0

I am looking to deploy a multi-forest Microsoft CA between 2 domains (one-way trust). Domain A will be the resource forest while B will be the account forest (A trusts B but B doesn't trust A). Will there be any implications involved? I have done some research and found that it is possible even with no trust via the Cert enrollment web service, but it is rather tedious to deploy. Will it be any different for a one-way trust between domains? Thanks!

ba zhang

1 Answer

0

Enrollment Web Services technically do not require trust between forests, but it will be very limited: you lose the automatic initial certificate provisioning (via autoenrollment) option, and it will require copying account information from the account forest to the resource forest. The most flexible authentication mechanism, which requires less administrative and deployment effort, is Kerberos, and it requires a two-way forest trust.

Crypt32
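A pre-deployment check of the trust requirement stated in the answer above, as an added example that is not part of the original answer: it reads the trust object with `Get-ADTrust` (ActiveDirectory module) from a domain-joined machine in one forest and reports whether a two-way forest trust to the partner is in place. The function name `Test-CrossForestEnrollmentTrust` and the forest name `accountforest.example` are placeholders.

```powershell
#Requires -Modules ActiveDirectory

function Test-CrossForestEnrollmentTrust {
    [CmdletBinding()]
    param(
        # DNS name of the partner forest root domain (placeholder in the call below)
        [Parameter(Mandatory)] [string] $PartnerForest
    )

    # Trust objects live in the local domain; match on the trust partner's name.
    $trust = Get-ADTrust -Filter "Target -eq '$PartnerForest'" |
             Select-Object -First 1

    if (-not $trust) {
        return [pscustomobject]@{
            Partner          = $PartnerForest
            Direction        = 'None'
            ForestTrust      = $false
            TwoWayForest     = $false
            Note             = 'No trust found: only Enrollment Web Services remain, with the limits described in the answer.'
        }
    }

    # Direction is Inbound, Outbound or BiDirectional, seen from the local domain.
    # ForestTransitive is set on forest trusts (as opposed to external trusts).
    $direction   = "$($trust.Direction)"
    $isForest    = [bool]$trust.ForestTransitive
    $twoWay      = ($direction -eq 'BiDirectional') -and $isForest

    $note = if ($twoWay) {
        'Two-way forest trust present: meets the requirement stated for Kerberos authentication.'
    } else {
        'Not a two-way forest trust: does not meet the requirement stated for Kerberos authentication.'
    }

    [pscustomobject]@{
        Partner          = $PartnerForest
        Direction        = $direction
        ForestTrust      = $isForest
        TwoWayForest     = $twoWay
        Note             = $note
    }
}

# Constructed example call; replace the placeholder with the real partner forest.
Test-CrossForestEnrollmentTrust -PartnerForest 'accountforest.example' | Format-List
```

Run from the resource forest in the question's layout, a one-way "A trusts B" trust shows up as `Outbound`, so `TwoWayForest` is `False`.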