2 Contoso, Ltd is a global holding company that has implemented AD CS in a

multiforest environment. Because of Contoso, Ltds corporate structure, it is necessary to deploy

one forest per subsidiary company. With no support for cross-forest certificate enrollment, AD CS

was deployed in each forest. A standalone root CA was deployed to be a central trusted root for

the PKI and domain members in all forests. The enterprise CA certificates in each forest and all

certificates issued to domain members in all forests have a certification path ending at the trusted

root CA certificate.

7

Fig 3. Example multiforest enterprise with per-forest AD CS deployment

With the availability of Windows Server 2008 R2, it is possible to consolidate multiple per-forest

AD CS deployments into a single AD CS deployment that enables certificate enrollment from

domain members in all forests. By using fewer CAs, Contoso can lower total PKI management

costs.

8

Fig 4. Example multiforest deployment with enterprise CA providing cross-forest

certificate enrollment.

AD CS: Deploying Cross-forest Certificate Enrollment

This topic provides guidance and procedures for deploying CAs and configuring AD CS for cross-

forest certificate enrollment in a multiforest environment.

To deploy AD CS for cross-forest certificate enrollment, complete the procedures in the following

sections of this guide:

Deploying AD CS for cross-forest certificate enrollment describes procedures for deploying

and configuring AD CS and PKI objects in AD DS. Procedures in this section are used for

both deployment scenarios.

9

Consolidating certificate templates from multiple forests describes procedures for

consolidating certificate templates from multiple per-forest AD CS deployments into a single

PKI. Consolidation tasks are not required for new AD CS deployments.

Copying PKI objects to account forests describes procedures and scripts for copying PKI

objects from AD in the resource forest to account forests. The procedures described for

copying PKI objects to account forests are required for new AD CS deployments and

consolidated deployments. After deployment, the procedures for copying PKI objects can be

used to distribute certificate templates from the resource forest to the account forests, which

is necessary to maintain consistency of PKI objects in all forests.

Deploying AD CS for cross-forest certificate enrollment Review this entire guide and plan your deployment.

Test your deployment plan in a lab or other non-production environment.

Review this guide again with the test results and improve your plan before production

deployment.

Complete the procedure to deploy and configure AD CS for both cross-forest scenarios: New

AD CS deployments and Consolidated AD CS deployments.

To deploy and configure AD CS

1. Designate a resource forest. All other forests participating in cross-forest certificate

enrollment are account forests. AD CS is deployed in the resource forest to provide certificate

enrollment services to domain members in all account forests.

When consolidating AD CS deployments from multiple forests, you can designate an existing

account forest as the resource forest. In many cases, the forest with the largest number of

CAs is the best candidate for being designated a resource forest.

Alternatively, a resource forest can be used solely for management of account forests and

hosting AD CS for cross-forest enrollment. Two-way trusts between the resource forest and

each account forest are required but trust relationships between account forests are not

required for cross-forest enrollment.

2. Create a two-way forest trust between the resource forest and account forests. See

Create a two-way, forest trust for both sides of the trust.

If Selective Authentication is required for the forest trust, the following permissions

are required:

Domain member computers and users in account forests must have Allow authenticate

permissions to the enterprise CAs in the resource forest.

Enterprise CAs in the resource forest must have Allow authenticate permissions to the

domain controllers in each account forest.

Administrators that run the scripts provided with this guide must have Allow

authenticate permissions to the domain controllers in all forests. For example, if the

Notes

10

scripts are run on a domain member computer in the resource forest, the administrator

must have Allow authenticate permissions in each account forest.

3. Establish a root CA in the resource forest by deploying a new root CA or by designating

an existing standalone or enterprise root CA.

4. Install or upgrade one or more enterprise CAs running on Windows Server 2008 R2 in the

resource forest.

Depending on your environment, the degree to which you are using existing PKI

resources, and your level of experience with AD CS, the following references might

be helpful for planning a new AD CS deployment or migrating existing AD CS

deployments to Windows Server 2008 R2.

AD CS Advanced Lab Scenario

Active Directory Certificate Services Migration Guide

5. Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -

setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.

6. Add enterprise CA computer accounts to Cert Publishers group in each account

forest. See example procedures at Add a member to a group. Restart the CA by using net

stop certsvc && net start certsvc.

7. Configure authority information access and CRL distribution point locations. See

Specify CA certificate access points in issued certificates. In addition to specifying the

access point locations in certificate templates, you must ensure that the network locations

specified in certificates are online and are accessible from domain members in all resource

forests. The locations can be either LDAP or HTTP depending on your certificate template

configuration. See Configuring Certificate Revocation.

8. Publish the root CA certificate from the resource forest to the account forests by using

Certutil.exe at a command prompt to run the following commands:

a. certutil -config \ -ca.cert

If you run the command on the root CA you can omit the connection information, -config

\.

b. certutil -dspublish -f RootCA

9. Publish enterprise CA certificates from the resource forest into the NTAuthCertificates

and AIA containers in each account forest.


b. certutil -dspublish -f NTAuthCA

c. certutil -dspublish -f SubCA

Next, you must prepare certificate templates for the certificates required by domain member

computers and users in all forests.

