Export (0) Print
Expand All

AD CS: Managing Cross-forest Certificate Enrollment

Updated: January 2, 2012

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

TipTip
Starting with Windows Server 2008 R2, you can utilize Certificate Enrollment Web Services to provide certificates across forests that do not require forest trust relationships. For a lab demonstration of such a configuration using Windows Server® 2012, see the Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services.

Because cross-forest certificate enrollment requires that PKI objects in all forests are the same, it is necessary to copy PKI objects from the resource forest to the account forests whenever PKI objects in the resource forest are changed.

You can perform this maintenance manually by completing the procedure described in Copying PKI objects to account forests.

However, because manual processes are prone to error and might not be completed regularly or when PKI objects changed, it is recommended to use an automated process based on the PKISync.ps1 script and examples provided in this guide.

Two examples of automation are described in this topic:

The simplest method for maintaining PKI objects for cross-forest ceriticate enrollment is to run the PKISync.ps1 script in a scheduled task.

For best results the task should run frequently. Because PKI objects are not changed frequently, copying them to account forests once daily should work well in most environments.

For information on using scheduled tasks, see

Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events that indicate a change to PKI objects.

You must configure auditing on CAs for some AD CS events to be recorded in the event log.

Complete the following procedure on each CA you want to monitor.

  1. Start an MMC console and add the Group Policy Object Editor for the local computer.

  2. In the tree view, click Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

  3. In the details pane, double-click Audit object access.

  4. Click Success, then click OK.

  5. Start the Certification Authority snap-in.

  6. In the tree view, right-click your CA and click Properties.

  7. Click the Auditing tab.

  8. Click Change CA configuration and Change CA security settings, then click OK.

  9. Restart the CA service by using the command sc stop certsvc && sc start certsvc.

The following table lists events you can monitor.

 

Event Id Event log Event source Description

26

Application

Microsoft-Windows-CertificationAuthority

Active Directory Certificate Services for %1 was started.

4882

Security

Microsoft-Windows-Security-Auditing

The security permissions for Certificate Services changed.

4892

Security

Microsoft-Windows-Security-Auditing

Certificate Services loaded a template.

4899

Security

Microsoft-Windows-Security-Auditing

A Certificate Services template was updated.

4892

Security

Microsoft-Windows-Security-Auditing

A property of Certificate Services changed.

Detailed instructions for configuring automation are not provided in this document.

Use the guidance and script provided in this document and any of the following systems to develop a solution that meets the requirements of your organization:

  • System Center Operations Manager can be used to monitor your CAs for events and alert administrators or run custom scripts or code in response to specified events.

  • Windows and Directory Access APIs can be used to subscribe to events on your CA and run custom code to manage PKI objects in AD.

  • Microsoft Forefront Identity Manager or Microsoft Identify Lifecycle Manager can be used to synchronize PKI objects in account forests with objects in the resource forest. See Microsoft Forefront Identity Manager.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft