AD CS (PKI ) – Cross Forest Enrollment In ADCS !!TOP!! The product team worked hard to make this breakthrough functionality happen in Windows Server 2008 R2 . Now is the time to evaluate cross forest certificate enrollment in your test environment. If you have specific feedback on the whitepaper, feel free to add your comments to this blog entry. From the abstract: Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to the clients that are members of a different Active Directory (AD) forest. This process is called cross-forest certificate enrollment. This white paper will explain how the cross-forest certificate enrollment works. It will also provide deployment guidance for new and existing Active Directory Certificate Services (ADCS) deployments. The paper will cover strategies for consolidating existing certificate templates that may be already in use in the enterprise. It will present choices for ongoing management of the cross-forest certificates deployment. A PowerShell script is also provided to facilitate management tasks related to setting up and maintaining cross-forest certificate enrollment environment. Going next to the Certificate Authority, FAS uses DCOM calls that are specific to Windows Certificate Authorities. Third-party or public Certificate Authorities cannot be used. Multiple CA details can be specified within the FAS console for high availability. A central Certificate Authority can support multiple domains via cross-forest enrollment. Along the same lines, StoreFront, FAS, and the VDAs all mutually authenticate via Kerberos and, therefore, must either be in the same domain or domains that have a two-way trust between them. Windows 2012 Server provides several methods for enrolling certificates: two of these are the Certificate Enrollment Policy (CEP) and Certificate EnrollmentService (CES). The CEP web service enables users and computers to obtain certificate enrollment policy information. This information includes what types ofcertificates can be requested and what CAs can issue them. CES provides another web service that allows users and computers to perform certificate enrollment byusing the hypertext transfer protocol secure (https). To separate traffic, the CES can be installed on a computer that is separate from the CA. Together withthe CEP web service, CES enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is notconnected to the domain. CEP/CES also enables cross-forest, policy-based certificate enrollment. From the perspective of AD, Identity Management represents a separate AD forest with a single AD domain. When cross-forest trust between an AD forest root domain and an IdM domain is established, users from the AD forest domains can interact with Linux machines and services from the IdM domain. When you use the ipa trust-add command to establish a cross-forest trust with an Active Directory (AD) Domain Controller (DC), the command operates on behalf of the user who ran the command and performs the following actions on the IdM server. If you have trouble establishing a cross-forest trust, you can use this list to help narrow down and troubleshoot your issue. By default, IdM establishes a one-way trust to AD, which means it is not possible to issue cross-realm ticket-granting ticket (TGT) for resources in an AD forest. To be able to request tickets to services from trusted AD domains, configure a two-way trust. I was rebuilding my test environment with new W2K12 installations while keeping my AD domains. I had two AD forests, one called ADCORP.LAB and one called ADDMZ.LAN. ADCORP.LAB had ADCS installed on one of the RWDCs (remember, this is a TEST environment!). ADDMZ.LAN did not have ADCS installed at all. To be able to use certificates on both sides and also play with cross-certification I decided to also install ADCS on one of the RWDCs in ADDMZ.LAN.