If you are performing a new AD CS deployment, the default certificate templates in the resource

forest can be used or custom templates can be created to meet your requirements.

Notes

11

Review the list of Default certificate templates.

Creating custom certificate templates requires that you have the required information and

technical understanding to configure all required certificate template properties. For more

information,

To use the default certificate templates in the resource forest, skip the section on Consolidating

certificate templates and continue at Copying PKI objects to account forests.

To customize the default certificate templates, see Creating Certificate Templates. Continue at

Copying PKI objects to account forests after you are finished customizing the certificate

templates in the resource forest.

If you are consolidating AD CS from multiple forests that have custom certificate templates which

you must continue to use, then review the next section, Consolidating certificate templates from

multiple forests, and complete the procedures that best meet your requirements.

Consolidating certificate templates from multiple forests Because AD CS deployments can vary greatly, the exact steps you must take to consolidate your

existing certificate templates cannot be described in this guide.

The goal is to reduce the number of CAs and certificate templates in a multiforest environment by

creating a set of certificate templates issued by resource forest CAs that provide certificates to

domain members in all forests.

Based on the number of forests and certificate templates in your environment, the timeframe you

have to complete AD CS consolidation, and the requirements of your organization, you can use a

combination of procedures described in this section to define the set of certificate templates

issued by your resource forest CAs.

For each certificate template you plan to issue from the resource forest, consider which of the

following methods best meets the goals and requirements of your organization and complete the

procedures described in that section.

Copying account forest certificate templates into the resource forest

Consolidating certificate templates with similar purposes from multiple account forests

Consolidating version 2 and version 3 default certificate templates

Consolidating version 1 default certificate templates

The procedures described in this section require the Windows Powershell script PKISync.ps1.

Complete the procedure To Save PKISync.ps1 to a file.

Copying account forest certificate templates into the resource forest

The simplest way to consolidate AD CS from multiple forests into a single resource forest is to

copy the certificate templates from all account forests into the resource forest and configure

12

AD CS to issue certificates from the resource forest. Because all certificate templates remain

available, the rate of certificate enrollment remains steady and there is no impact to users.

This method reduces the number of CAs in the enterprise but the resource forest might have

multiple certificate templates for some types of certificates; for example, if certificate templates for

S/MIME certificates are copied from multiple account forests into the resource forest.

Complete the procedures from a domain member computer that has access to the resource and

account forests. Log on using an account with permissions to update AD objects in resource and

account forests. Members of Domain Admins and Enterprise Admins group have the required

permissions.

The procedure must be completed for each certificate template you want to copy into the

resource forest. You cannot copy multiple certificate templates simultaneously.

1. Start Windows Powershell. Change the current directory to the location of the

PKISync.ps1 script.

2. Copy the certificate template from the account forest by using the command

.\PKISync.ps1 -sourceforest -targetforest -type Template -cn .

Note

If a certificate template in the resource forest has the same name as the

certificate template you want to copy from the account forest, you must rename

the certificate template in the account forest before copying the template to the

resource forest. See Rename a Certificate Template.

3. Copy the OID container from the account forest by using the command

.\PKISync.ps1 -sourceforest -targetforest -type Oid f and press ENTER.

4. Grant administrators permissions on the certificate template in the resource forest.

Grant Full control to Enterprise admins group, which is the equivalent of default

certificate template permissions. Alternatively, you can define custom permissions

according to your organizations security policy. See the Security Tab section of

Extensions Tab.

5. Grant domain members permissions on the certificate template in the resource

forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The

access control list defined on the certificate template in the account forest is preserved

during the copy operation, but you should verify permissions are correct and grant

permissions to additional users in other account forests as needed. See the Security

Tab section of Administering Certificate Templates.

6. Publish the root CA certificate from the account forest to the resource forest by using

Certutil.exe at a command prompt to run the following commands:


If you are logged on to the CA you can omit the connection information, -config

To copy certificate templates from an account forest to the resource forest

13

\ to connect to the local CA.

b. certutil -dspublish -f RootCA

7. Publish enterprise CA certificates from the account forest into the

NTAuthCertificates and AIA containers in the resource forest.

a. certutil -config \ -

ca.cert

b. certutil -dspublish -f NTAuthCA

c. certutil -dspublish -f SubCA

Note

Steps 6 and 7 are required because renewal requests can be signed by

certificates issued by CAs in the account forests. The CA certificates from the

account forests are required for issued certificates from account forests to be

valid in the resource forest.

8. Assign the certificate template to an enterprise CA in the resource forest. See Add

a Certificate Template to a Certification Authority.

