1

Looking for help on material for setting up a multi tiered/cross-forest PKI Infrastructure. The only articles I can come across are just setting up the basic two tier systems on one domain.

Basically we have a management domain (we buy companies every year it seems so we have this to help the consolidation process along). Lets call this domain1.com. We successfully setup a CA in domain1.com in two tier format (offline root with online enterprise subca).

subca.domain1.com

Right now I am not sure how to get the new domain coming in, domain2.com, so get certs from the domain1.com subca. Microsoft said that I need to create a subca for each different domain that tie back to domain1.com

subca.domain2.com

Does this sound right? How do I configure subca.domain2.com to publish certs into the domain2.com domain controllers when the root authority is in domain1? The end deliverable is to start doing LDAPS in domain2.com. Thanks to anyone who can point me in the right direction...

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
Matthew Dartez
  • 61
  • 1
  • 1
  • 10

1 Answers1

3

Microsoft position is correct, but needs a clarification: generally you need to deploy a separate CA server for each *forest*. For example, you don't need to deploy a separate CA in the corp.domain1.com domain, for example.

Eventually, there are two supported solutions:

  1. like Microsoft said, you have to deploy a separate CA in the each acquired AD forest. In this case, each CA there is a separate authority and can issue certificates only to respective forest clients.

  2. by having Windows Server 2008 R2 (or newer) as a CA in the parent forest, you can establish a cross-forest certificate enrollment: AD CS: Deploying Cross-forest Certificate Enrollment. This requires a two-way trust between forests. This will allow to use CA server that is located in the parent forest to deploy certificates to all trusted forest clients.

either option requires some administrative efforts. But if you are going to migrate acquired forests to parent forest, or manage them centrally, I would go with option 2. Otherwise, if each forest will have their dedicated IT personell, option 1 would be more suitable.

Also, I would like to recall that there are Enrollment Web Services, that simplify certificate enrollment process across forests. You even don't need to perform AD PKI object synchronization, because clients will use CEP/CES servers for enrollment purposes.

Crypt32
  • 6,639
  • 1
  • 15
  • 33