9. Copy the assigned enterprise CA object from the resource forest by using the

command .\PKISync.ps1 -sourceforest -targetforest

-type CA -cn f. To

determine the CA sanitized name, log on to the CA, start a command prompt, type

Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

10. Copy the certificate template object from the resource forest by using the command

.\PKISync.ps1 -sourceforest -targetforest -type Template -cn f.

11. Remove the old certificate template from enterprise CAs in the account forest by

using the Certification Authority snap-in. Click Certificate Templates, right-click the

old certificate template, and click Delete.

Consolidating certificate templates with similar purposes from multiple account forests

Instead of combining certificate templates from all account forests and managing redundant

certificate templates (as described in the previous section), you can minimize the number of

certificate templates in the resource forest by reviewing the certificate templates issued in each

account forest based on cryptographic purpose and certificate template properties. Define a set of

certificate templates for the resource forest that can replace all certificate templates in the

account forests.

When consolidating certificate templates from multiple account forests into a single set of

templates in the resource forest, two approaches are available.

1. Stop issuing certificates in account forests by removing all certificate templates from account

forest CAs, and publish certificate templates in the resource forest for all certificate types

required in the account forests. Because certificates issued in the account forest remain valid

until they expire, this method does not cause a spike in certificate enrollment and has low

14

user impact. However, until existing certificates issued by the account forest expire, two valid

certificates for the same purpose are found in a users certificate store which might result in a

user prompt for certificate selection and possibly increased help desk calls. Additionally, you

must continue to publish CRLs and CA certificates for the account forest PKI.

2. Publish certificate templates in the resource forest which supersede certificate templates in

account forests, and force immediate reenrollment. This method causes a spike in certificate

enrollment because all domain members will enroll for the new certificate within a short

period of time. However, AD CS resources in account forests can be decommissioned

sooner.

The procedure To consolidate certificate templates can be used for both approaches. Steps

for superseding are noted.

Complete the procedures from a domain member computer that has access to the resource and

account forests. Log on using an account with permissions to update AD objects in resource and

account forests. Members of Domain Admins and Enterprise Admins group have the required

permissions.

The procedure must be completed for each certificate template type you want to issue from the

resource forest.

1. Copy certificate templates from account forests by using the command

.\PKISync.ps1 -sourceforest -targetforest -type Template -cn .

2. Copy the OID container from account forests by using the command .\PKISync.ps1 -

sourceforest -targetforest -type Oid

f.

3. If you are superseding certificate templates from account forests, repeat steps 1

and 2 for all certificate templates in account forests that are superseded by the new

certificate template in the resource forest.

4. Duplicate a certificate template you copied from an account forest, and customize

if necessary. See Creating Certificate Templates.





Extensions Tab.


forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The

access control list defined on the certificate template in the account forest is preserved

during the copy operation, but you should verify permissions are correct and grant

permissions to additional users in other account forests as needed. See the Security

Tab section of Administering Certificate Templates.

7. (Optional) Supersede certificate templates from account forests by using the

Certificate Templates snap-in to add all superseded certificate templates from account

To consolidate certificate templates

15

forests to the Superseded templates tab on the certificate template properties sheet.

See Supersede Templates.





-type CA -cn f. To



Note

If you are superseding certificate templates from account forests, repeat steps 9

through 12 for each account forest you copied certificate templates from in step

1.



11. Copy the OID container from the resource forest by using the command

.\PKISync.ps1 -sourceforest -targetforest -type Oid f.




Consolidating version 2 and version 3 default certificate templates

Because default certificate templates have the same names in all forests, the simplest approach

to consolidating version 2 and version 3 default certificate templates from multiple forests is to

use the default certificate templates in the resource forest and stop issuing certificates based on

the default templates in the account forests. Because certificates issued in the account forest

remain valid until they expire, this method does not cause a spike in certificate enrollment and

has low user impact. However, until existing certificates issued by the account forest expire, two

valid certificates for the same purpose in a users profile might result in a user prompt for

certificate selection which could cause increased help desk calls. Additionally, you must continue

to publish CRLs and CA certificates for the account forest.

Alternatively, you can supersede existing certificates in account forests by creating new certificate

templates in the resource forest and configuring them to supersede certificate templates in all

account forests. This method causes a spike in certificate enrollment because all domain

members will enroll for the new certificate within a short period of time. This method causes a

spike in certificate enrollment because all domain members will enroll for the new certificate

16

within a short period of time, however AD CS resources in account forests can be

decommissioned immediately.

1. Duplicate a version 2 or version 3 default certificate template, and customize if

necessary. See Creating Certificate Templates.





Extensions Tab.


forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all

account forests. See the Security Tab section of Administering Certificate Templates.

4. (Optional) Supersede certificate templates from account forests by using the

Certificate Templates snap-in to add all superseded certificate templates from account

forests to the Superseded templates tab on the certificate template properties sheet.

See Supersede Templates.





-type CA -cn f. To



Note

If you are superseding certificate templates from account forests, repeat steps 6

through 9 for each account forest you copied certificate templates from in step 1.








Consolidating version 1 default certificate templates

For each version 1 default certificate you want to issue, complete the following procedure.

To consolidate version 2 and version 3 default certificate templates

17


forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all

account forests. See the Security Tab section of Administering Certificate Templates.





-type CA -cn f. To










Copying PKI objects to account forests Certificate enrollment objects in AD DS environments are stored in three containers which must

be copied from the resource forest to account forests to maintain consistency across all forests

that are participating in cross-forest certificate enrollment. A Windows Powershell script is

provided for copying and managing the following PKI objects in AD.

Enrollment services

Certificate templates

OID

In cross-forest enrollment deployments described in this guide, the resource forest is the master

copy of PKI objects. The PKI objects described in this section must be the same in all forests.

To maintain consistency across all forests, copy PKI objects in the resource forest should to

account forests frequently. Scripts and examples for automated copying are described in AD CS:

Managing Cross-forest Certificate Enrollment.

You can use PKISync.ps1 during initial deployment and to keep resource and account forest PKI

objects synchronized.

PKISync.ps1 copies objects in the source forest to the target forest. Objects in the source forest

are not changed by script operations.

To consolidate version 1 default certificate templates

18

CA certificates are not copied by PKISync.ps1. When CA certificates are renewed, you must

manually publish the CA certificates to account forests by using the commands described in

Deploying AD CS for cross-forest certificate enrollment.

First, complete the procedure to save PKISync.ps1 to a file, as described in AD CS: PKISync.ps1

Script for Cross-forest Certificate Enrollment

Next, complete the following procedure.

1. Start Windows Powershell.

2. Type .\PKISync.ps1 -sourceforest -targetforest

[-f] and press ENTER. When copying from the resource forest,

is the DNS name of the resource forest and is

the DNS name of an account forest.

Warning

[-f] is an optional argument. When [-f] is used, objects in

are deleted and replaced by objects with the same name from

. When [-f] is not used, you are prompted to confirm before

objects are deleted.

3. Repeat for each account forest.

Support for CA Web Enrollment The following table describes the support for using CA web enrollment with CAs in the resource

forest that are configured for cross-forest certificate enrollment.

Forest CA web

enrollment is hosted in

CA web enrollment

installed on CA

Type of delegation Is supported

Resource Yes Not required Yes

Resource No Computer Yes

Resource No Constrained Yes

Account No Computer Yes

Account No Constrained No

Decommissioning CAs in account forests A goal of deploying cross-forest certificate enrollment is to reduce the number of CAs in an

enterprise.

To copy PKI objects by using PKISync.ps1

19

After certificate templates have been removed from a CA in an account forest, the CA can be

decommissioned.

Complete the procedures described in section Removing a CA from Active Directory in CA

Maintenance.

AD CS: Managing Cross-forest Certificate Enrollment

Because cross-forest certificate enrollment requires that PKI objects in all forests are the same, it

is necessary to copy PKI objects from the resource forest to the account forests whenever PKI

objects in the resource forest are changed.

You can perform this maintenance manually by completing the procedure described in Copying

PKI objects to account forests.

However, because manual processes are prone to error and might not be completed regularly or

when PKI objects changed, it is recommended to use an automated process based on the

PKISync.ps1 script and examples provided in this guide.

Two examples of automation are described in this topic:

Using a scheduled task

Monitoring AD CS events

Using a scheduled task The simplest method for maintaining PKI objects for cross-forest ceriticate enrollment is to run the

PKISync.ps1 script in a scheduled task.

For best results the task should run frequently. Because PKI objects are not changed frequently,

copying them to account forests once daily should work well in most environments.

For information on using scheduled tasks, see

Monitoring AD CS events Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events

that indicate a change to PKI objects.

You must configure auditing on CAs for some AD CS events to be recorded in the event log.

Complete the following procedure on each CA you want to monitor.

1. Start an MMC console and add the Group Policy Object Editor for the local computer.

2. In the tree view, click Computer Configuration\Windows Settings\Security

Settings\Local Policies\Audit Policy.

To enable AD CS event auditing

20

3. In the details pane, double-click Audit object access.

4. Click Success, then click OK.

5. Start the Certification Authority snap-in.

6. In the tree view, right-click your CA and click Properties.

7. Click the Auditing tab.

8. Click Change CA configuration and Change CA security settings, then click OK.

9. Restart the CA service by using the command sc stop certsvc && sc start certsvc.

The following table lists events you can monitor.

Event Id Event log Event source Description

26 Application Microsoft-Windows-

CertificationAuthority

Active Directory Certificate

Services for %1 was

started.

4882 Security Microsoft-Windows-

Security-Auditing

The security permissions

for Certificate Services

changed.


Security-Auditing

Certificate Services loaded

a template.


Security-Auditing

A Certificate Services

template was updated.


Security-Auditing

A property of Certificate

Services changed.

Using automation Detailed instructions for configuring automation are not provided in this document.

Use the guidance and script provided in this document and any of the following systems to

develop a solution that meets the requirements of your organization:

System Center Operations Manager can be used to monitor your CAs for events and alert

administrators or run custom scripts or code in response to specified events.

Windows and Directory Access APIs can be used to subscribe to events on your CA and

run custom code to manage PKI objects in AD.

Microsoft Forefront Identity Manger or Microsoft Identify Lifecycle Manager can be used to

synchronize PKI objects in account forests with objects in the resource forest. See Microsoft

Forefront Identity Manager.

21

AD CS: Troubleshooting Cross-forest Certificate Enrollment

Common problems and resolutions related to using AD CS for cross-forest certificate enrollment

are described.

PKI object synchronization issues If the PKI objects are not the same in all forests, a number of problems can occur during

certificate enrollment. For example, domain members may receive errors indicating certificate

template version number inconsistencies.

You must ensure that the same set of PKI objects and certificate templates exist in all forests and

that the attribute values on each object are the same across forests.

To compare the objects in two forests, use the command .\PKISync.ps1 -sourceforest

-targetforest -whatif. By using the whatif switch,

the script will display the objects that would be copied but does not copy them. If the output for an

object does not include the message "Object exists, use -f to overwrite", then the object exists

in but not in .

To display an objects attribute values, use the DumpADObj.ps1 script included in this guide.

See AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment.

To compare the attribute values of two objects in different forests, use DumpADObj.ps1 for

each object. Use a program to compare the output files for the two objects. If WinDiff.exe is not

included in the version of Windows you are using, see Windows XP Service Pack 2 Support

Tools.

To display the PKI objects in AD DS, use the command certutil viewstore [].

To view root CA certificates, use cerutil viewstore "ldap:///CN=Certification

Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority" []

To view enterprise CA certificates in the NTAuthCertificates container, use certutil

viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=C

onfiguration,DC=?cACertificate" []

To view enterprise CA certificates in the AIA container, use certutil -viewstore

"ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=?cACertificate?one?objectClass=certificationAuthority" [].

22

Public key containers or default certificate templates deleted Problem: Default containers or certificate templates have been deleted from the Public key

services container in AD DS.

Resolution: , The default containers, objects and certificate templates can be installed to AD DS

at any time by using the command certutil.exe installdefaulttemplates.

Only the default containers, objects and certificate templates are installed. Custom certificate

templates cannot be restored by using certutil.exe. You should also implement a backup solution

for AD DS. See Active Directory Backup and Restore in Windows Server 2008 in Technet

Magazine.

Certutil connection errors when connecting to a CA Problem: When you run the commands certutil config -ca.cert

or certutil config ping, the command fails and displays an error

message:

CertUtil: The RPC server is unavailable.

OR

CertUtil: Access is denied.

Resolution: Add the user running the command to the CERTSVC_DCOM_ACCESS security

group on the CA specified in .

AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment

PKISync.ps1 copies objects in the source forest to the target forest.

In cross-forest AD CS deployments, use PKISync.ps1 during initial deployment and to keep

resource and account forest PKI objects synchronized.

Saving PKISync.ps1

1. Click Copy Code at the top of the code section.

2. Start Notepad.

3. On the Edit menu, click Paste.

4. On the File menu, click Save.

To save PKISync.ps1 to a file

23

5. Type a path for the file, type the file name PKISync.ps1, and click Save.

#

# This script allows updating PKI objects in Active Directory for the

# cross-forest certificate enrollment

#

#This sample script is not supported under any Microsoft standard support

#program or service. This sample script is provided AS IS without warranty of

#any kind. Microsoft further disclaims all implied warranties including,

#without limitation, any implied warranties of merchantability or of fitness

#for a particular purpose. The entire risk arising out of the use or

#performance of the sample scripts and documentation remains with you. In no

#event shall Microsoft, its authors, or anyone else involved in the creation,

#production, or delivery of the scripts be liable for any damages whatsoever

# (including, without limitation, damages for loss of business profits, business

#interruption, loss of business information, or other pecuniary loss) arising

#out of the use of or inability to use this sample script or documentation,

#even if Microsoft has been advised of the possibility of such damages.

#

# Command line variables

#

$SourceForestName = ""

$TargetForestName = ""

$SourceDC = ""

$TargetDC = ""

$ObjectType = "all"

$ObjectCN = $null

$DryRun = $FALSE

$DeleteOnly = $FALSE

$OverWrite = $FALSE

function ParseCommandLine()

24

{

if (2 -gt $Script:args.Count)

{

write-warning "Not enough arguments"

Usage

exit 87

}

for($i = 0; $i -lt $Script:args.Count; $i++)

{

switch($Script:args[$i].ToLower())

{

-sourceforest

{

$i++

$Script:SourceForestName = $Script:args[$i]

}

-targetforest

{

$i++

$Script:TargetForestName = $Script:args[$i]

}

-cn

{

$i++

$Script:ObjectCN = $Script:args[$i]

}

-type

{

$i++

$Script:ObjectType = $Script:args[$i].ToLower()

}

-f

{

25

$Script:OverWrite = $TRUE

}

-whatif

{

$Script:DryRun = $TRUE

}

-deleteOnly

{

$Script:DeleteOnly = $TRUE

}

-targetdc

{

$i++

$Script:TargetDC = $Script:args[$i]

}

-sourcedc

{

$i++

$Script:SourceDC = $Script:args[$i]

}

default

{

write-warning ("Unknown parameter: " + $Script:args[$i])

Usage

exit 87

}

}

}

}

function Usage()

{

write-host ""

write-host "Script to copy or delete PKI objects (default is copy)"

26

write-host ""

write-host " Copy Command:"

write-host ""

write-host " .\PKISync.ps1 -sourceforest -targetforest

[-sourceDC ] [-targetDC ] [-type

[-cn ]] [-f] [-whatif]"

write-host ""

write-host " Delete Command:"

write-host ""

write-host " .\PKISync.ps1 -targetforest [-targetDC ]

[-type [-cn ]] [-deleteOnly] [-whatif]"

write-host ""

write-host "-sourceforest -- DNS of the forest to process object from"

write-host "-targetforest -- DNS of the forest to process object to"

write-host "-sourcedc -- DNS of the DC in the source forest to process

object from"

write-host "-targetdc -- DNS of the DC in the target forest to process

object to"

write-host "-type -- Type of object to process, if omitted then all

object types are processed"

write-host " CA -- Process CA object(s)"

write-host " Template -- Process Template object(s)"

write-host " OID -- Process OID object(s)"

write-host '-cn -- Common name of the object to process, do not

include the cn= (ie "User" and not "CN=User"'

write-host " This option is only valid if -type is also

specified"

write-host "-f -- Force overwrite of existing objects when

copying. Ignored when deleting."

write-host "-whatif -- Display what object(s) will be processed

without processing"

write-host "-deleteOnly -- Will delete object in the target forest if it

exists"

write-host ""

write-host ""

}

27

#

# Build a list of attributes to copy for some object type

#

function GetSchemaSystemMayContain($ForestContext, $ObjectType)

{

#

# first get all attributes that are part of systemMayContain list

#

$SchemaDE =

[System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($Forest

Context, $ObjectType).GetDirectoryEntry()

$SystemMayContain = $SchemaDE.systemMayContain

#

# if schema was upgraded with adprep.exe, we need to check mayContain list as well

#

if($null -ne $SchemaDE.mayContain)

{

$MayContain = $SchemaDE.mayContain

foreach($attr in $MayContain)

{

$SystemMayContain.Add($attr)

}

}

#

# special case some of the inherited attributes

#

if (-1 -eq $SystemMayContain.IndexOf("displayName"))

{

$SystemMayContain.Add("displayName")

}

if (-1 -eq $SystemMayContain.IndexOf("flags"))

28

{

$SystemMayContain.Add("flags")

}

if ($objectType.ToLower().Contains("template") -and -1 -eq

$SystemMayContain.IndexOf("revision"))

{

$SystemMayContain.Add("revision")

}

return $SystemMayContain

}

#

# Copy or delete all objects of some type

#

function ProcessAllObjects($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN)

{

$SourceObjectsDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)

$ObjectCN = $null

foreach($ChildNode in $SourceObjectsDE.psbase.get_Children())

{

# if some object failed, we will try to continue with the rest

trap

{

# CN maybe null here, but its ok. Doing best effort.

write-warning ("Error while coping an object. CN=" + $ObjectCN)

write-warning $_

write-warning $_.InvocationInfo.PositionMessage

continue

}

$ObjectCN = $ChildNode.psbase.Properties["cn"]

ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE $RelativeDN $ObjectCN

29

$ObjectCN = $null

}

}

#

# Copy or delete an object

#

function ProcessObject($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN,

$ObjectCN)

{

$SourceObjectContainerDE =

$SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)

$TargetObjectContainerDE =

$TargetPKIServicesDE.psbase.get_Children().find($RelativeDN)

#

# when copying make sure there is an object to copy

#

if($FALSE -eq $Script:DeleteOnly)

{

$DSSearcher =

[System.DirectoryServices.DirectorySearcher]$SourceObjectContainerDE

$DSSearcher.Filter = "(cn=" +$ObjectCN+")"

$SearchResult = $DSSearcher.FindAll()

if (0 -eq $SearchResult.Count)

{

write-host ("Source object does not exist: CN=" + $ObjectCN + "," +

$RelativeDN)

return

}

$SourceObjectDE = $SourceObjectContainerDE.psbase.get_Children().find("CN=" +

$ObjectCN)

}

30

#

# Check to see if the target object exists, if it does delete if overwrite is

enabled.

# Also delete is this a deletion only operation.

#

$DSSearcher = [System.DirectoryServices.DirectorySearcher]$TargetObjectContainerDE

$DSSearcher.Filter = "(cn=" +$ObjectCN+")"

$SearchResult = $DSSearcher.FindAll()

if ($SearchResult.Count -gt 0)

{

$TargetObjectDE = $TargetObjectContainerDE.psbase.get_Children().find("CN=" +

$ObjectCN)

if($Script:DeleteOnly)

{

write-host ("Deleting: " + $TargetObjectDE.DistinguishedName)

if($FALSE -eq $DryRun)

{

$TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)

}

return

}

elseif ($Script:OverWrite)

{

write-host ("OverWriting: " + $TargetObjectDE.DistinguishedName)

if($FALSE -eq $DryRun)

{

$TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)

}

}

else

{

write-warning ("Object exists, use -f to overwrite. Object: " +

$TargetObjectDE.DistinguishedName)

31

return

}

}

else

{

if($Script:DeleteOnly)

{

write-warning ("Can't delete object. Object doesn't exist. Object: " +

$ObjectCN + ", " + $TargetObjectContainerDE.DistinguishedName)

return

}

else

{

write-host ("Copying Object: " + $SourceObjectDE.DistinguishedName)

}

}

#

# Only update the object if this is not a dry run

#

if($FALSE -eq $DryRun -and $FALSE -eq $Script:DeleteOnly)

{

#Create new AD object

$NewDE = $TargetObjectContainerDE.psbase.get_Children().Add("CN=" + $ObjectCN,

$SourceObjectDE.psbase.SchemaClassName)

#Obtain systemMayContain for the object type from the AD schema

$ObjectMayContain = GetSchemaSystemMayContain $SourceForestContext

$SourceObjectDE.psbase.SchemaClassName

#Copy attributes defined in the systemMayContain for the object type

foreach($Attribute in $ObjectMayContain)

{

$AttributeValue = $SourceObjectDE.psbase.Properties[$Attribute].Value

if ($null -ne $AttributeValue)

32

{

$NewDE.psbase.Properties[$Attribute].Value = $AttributeValue

$NewDE.psbase.CommitChanges()

}

}

#Copy secuirty descriptor to new object. Only DACL is copied.

$BinarySecurityDescriptor =

$SourceObjectDE.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()

$NewDE.psbase.ObjectSecurity.SetSecurityDescriptorBinaryForm($BinarySecurityDescriptor,

[System.Security.AccessControl.AccessControlSections]::Access)

$NewDE.psbase.CommitChanges()

}

}

#

# Get parent container for all PKI objects in the AD

#

function

GetPKIServicesContainer([System.DirectoryServices.ActiveDirectory.DirectoryContext]

$ForestContext, $dcName)

{

$ForObj =

[System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)

$DE = $ForObj.RootDomain.GetDirectoryEntry()

if("" -ne $dcName)

{

$newPath = [System.Text.RegularExpressions.Regex]::Replace($DE.psbase.Path,

"LDAP://\S*/", "LDAP://" + $dcName + "/")

$DE = New-Object System.DirectoryServices.DirectoryEntry $newPath

}

$PKIServicesContainer = $DE.psbase.get_Children().find("CN=Public Key

Services,CN=Services,CN=Configuration")

33

return $PKIServicesContainer

}

#########################################################

# Main script code

#########################################################

#

# All errors are fatal by default unless there is another 'trap' with 'continue'

#

trap

{

write-error "The script has encoutnered a fatal error. Terminating script."

break

}

ParseCommandLine

#

# Get a hold of the containers in each forest

#

write-host ("Target Forest: " + $TargetForestName.ToUpper())

$TargetForestContext = New-Object

System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $TargetForestName

$TargetPKIServicesDE = GetPKIServicesContainer $TargetForestContext $Script:TargetDC

# Only need source forest when copying

if($FALSE -eq $Script:DeleteOnly)

{

write-host ("Source Forest: " + $SourceForestName.ToUpper())

$SourceForestContext = New-Object

System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $SourceForestName

$SourcePKIServicesDE = GetPKIServicesContainer $SourceForestContext $Script:SourceDC

}

34

else

{

$SourcePKIServicesDE = $TargetPKIServicesDE

}

if("" -ne $ObjectType) {write-host ("Object Category to process: " +

$ObjectType.ToUpper())}

#

# Process the command

#

switch($ObjectType.ToLower())

{

all

{

write-host ("Enrollment Serverices Container")

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"

write-host ("Certificate Templates Container")

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate

Templates"

write-host ("OID Container")

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"

}

ca

{

if($null -eq $ObjectCN)

{

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment

Services"

}

else

{

ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment

Services" $ObjectCN

35

}

}

oid

{


{

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"

}

else

{

ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID" $ObjectCN

}

}

template

{


{

ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate

Templates"

}

else

{

ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate

Templates" $ObjectCN

}

}

default

{

write-warning ("Unknown object type: " + $ObjectType.ToLower())

Usage

exit 87

}

}

36

Subsection Heading

Insert subsection body here.

AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment

Use DumpADObj.ps1 to display attribute values of an object in the specified AD DS forest.

In cross-forest Active Directory Certificate Services (AD CS) deployments, use DumpADObj.ps1

to troubleshoot certificate enrollment or PKI object synchronization problems.

The program LDIFDE.EXE is required for DumpADObj.ps1 to access objects in AD DS.

Saving DumpADObj.ps1

1. Click Copy Code at the top of the code section.

2. Start Notepad.

3. On the Edit menu, click Paste.

4. On the File menu, click Save.

5. Type a path for the file, type the file name DumpADObj.ps1, and click Save.

#

# This script dumps certificate template/CA information using ldifde.exe

#

#

# Command line arguments

#

$ForestName = ""

$DCName = ""

$ObjectType = ""

$ObjectName = ""

$OutFile = ""

function ParseCommandLine()

{

To save DumpADObj.ps1 to a file

37

if (10 -gt $Script:args.Count)

{

write-warning "Not enough arguments"

Usage

exit 87

}

for($i = 0; $i -lt $Script:args.Count; $i++)

{

switch($Script:args[$i].ToLower())

{

-forest

{

$i++

$Script:ForestName = $Script:args[$i]

}

-dc

{

$i++

$Script:DCName = $Script:args[$i]

}

-type

{

$i++

$Script:ObjectType = $Script:args[$i]

}

-cn

{

$i++

$Script:ObjectName = $Script:args[$i]

}

-file

{

$i++

38

$Script:OutFile = $Script:args[$i]

}

default

{

write-warning ("Unknown parameter: " + $Script:args[$i])

Usage

exit 87

}

}

}

}

function Usage()

{

write-host ""

write-host "Script to display attribute values of certificate template or CA object

in AD"

write-host ""

write-host "dumpadobj.ps1 -forest -dc -type -cn

-file "

write-host ""

write-host "-forest -- DNS of the forest to process object from"

write-host "-dc -- DNS or NetBios name of the DC to target"

write-host "-type -- Template or CA"

write-host "-cn -- Template or CA name"

write-host "-file -- Output file"

write-host ""

}

#########################################################

# Main script code

#########################################################

#

39

# All errors are fatal by default unless there is anoter 'trap' with 'continue'

#

trap

{

write-error "The script has encountered a fatal error. Terminating script."

break

}

ParseCommandLine

write-host ""

write-host "Effective settings:"

write-host ""

write-host " Forest: $ForestName"

write-host " DC: $DCName"

write-host " Type: $ObjectType"

write-host " Name: $ObjectName"

write-host " File: $OutFile"

write-host ""

#

# Set type specific variables

#

switch($ObjectType.ToLower())

{

"template"

{

$ObjectContainerCN = ",CN=Certificate Templates"

$ObjectSchema = "pKICertificateTemplate"

}

"ca"

{

$ObjectContainerCN = ",CN=Enrollment Services"

$ObjectSchema = "pKIEnrollmentService"

40

}

default

{

write-warning ("Unknown object type: " + $ObjectType)

Usage

exit 87

}

}

#

# Build full DN for the object

#

$ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")

$ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key

Services,CN=Services,CN=Configuration," + $ForestDN

#

# Build list of attributes to display

#

$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext

Forest, $ForestName

$SchemaDE =

[System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($Forest

Context, $ObjectSchema).GetDirectoryEntry()

$AttrList = $SchemaDE.systemMayContain

if($null -ne $SchemaDE.mayContain)

{

$MayContain = $SchemaDE.mayContain

foreach($attr in $MayContain)

{

[void]$AttrList.Add($attr)

}

}

41

if (-1 -eq $AttrList.IndexOf("displayName"))

{

[void]$AttrList.Add("displayName")

}

if (-1 -eq $AttrList.IndexOf("flags"))

{

[void]$AttrList.Add("flags")

}

if ($ObjectType.ToLower().Equals("template") -and -1 -eq $AttrList.IndexOf("revision"))

{

[void]$AttrList.Add("revision")

}

$SB = New-Object System.Text.StringBuilder

for($i = 0; $i -lt $AttrList.Count; $i++)

{

[void]$SB.Append($AttrList[$i])

if($i -lt ($AttrList.Count - 1))

{

[void]$SB.Append(",")

}

}

$AttrListString = $SB.ToString()

#

# Build command line and execute

#

$CommandLine = "-d """ + $ObjectFullDN + """ -p Base -l """ + $AttrListString + """ -f

""" + $OutFile + """ -s " + $DCName

Invoke-Expression "ldifde.exe $CommandLine" > ldifde.out.txt

type "$OutFile"

42

Online Version

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2

http://technet.microsoft.com/en-us/library/ff955842.aspx

Date post:	10-Oct-2015
Category:	Documents
Upload:	sorin-constantinescu
View:	421 times
Download:	49 times

AD CS Cross Forest

Documents