
Cross-forest Certificate Enrollment with Windows Server 2008 R2

Microsoft Corporation
Published: August 31, 2010

Abstract
Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to the clients that are members of a different Active Directory Domain Services (AD DS) forest. This process is called cross-forest certificate enrollment. This white paper will explain how the cross-forest certificate enrollment works. It will also provide deployment guidance for new and existing Active Directory Certificate Services (AD CS) deployments. The paper will cover strategies for consolidating existing certificate templates that may be already in use in the enterprise. It will present choices for ongoing management of the cross-forest certificates deployment. A PowerShell script is also provided to facilitate management tasks related to setting up and maintaining cross-forest certificate enrollment environment.

Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2008 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
  Technical requirements
  Terms used in this guide
  New AD CS deployments for cross-forest certificate enrollment
  Consolidated AD CS deployments for cross-forest certificate enrollment
AD CS: Deploying Cross-forest Certificate Enrollment
  Deploying AD CS for cross-forest certificate enrollment
  Consolidating certificate templates from multiple forests
    Copying account forest certificate templates into the resource forest
    Consolidating certificate templates with similar purposes from multiple account forests
    Consolidating version 2 and version 3 default certificate templates
    Consolidating version 1 default certificate templates
  Copying PKI objects to account forests
  Support for CA Web Enrollment
  Decommissioning CAs in account forests
AD CS: Managing Cross-forest Certificate Enrollment
  Using a scheduled task
  Monitoring AD CS events
  Using automation
AD CS: Troubleshooting Cross-forest Certificate Enrollment
  PKI object synchronization issues
  Public key containers or default certificate templates deleted
  Certutil connection errors when connecting to a CA
AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment
  Saving PKISync.ps1
    Subsection Heading
AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment
  Saving DumpADObj.ps1
Online Version

AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2


Guidance, procedures and scripts for configuring cross-forest certificate enrollment with Windows Server 2008 R2 in a multiforest environment. Cross-forest enrollment enables enterprises to deploy a central PKI in one Active Directory Domain Services (AD DS) forest that issues certificates to domain members in other forests. Enterprises with existing per-forest AD CS deployments can reduce the number of CAs by consolidating certificate templates from multiple forests into a single PKI that serves all forests. Enterprises with multiforest environments and no PKI can deploy AD CS in one forest to provide enrollment services to all forests.

Technical requirements
Two-way forest trusts between a resource forest and account forests.
One or more enterprise CAs running on Windows Server 2008 R2.
Domain member computers in all forests running the following operating systems:
  Windows XP
  Windows Server 2003
  Windows Vista
  Windows Server 2008
  Windows 7
  Windows Server 2008 R2

Terms used in this guide


Resource forest is an AD DS forest in a multiforest environment that is designated to host enterprise CAs running on Windows Server 2008 R2 to enable certificate enrollment for domain members in all forests. The resource forest is considered the master copy of PKI objects stored across all forests.

Account forest is an AD DS forest with domain members that enroll for certificates from an enterprise CA in the resource forest.

New AD CS deployments for cross-forest certificate enrollment


This section describes an example scenario for deploying AD CS for cross-forest enrollment in an enterprise that has little or no PKI.

Example scenario 1

Contoso, Ltd is a large enterprise with multiple AD DS forests, as illustrated in Fig 1. They have not deployed AD CS because of the increased costs associated with deploying and managing a complete AD CS deployment in each forest.

Fig 1. Example multiforest deployment without AD CS

Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment, Contoso Ltd can deploy AD CS in one forest that enables certificate enrollment from domain members in all forests. Figure 2 illustrates a two-tier PKI in Forest A which allows domain members from all forests to enroll for certificates from the enterprise CA in Forest A.

Fig 2. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment

Consolidated AD CS deployments for cross-forest certificate enrollment


Example scenario 2

Contoso, Ltd is a global holding company that has implemented AD CS in a multiforest environment. Because of Contoso, Ltd's corporate structure, it is necessary to deploy one forest per subsidiary company. With no support for cross-forest certificate enrollment, AD CS was deployed in each forest. A standalone root CA was deployed to be a central trusted root for the PKI and domain members in all forests. The enterprise CA certificates in each forest and all certificates issued to domain members in all forests have a certification path ending at the trusted root CA certificate.

Fig 3. Example multiforest enterprise with per-forest AD CS deployment

With the availability of Windows Server 2008 R2, it is possible to consolidate multiple per-forest AD CS deployments into a single AD CS deployment that enables certificate enrollment from domain members in all forests. By using fewer CAs, Contoso can lower total PKI management costs.

Fig 4. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment.

AD CS: Deploying Cross-forest Certificate Enrollment


This topic provides guidance and procedures for deploying CAs and configuring AD CS for cross-forest certificate enrollment in a multiforest environment. To deploy AD CS for cross-forest certificate enrollment, complete the procedures in the following sections of this guide:

Deploying AD CS for cross-forest certificate enrollment describes procedures for deploying and configuring AD CS and PKI objects in AD DS. Procedures in this section are used for both deployment scenarios.

Consolidating certificate templates from multiple forests describes procedures for consolidating certificate templates from multiple per-forest AD CS deployments into a single PKI. Consolidation tasks are not required for new AD CS deployments.

Copying PKI objects to account forests describes procedures and scripts for copying PKI objects from AD in the resource forest to account forests. The procedures described for copying PKI objects to account forests are required for new AD CS deployments and consolidated deployments. After deployment, the procedures for copying PKI objects can be used to distribute certificate templates from the resource forest to the account forests, which is necessary to maintain consistency of PKI objects in all forests.

Deploying AD CS for cross-forest certificate enrollment


Review this entire guide and plan your deployment. Test your deployment plan in a lab or other non-production environment. Review this guide again with the test results and improve your plan before production deployment. Complete the procedure to deploy and configure AD CS for both cross-forest scenarios: New AD CS deployments and Consolidated AD CS deployments.

To deploy and configure AD CS

1. Designate a resource forest. All other forests participating in cross-forest certificate enrollment are account forests. AD CS is deployed in the resource forest to provide certificate enrollment services to domain members in all account forests. When consolidating AD CS deployments from multiple forests, you can designate an existing account forest as the resource forest. In many cases, the forest with the largest number of CAs is the best candidate for being designated a resource forest. Alternatively, a resource forest can be used solely for management of account forests and hosting AD CS for cross-forest enrollment. Two-way trusts between the resource forest and each account forest are required, but trust relationships between account forests are not required for cross-forest enrollment.

2. Create a two-way forest trust between the resource forest and account forests. See Create a two-way, forest trust for both sides of the trust.

   Notes
   If Selective Authentication is required for the forest trust, the following permissions are required:
   - Domain member computers and users in account forests must have Allow authenticate permissions to the enterprise CAs in the resource forest.
   - Enterprise CAs in the resource forest must have Allow authenticate permissions to the domain controllers in each account forest.
   - Administrators that run the scripts provided with this guide must have Allow authenticate permissions to the domain controllers in all forests. For example, if the scripts are run on a domain member computer in the resource forest, the administrator must have Allow authenticate permissions in each account forest.

3. Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA.

4. Install or upgrade one or more enterprise CAs running on Windows Server 2008 R2 in the resource forest.

   Notes
   Depending on your environment, the degree to which you are using existing PKI resources, and your level of experience with AD CS, the following references might be helpful for planning a new AD CS deployment or migrating existing AD CS deployments to Windows Server 2008 R2:
   - AD CS Advanced Lab Scenario
   - Active Directory Certificate Services Migration Guide

5. Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.

6. Add enterprise CA computer accounts to the Cert Publishers group in each account forest. See example procedures at Add a member to a group. Restart the CA by using net stop certsvc && net start certsvc.

7. Configure authority information access and CRL distribution point locations. See Specify CA certificate access points in issued certificates. In addition to specifying the access point locations in certificate templates, you must ensure that the network locations specified in certificates are online and are accessible from domain members in all resource forests. The locations can be either LDAP or HTTP depending on your certificate template configuration. See Configuring Certificate Revocation.

8. Publish the root CA certificate from the resource forest to the account forests by using Certutil.exe at a command prompt to run the following commands:
   a. certutil -config <Computer-Name>\<Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
      If you run the command on the root CA you can omit the connection information, -config <Computer-Name>\<Root-CA-Name>.
   b. certutil -dspublish -f <root-ca-cert-filename.cer> RootCA

9. Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
   a. certutil -config <Computer-Name>\<Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
   b. certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
   c. certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA

Next, you must prepare certificate templates for the certificates required by domain member computers and users in all forests. If you are performing a new AD CS deployment, the default certificate templates in the resource forest can be used or custom templates can be created to meet your requirements.

Review the list of Default certificate templates. Creating custom certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information,

To use the default certificate templates in the resource forest, skip the section on Consolidating certificate templates and continue at Copying PKI objects to account forests.

To customize the default certificate templates, see Creating Certificate Templates. Continue at Copying PKI objects to account forests after you are finished customizing the certificate templates in the resource forest.

If you are consolidating AD CS from multiple forests that have custom certificate templates which you must continue to use, then review the next section, Consolidating certificate templates from multiple forests, and complete the procedures that best meet your requirements.
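After steps 8 and 9 a PKI administrator will want to confirm that the published CA certificates actually arrived in every account forest. The following is an added example, not code from the white paper or from the PKISync.ps1 script: it reads the Public Key Services containers of the resource forest and each account forest over LDAP and reports, per resource-forest CA certificate, whether it is present in the account forest's NTAuthCertificates object, AIA container and Certification Authorities container. The forest names in the usage lines are placeholders and the function names are hypothetical.

```powershell
# Added example (not part of the white paper or PKISync.ps1). Function names are hypothetical.
# Requires an account that can read the configuration partition of every forest (the same
# account used to run the PKISync.ps1 procedures in this guide is sufficient).

function Get-PkiServicesDN {
    param([Parameter(Mandatory)][string]$ForestDns)
    # Public Key Services lives in the configuration partition, which is forest-wide.
    $rootDse  = [ADSI]"LDAP://$ForestDns/RootDSE"
    $configNc = $rootDse.psbase.Properties['configurationNamingContext'].Value
    return "CN=Public Key Services,CN=Services,$configNc"
}

function Get-PublishedCaCertificates {
    param(
        [Parameter(Mandatory)][string]$ForestDns,
        [string]$ContainerRdn,                  # e.g. 'CN=AIA'; empty searches directly under Public Key Services
        [Parameter(Mandatory)][string]$Filter   # LDAP filter selecting the objects that carry cACertificate
    )
    $pkiDn  = Get-PkiServicesDN -ForestDns $ForestDns
    $baseDn = if ($ContainerRdn) { "$ContainerRdn,$pkiDn" } else { $pkiDn }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ForestDns/$baseDn"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('cACertificate')

    # Map certificate thumbprint -> "<object cn> (<subject>)". cACertificate is multi-valued;
    # each value is one DER-encoded certificate (NTAuthCertificates holds many on one object).
    $found = @{}
    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['cn'][0]
        foreach ($der in $result.Properties['cacertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$der)
            $found[$cert.Thumbprint] = "$name ($($cert.Subject))"
        }
    }
    return $found
}

function Test-CrossForestCaPublication {
    param(
        [Parameter(Mandatory)][string]$ResourceForest,
        [Parameter(Mandatory)][string[]]$AccountForest
    )
    # The resource forest is the master copy. Its enterprise CAs (Enrollment Services objects)
    # must appear in NTAuthCertificates and AIA of each account forest (step 9); its root CAs
    # (Certification Authorities container) must appear in the same container there (step 8).
    $enterprise = Get-PublishedCaCertificates -ForestDns $ResourceForest -ContainerRdn 'CN=Enrollment Services' -Filter '(objectClass=pKIEnrollmentService)'
    $roots      = Get-PublishedCaCertificates -ForestDns $ResourceForest -ContainerRdn 'CN=Certification Authorities' -Filter '(objectClass=certificationAuthority)'

    foreach ($forest in $AccountForest) {
        $ntAuth = Get-PublishedCaCertificates -ForestDns $forest -Filter '(cn=NTAuthCertificates)'
        $aia    = Get-PublishedCaCertificates -ForestDns $forest -ContainerRdn 'CN=AIA' -Filter '(objectClass=certificationAuthority)'
        $caRoot = Get-PublishedCaCertificates -ForestDns $forest -ContainerRdn 'CN=Certification Authorities' -Filter '(objectClass=certificationAuthority)'

        foreach ($tp in $enterprise.Keys) {
            foreach ($check in @(@{ Container = 'NTAuthCertificates'; Found = $ntAuth }, @{ Container = 'AIA'; Found = $aia })) {
                [pscustomobject]@{
                    AccountForest = $forest
                    Container     = $check.Container
                    CA            = $enterprise[$tp]
                    Thumbprint    = $tp
                    Published     = $check.Found.ContainsKey($tp)
                }
            }
        }
        foreach ($tp in $roots.Keys) {
            [pscustomobject]@{
                AccountForest = $forest
                Container     = 'Certification Authorities'
                CA            = $roots[$tp]
                Thumbprint    = $tp
                Published     = $caRoot.ContainsKey($tp)
            }
        }
    }
}

# Usage (forest names are placeholders). Every row with Published = False names a certutil
# -dspublish step from the procedure above that has not yet taken effect in that account forest.
Test-CrossForestCaPublication -ResourceForest 'resource.example' -AccountForest 'accounta.example','accountb.example' |
    Where-Object { -not $_.Published } | Format-Table -AutoSize
```

Run it again after the next AD replication cycle before concluding that a publication step failed, since the account forest's domain controller answering the query may not have received the update yet.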

Consolidating certificate templates from multiple forests


Because AD CS deployments can vary greatly, the exact steps you must take to consolidate your existing certificate templates cannot be described in this guide. The goal is to reduce the number of CAs and certificate templates in a multiforest environment by creating a set of certificate templates issued by resource forest CAs that provide certificates to domain members in all forests. Based on the number of forests and certificate templates in your environment, the timeframe you have to complete AD CS consolidation, and the requirements of your organization, you can use a combination of procedures described in this section to define the set of certificate templates issued by your resource forest CAs. For each certificate template you plan to issue from the resource forest, consider which of the following methods best meets the goals and requirements of your organization and complete the procedures described in that section.
  - Copying account forest certificate templates into the resource forest
  - Consolidating certificate templates with similar purposes from multiple account forests
  - Consolidating version 2 and version 3 default certificate templates
  - Consolidating version 1 default certificate templates

The procedures described in this section require the Windows PowerShell script PKISync.ps1. Complete the procedure To Save PKISync.ps1 to a file.

Copying account forest certificate templates into the resource forest


The simplest way to consolidate AD CS from multiple forests into a single resource forest is to copy the certificate templates from all account forests into the resource forest and configure AD CS to issue certificates from the resource forest. Because all certificate templates remain available, the rate of certificate enrollment remains steady and there is no impact to users. This method reduces the number of CAs in the enterprise, but the resource forest might have multiple certificate templates for some types of certificates; for example, if certificate templates for S/MIME certificates are copied from multiple account forests into the resource forest.

Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions. The procedure must be completed for each certificate template you want to copy into the resource forest. You cannot copy multiple certificate templates simultaneously.

To copy certificate templates from an account forest to the resource forest

1. Start Windows PowerShell. Change the current directory to the location of the PKISync.ps1 script.

2. Copy the certificate template from the account forest by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Template -cn <certificate template common name>.

   Note
   If a certificate template in the resource forest has the same name as the certificate template you want to copy from the account forest, you must rename the certificate template in the account forest before copying the template to the resource forest. See Rename a Certificate Template.

3. Copy the OID container from the account forest by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Oid -f and press ENTER.

4. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.

5. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify that permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.

6. Publish the root CA certificate from the account forest to the resource forest by using Certutil.exe at a command prompt to run the following commands:
   a. certutil -config <Computer-Name>\<Account-Forest-Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
      If you are logged on to the CA you can omit the connection information, -config <Computer-Name>\<Root-CA-Name>, to connect to the local CA.
   b. certutil -dspublish -f <root-ca-cert-filename.cer> RootCA

7. Publish enterprise CA certificates from the account forest into the NTAuthCertificates and AIA containers in the resource forest.
   a. certutil -config <Computer-Name>\<Account-Forest-Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
   b. certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
   c. certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA

   Note
   Steps 6 and 7 are required because renewal requests can be signed by certificates issued by CAs in the account forests. The CA certificates from the account forests are required for certificates issued in the account forests to be valid in the resource forest.

8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.

9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.

11. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.

Consolidating certificate templates with similar purposes from multiple account forests
Instead of combining certificate templates from all account forests and managing redundant certificate templates (as described in the previous section), you can minimize the number of certificate templates in the resource forest by reviewing the certificate templates issued in each account forest based on cryptographic purpose and certificate template properties. Define a set of certificate templates for the resource forest that can replace all certificate templates in the account forests. When consolidating certificate templates from multiple account forests into a single set of templates in the resource forest, two approaches are available.

1. Stop issuing certificates in account forests by removing all certificate templates from account forest CAs, and publish certificate templates in the resource forest for all certificate types required in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose are found in a user's certificate store, which might result in a user prompt for certificate selection and possibly increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest PKI.

2. Publish certificate templates in the resource forest which supersede certificate templates in account forests, and force immediate reenrollment. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time. However, AD CS resources in account forests can be decommissioned sooner.

The procedure To consolidate certificate templates can be used for both approaches. Steps for superseding are noted. Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions. The procedure must be completed for each certificate template type you want to issue from the resource forest.

To consolidate certificate templates

1. Copy certificate templates from account forests by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Template -cn <certificate template common name>.

2. Copy the OID container from account forests by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Oid -f.

3. If you are superseding certificate templates from account forests, repeat steps 1 and 2 for all certificate templates in account forests that are superseded by the new certificate template in the resource forest.

4. Duplicate a certificate template you copied from an account forest, and customize if necessary. See Creating Certificate Templates.

5. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.

6. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify that permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.

7. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.

8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.

9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

   Note
   If you are superseding certificate templates from account forests, repeat steps 9 through 12 for each account forest you copied certificate templates from in step 1.

10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.

11. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.

12. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
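The review this section asks for (grouping account-forest templates by cryptographic purpose before defining the replacement set) can be started from an inventory. The following is an added example, not code from the white paper or from PKISync.ps1: it reads the Certificate Templates container of every forest over LDAP, groups version 2 and 3 templates by extended key usage so that templates serving the same purpose in several forests stand out, and lists common-name collisions between account forests and the resource forest, which require the rename described in the previous section before a copy. The forest names are placeholders and the function names are hypothetical.

```powershell
# Added example (not part of the white paper or PKISync.ps1). Function names are hypothetical.
# Reads pKICertificateTemplate objects from the configuration partition of each forest.

function Get-PkiTemplateInventory {
    param([Parameter(Mandatory)][string[]]$ForestDns)
    foreach ($forest in $ForestDns) {
        $rootDse  = [ADSI]"LDAP://$forest/RootDSE"
        $configNc = $rootDse.psbase.Properties['configurationNamingContext'].Value

        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$forest/CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
        $searcher.Filter     = '(objectClass=pKICertificateTemplate)'
        $searcher.PageSize   = 500
        foreach ($attr in 'cn', 'displayName', 'msPKI-Template-Schema-Version', 'pKIExtendedKeyUsage', 'msPKI-Cert-Template-OID') {
            [void]$searcher.PropertiesToLoad.Add($attr)
        }

        foreach ($r in $searcher.FindAll()) {
            $p = $r.Properties   # result property names are lower-cased by DirectorySearcher
            # Defensive: treat a template without a schema version as version 1.
            $version = if ($p.Contains('mspki-template-schema-version')) { [int]$p['mspki-template-schema-version'][0] } else { 1 }
            $oid     = if ($p.Contains('mspki-cert-template-oid')) { [string]$p['mspki-cert-template-oid'][0] } else { '' }
            # Sort the EKU OIDs so two templates with the same purpose produce the same key.
            $ekus    = if ($p.Contains('pkiextendedkeyusage')) { @($p['pkiextendedkeyusage'] | Sort-Object) } else { @() }
            [pscustomobject]@{
                Forest      = $forest
                Name        = [string]$p['cn'][0]
                DisplayName = [string]$p['displayname'][0]
                Version     = $version
                TemplateOid = $oid
                Ekus        = ($ekus -join ';')
            }
        }
    }
}

function Find-ConsolidationCandidates {
    param([Parameter(Mandatory)][object[]]$Inventory)
    # Version 2 and 3 templates with the same EKU set serve the same cryptographic purpose.
    # When such a set is published in more than one forest it is a candidate for one replacement
    # template in the resource forest. Version 1 templates are handled by their own procedure.
    $Inventory | Where-Object { $_.Version -ge 2 } |
        Group-Object Version, Ekus |
        Where-Object { @($_.Group | Select-Object -ExpandProperty Forest -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Version   = $_.Group[0].Version
                Ekus      = $_.Group[0].Ekus
                Templates = (($_.Group | ForEach-Object { "$($_.Forest):$($_.Name)" }) -join ', ')
            }
        }
}

function Find-TemplateNameCollisions {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [Parameter(Mandatory)][string]$ResourceForest
    )
    # An account-forest template whose cn already exists in the resource forest must be renamed
    # before PKISync.ps1 copies it. Default templates share names in every forest by design and
    # will appear here too; exclude them from the rename list by hand.
    $resourceNames = $Inventory | Where-Object { $_.Forest -eq $ResourceForest } | Select-Object -ExpandProperty Name
    $Inventory | Where-Object { $_.Forest -ne $ResourceForest -and $resourceNames -contains $_.Name }
}

# Usage (forest names are placeholders).
$inventory = Get-PkiTemplateInventory -ForestDns 'resource.example', 'accounta.example', 'accountb.example'
Find-ConsolidationCandidates -Inventory $inventory | Format-Table -AutoSize
Find-TemplateNameCollisions -Inventory $inventory -ResourceForest 'resource.example' | Format-Table Forest, Name, Version, TemplateOid
```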

Consolidating version 2 and version 3 default certificate templates


Because default certificate templates have the same names in all forests, the simplest approach to consolidating version 2 and version 3 default certificate templates from multiple forests is to use the default certificate templates in the resource forest and stop issuing certificates based on the default templates in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose in a user's profile might result in a user prompt for certificate selection, which could cause increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest.

Alternatively, you can supersede existing certificates in account forests by creating new certificate templates in the resource forest and configuring them to supersede certificate templates in all account forests. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time; however, AD CS resources in account forests can be decommissioned immediately.

To consolidate version 2 and version 3 default certificate templates

1. Duplicate a version 2 or version 3 default certificate template, and customize if necessary. See Creating Certificate Templates.

2. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.

3. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.

4. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.

5. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.

6. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.

   Note
   If you are superseding certificate templates from account forests, repeat steps 6 through 9 for each account forest you copied certificate templates from in step 1.

7. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.

8. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.

9. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.

Consolidating version 1 default certificate templates


For each version 1 default certificate template you want to issue, complete the following procedure.

To consolidate version 1 default certificate templates

1. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.
2. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
3. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type certutil.exe and press ENTER. The sanitized name is displayed in the command output.
4. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.
5. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.
6. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.

Copying PKI objects to account forests


Certificate enrollment objects in AD DS environments are stored in three containers, which must be copied from the resource forest to account forests to maintain consistency across all forests that are participating in cross-forest certificate enrollment. A Windows PowerShell script is provided for copying and managing the following PKI objects in AD DS:

- Enrollment services
- Certificate templates
- OID

In the cross-forest enrollment deployments described in this guide, the resource forest holds the master copy of the PKI objects. The PKI objects described in this section must be the same in all forests. To maintain consistency across all forests, PKI objects in the resource forest should be copied to account forests frequently. Scripts and examples for automated copying are described in AD CS: Managing Cross-forest Certificate Enrollment. You can use PKISync.ps1 during initial deployment and to keep resource and account forest PKI objects synchronized. PKISync.ps1 copies objects in the source forest to the target forest. Objects in the source forest are not changed by script operations.

CA certificates are not copied by PKISync.ps1. When CA certificates are renewed, you must manually publish the CA certificates to account forests by using the commands described in Deploying AD CS for cross-forest certificate enrollment.

First, complete the procedure to save PKISync.ps1 to a file, as described in AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment. Next, complete the following procedure.

To copy PKI objects by using PKISync.ps1

1. Start Windows PowerShell.
2. Type .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-f] and press ENTER. When copying from the resource forest, <SourceForestDNS> is the DNS name of the resource forest and <TargetForestDNS> is the DNS name of an account forest.

Warning: [-f] is an optional argument. When [-f] is used, objects in <TargetForestDNS> are deleted and replaced by objects with the same name from <SourceForestDNS>. When [-f] is not used, you are prompted to confirm before objects are deleted.

3. Repeat for each account forest.

Support for CA Web Enrollment


The following table describes the support for using CA web enrollment with CAs in the resource forest that are configured for cross-forest certificate enrollment.
Forest CA web enrollment is hosted in | CA web enrollment installed on CA | Type of delegation | Is supported
Resource | Yes | Not required | Yes
Resource | No | Computer | Yes
Resource | No | Constrained | Yes
Account | No | Computer | Yes
Account | No | Constrained | No

Decommissioning CAs in account forests


A goal of deploying cross-forest certificate enrollment is to reduce the number of CAs in an enterprise. After certificate templates have been removed from a CA in an account forest, the CA can be decommissioned. Complete the procedures described in the section Removing a CA from Active Directory in CA Maintenance.

AD CS: Managing Cross-forest Certificate Enrollment


Because cross-forest certificate enrollment requires that PKI objects in all forests are the same, it is necessary to copy PKI objects from the resource forest to the account forests whenever PKI objects in the resource forest are changed. You can perform this maintenance manually by completing the procedure described in Copying PKI objects to account forests. However, because manual processes are prone to error and might not be completed regularly or when PKI objects change, it is recommended to use an automated process based on the PKISync.ps1 script and the examples provided in this guide. Two examples of automation are described in this topic:

- Using a scheduled task
- Monitoring AD CS events

Using a scheduled task


The simplest method for maintaining PKI objects for cross-forest certificate enrollment is to run the PKISync.ps1 script in a scheduled task. For best results the task should run frequently. Because PKI objects are not changed frequently, copying them to account forests once daily should work well in most environments. For information on using scheduled tasks, see

Monitoring AD CS events
Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events that indicate a change to PKI objects. You must configure auditing on CAs for some AD CS events to be recorded in the event log. Complete the following procedure on each CA you want to monitor.

To enable AD CS event auditing

1. Start an MMC console and add the Group Policy Object Editor for the local computer.
2. In the tree view, click Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. In the details pane, double-click Audit object access.
4. Click Success, then click OK.
5. Start the Certification Authority snap-in.
6. In the tree view, right-click your CA and click Properties.
7. Click the Auditing tab.
8. Click Change CA configuration and Change CA security settings, then click OK.
9. Restart the CA service by using the command sc stop certsvc && sc start certsvc.

The following table lists events you can monitor.
Event Id | Event log | Event source | Description
26 | Application | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services for %1 was started.
4882 | Security | Microsoft-Windows-Security-Auditing | The security permissions for Certificate Services changed.
4892 | Security | Microsoft-Windows-Security-Auditing | Certificate Services loaded a template.
4899 | Security | Microsoft-Windows-Security-Auditing | A Certificate Services template was updated.
4892 | Security | Microsoft-Windows-Security-Auditing | A property of Certificate Services changed.
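As an added example that is not part of the white paper or of PKISync.ps1, the following PowerShell registers both automation options with schtasks.exe, which is included in Windows Server 2008 R2: a daily PKISync.ps1 run for every account forest (the scheduled task approach), and a run triggered by the Security log event IDs in the table above, which are only written once the auditing procedure above has been completed on the CA. The script paths, forest names and service account are assumed placeholders.

```powershell
# Added example; not part of the white paper or of PKISync.ps1.
# Run once on the CA being monitored. Paths (kept free of spaces so they need no
# quoting in the task command), forest names and the account are constructed placeholders.

$ScriptPath     = "C:\PKISync\PKISync.ps1"                 # where PKISync.ps1 was saved (assumed)
$WrapperPath    = "C:\PKISync\SyncAllForests.ps1"           # wrapper written by this example
$ResourceForest = "resource.example.com"                    # constructed resource forest DNS name
$AccountForests = @("accounta.example.com", "accountb.example.com")  # constructed account forests
$RunAsUser      = "RESOURCE\svc-pkisync"                    # assumed account; needs write access to the
                                                            # Public Key Services container in each account forest

# Wrapper the tasks run: one PKISync.ps1 pass per account forest, with -f so that objects
# changed in the resource forest overwrite the stale copies instead of being skipped.
$forestList  = ($AccountForests | ForEach-Object { "'" + $_ + "'" }) -join ", "
$WrapperBody = @"
foreach (`$target in @($forestList)) {
    & '$ScriptPath' -sourceforest '$ResourceForest' -targetforest `$target -f
}
"@
Set-Content -Path $WrapperPath -Value $WrapperBody

$Action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $WrapperPath"

# 1. Daily copy ("Using a scheduled task"). /RP * makes schtasks prompt for the
#    account password so that it is not stored in this script.
schtasks.exe /Create /F /TN "PKISync - daily copy" /SC DAILY /ST 02:00 `
    /RU $RunAsUser /RP * /TR $Action

# 2. Event-triggered copy ("Monitoring AD CS events"): fires on the Security log events
#    from the table that record a permission, template or CA property change. Event 26
#    (CA started) is deliberately left out; it does not indicate a PKI object change.
$Query = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and " +
         "(EventID=4882 or EventID=4892 or EventID=4899)]]"
schtasks.exe /Create /F /TN "PKISync - on CA change" /SC ONEVENT /EC Security /MO $Query `
    /RU $RunAsUser /RP * /TR $Action
```

The event-triggered task runs PKISync.ps1 once per matching event, so a burst of template edits on the CA produces several overlapping copies; the daily task still catches anything missed while auditing was disabled.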

Using automation

Detailed instructions for configuring automation are not provided in this document. Use the guidance and script provided in this document and any of the following systems to develop a solution that meets the requirements of your organization:

- System Center Operations Manager can be used to monitor your CAs for events and alert administrators or run custom scripts or code in response to specified events.
- Windows and Directory Access APIs can be used to subscribe to events on your CA and run custom code to manage PKI objects in AD DS.
- Microsoft Forefront Identity Manager or Microsoft Identity Lifecycle Manager can be used to synchronize PKI objects in account forests with objects in the resource forest. See Microsoft Forefront Identity Manager.

AD CS: Troubleshooting Cross-forest Certificate Enrollment


Common problems and resolutions related to using AD CS for cross-forest certificate enrollment are described in this section.

PKI object synchronization issues


If the PKI objects are not the same in all forests, a number of problems can occur during certificate enrollment. For example, domain members may receive errors indicating certificate template version number inconsistencies. You must ensure that the same set of PKI objects and certificate templates exists in all forests and that the attribute values on each object are the same across forests.

To compare the objects in two forests, use the command .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> -whatif. With the -whatif switch, the script displays the objects that would be copied but does not copy them. If the output for an object does not include the message "Object exists, use -f to overwrite", then the object exists in <SourceForestDNS> but not in <TargetForestDNS>.

To display an object's attribute values, use the DumpADObj.ps1 script included in this guide. See AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment. To compare the attribute values of two objects in different forests, run DumpADObj.ps1 for each object and use a program such as WinDiff.exe to compare the two output files. If WinDiff.exe is not included in the version of Windows you are using, see Windows XP Service Pack 2 Support Tools.

To display the PKI objects in AD DS, use the command certutil -viewstore <certificate store name> [<output file>].

To view root CA certificates, use certutil -viewstore "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority" [<output file>]

To view enterprise CA certificates in the NTAuthCertificates container, use certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate" [<output file>]

To view enterprise CA certificates in the AIA container, use certutil -viewstore "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority" [<output file>]
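As an added example that is not part of the white paper, PKISync.ps1 or DumpADObj.ps1, the following PowerShell performs the attribute comparison described above directly, reading one PKI object from two forests with the same System.DirectoryServices classes PKISync.ps1 uses and listing every attribute whose values differ. The forest and template names at the bottom are constructed placeholders, and the list of forest-specific attributes to skip is an assumption of this example.

```powershell
# Added example; not part of the white paper, PKISync.ps1 or DumpADObj.ps1.
# Compares one PKI object between two forests attribute by attribute.

# Containers under Public Key Services, keyed by the -type values PKISync.ps1 accepts.
$ContainerForType = @{
    "template" = "CN=Certificate Templates"
    "ca"       = "CN=Enrollment Services"
    "oid"      = "CN=OID"
}

# Attributes that legitimately differ between forests and are not reported (assumed list):
# directory metadata, and nTSecurityDescriptor, of which PKISync.ps1 copies only the DACL.
$ForestSpecific = @("distinguishedName", "objectGUID", "objectCategory", "uSNCreated",
                    "uSNChanged", "whenCreated", "whenChanged", "dSCorePropagationData",
                    "nTSecurityDescriptor", "instanceType")

function Get-PKIObjectAttributes([string]$ForestDns, [string]$Type, [string]$Cn)
{
    $forestDn = "DC=" + $ForestDns.Replace(".", ",DC=")
    $path = "LDAP://$ForestDns/CN=$Cn," + $ContainerForType[$Type.ToLower()] +
            ",CN=Public Key Services,CN=Services,CN=Configuration,$forestDn"
    $de = New-Object System.DirectoryServices.DirectoryEntry $path
    try   { $names = @($de.Properties.PropertyNames) }
    catch { return $null }                     # object does not exist in this forest

    $attrs = @{}
    foreach ($name in $names)
    {
        $coll   = $de.Properties[$name]
        $values = @()
        for ($i = 0; $i -lt $coll.Count; $i++)
        {
            $v = $coll[$i]
            # Binary values (for example pKIExpirationPeriod) are hex-encoded so that
            # they compare as strings; everything else is converted with ToString().
            if ($v -is [byte[]]) { $values += [BitConverter]::ToString($v) }
            else                 { $values += [string]$v }
        }
        # Sort so that multi-valued attributes compare independently of value order.
        $attrs[$name] = ($values | Sort-Object) -join ";"
    }
    return $attrs
}

function Compare-PKIObject([string]$SourceForest, [string]$TargetForest, [string]$Type, [string]$Cn)
{
    $src = Get-PKIObjectAttributes $SourceForest $Type $Cn
    $tgt = Get-PKIObjectAttributes $TargetForest $Type $Cn
    if ($null -eq $src) { Write-Warning "CN=$Cn does not exist in $SourceForest"; return }
    if ($null -eq $tgt) { Write-Warning "CN=$Cn does not exist in $TargetForest; copy it with PKISync.ps1"; return }

    $names = @($src.Keys) + @($tgt.Keys) | Sort-Object -Unique
    foreach ($name in $names)
    {
        if ($ForestSpecific -contains $name) { continue }
        if ($src[$name] -ne $tgt[$name])
        {
            # One record per mismatch; an empty side means the attribute is unset there.
            New-Object PSObject -Property @{ Attribute = $name; Source = $src[$name]; Target = $tgt[$name] }
        }
    }
}

# Constructed example: a template version mismatch shows up here as differing "revision"
# or "msPKI-Template-Minor-Revision" values; no output means the two copies match.
Compare-PKIObject "resource.example.com" "accounta.example.com" "template" "CrossForestUser" |
    Format-Table Attribute, Source, Target -AutoSize
```

Any attribute reported here is one that the next PKISync.ps1 run with -f will overwrite in the account forest, so the output doubles as a preview of what that copy changes.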

Public key containers or default certificate templates deleted


Problem: Default containers or certificate templates have been deleted from the Public Key Services container in AD DS.

Resolution: The default containers, objects and certificate templates can be installed to AD DS at any time by using the command certutil.exe -installdefaulttemplates. Only the default containers, objects and certificate templates are installed. Custom certificate templates cannot be restored by using certutil.exe. You should also implement a backup solution for AD DS. See Active Directory Backup and Restore in Windows Server 2008 in TechNet Magazine.

Certutil connection errors when connecting to a CA


Problem: When you run the command certutil -config <computer name\ca name> -ca.cert or certutil -config <computer name\ca name> -ping, the command fails and displays one of the error messages CertUtil: The RPC server is unavailable. or CertUtil: Access is denied.

Resolution: Add the user running the command to the CERTSVC_DCOM_ACCESS security group on the CA specified in <computer name\ca name>.

AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment


PKISync.ps1 copies objects in the source forest to the target forest. In cross-forest AD CS deployments, use PKISync.ps1 during initial deployment and to keep resource and account forest PKI objects synchronized.

Saving PKISync.ps1
To save PKISync.ps1 to a file

1. Click Copy Code at the top of the code section.
2. Start Notepad.
3. On the Edit menu, click Paste.
4. On the File menu, click Save.
5. Type a path for the file, type the file name PKISync.ps1, and click Save.
```powershell
#
# This script allows updating PKI objects in Active Directory for the
# cross-forest certificate enrollment
#
# This sample script is not supported under any Microsoft standard support
# program or service. This sample script is provided AS IS without warranty of
# any kind. Microsoft further disclaims all implied warranties including,
# without limitation, any implied warranties of merchantability or of fitness
# for a particular purpose. The entire risk arising out of the use or
# performance of the sample scripts and documentation remains with you. In no
# event shall Microsoft, its authors, or anyone else involved in the creation,
# production, or delivery of the scripts be liable for any damages whatsoever
# (including, without limitation, damages for loss of business profits, business
# interruption, loss of business information, or other pecuniary loss) arising
# out of the use of or inability to use this sample script or documentation,
# even if Microsoft has been advised of the possibility of such damages.
#

#
# Command line variables
#
$SourceForestName = ""
$TargetForestName = ""
$SourceDC = ""
$TargetDC = ""

$ObjectType = "all"
$ObjectCN = $null

$DryRun = $FALSE
$DeleteOnly = $FALSE
$OverWrite = $FALSE

function ParseCommandLine()
{
    if (2 -gt $Script:args.Count)
    {
        write-warning "Not enough arguments"
        Usage
        exit 87
    }

    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        switch($Script:args[$i].ToLower())
        {
            "-sourceforest"
            {
                $i++
                $Script:SourceForestName = $Script:args[$i]
            }
            "-targetforest"
            {
                $i++
                $Script:TargetForestName = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectCN = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i].ToLower()
            }
            "-f"
            {
                $Script:OverWrite = $TRUE
            }
            "-whatif"
            {
                $Script:DryRun = $TRUE
            }
            "-deleteonly"
            {
                $Script:DeleteOnly = $TRUE
            }
            "-targetdc"
            {
                $i++
                $Script:TargetDC = $Script:args[$i]
            }
            "-sourcedc"
            {
                $i++
                $Script:SourceDC = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}

function Usage()
{
    write-host ""
    write-host "Script to copy or delete PKI objects (default is copy)"
    write-host ""
    write-host " Copy Command:"
    write-host ""
    write-host " .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-sourceDC <SourceDCDNS>] [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-f] [-whatif]"
    write-host ""
    write-host " Delete Command:"
    write-host ""
    write-host " .\PKISync.ps1 -targetforest <TargetForestDNS> [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-deleteOnly] [-whatif]"
    write-host ""
    write-host "-sourceforest -- DNS of the forest to process object from"
    write-host "-targetforest -- DNS of the forest to process object to"
    write-host "-sourcedc     -- DNS of the DC in the source forest to process object from"
    write-host "-targetdc     -- DNS of the DC in the target forest to process object to"
    write-host "-type         -- Type of object to process, if omitted then all object types are processed"
    write-host "     CA       -- Process CA object(s)"
    write-host "     Template -- Process Template object(s)"
    write-host "     OID      -- Process OID object(s)"
    write-host '-cn           -- Common name of the object to process, do not include the cn= (ie "User" and not "CN=User")'
    write-host "                 This option is only valid if -type <> is also specified"
    write-host "-f            -- Force overwrite of existing objects when copying. Ignored when deleting."
    write-host "-whatif       -- Display what object(s) will be processed without processing"
    write-host "-deleteOnly   -- Will delete object in the target forest if it exists"
    write-host ""
    write-host ""
}

#
# Build a list of attributes to copy for some object type
#
function GetSchemaSystemMayContain($ForestContext, $ObjectType)
{
    #
    # first get all attributes that are part of systemMayContain list
    #
    $SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectType).GetDirectoryEntry()
    $SystemMayContain = $SchemaDE.systemMayContain

    #
    # if schema was upgraded with adprep.exe, we need to check mayContain list as well
    # ([void] keeps the index returned by Add() out of the function's output)
    #
    if($null -ne $SchemaDE.mayContain)
    {
        $MayContain = $SchemaDE.mayContain
        foreach($attr in $MayContain)
        {
            [void]$SystemMayContain.Add($attr)
        }
    }

    #
    # special case some of the inherited attributes
    #
    if (-1 -eq $SystemMayContain.IndexOf("displayName"))
    {
        [void]$SystemMayContain.Add("displayName")
    }
    if (-1 -eq $SystemMayContain.IndexOf("flags"))
    {
        [void]$SystemMayContain.Add("flags")
    }
    if ($ObjectType.ToLower().Contains("template") -and -1 -eq $SystemMayContain.IndexOf("revision"))
    {
        [void]$SystemMayContain.Add("revision")
    }

    return $SystemMayContain
}

#
# Copy or delete all objects of some type
#
function ProcessAllObjects($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN)
{
    $SourceObjectsDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $ObjectCN = $null

    foreach($ChildNode in $SourceObjectsDE.psbase.get_Children())
    {
        # if some object failed, we will try to continue with the rest
        trap
        {
            # CN may be null here, but that's ok. Doing best effort.
            write-warning ("Error while copying an object. CN=" + $ObjectCN)
            write-warning $_
            write-warning $_.InvocationInfo.PositionMessage
            continue
        }

        $ObjectCN = $ChildNode.psbase.Properties["cn"]
        ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE $RelativeDN $ObjectCN
        $ObjectCN = $null
    }
}

#
# Copy or delete an object
#
function ProcessObject($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN, $ObjectCN)
{
    $SourceObjectContainerDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $TargetObjectContainerDE = $TargetPKIServicesDE.psbase.get_Children().find($RelativeDN)

    #
    # when copying make sure there is an object to copy
    #
    if($FALSE -eq $Script:DeleteOnly)
    {
        $DSSearcher = [System.DirectoryServices.DirectorySearcher]$SourceObjectContainerDE
        $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
        $SearchResult = $DSSearcher.FindAll()
        if (0 -eq $SearchResult.Count)
        {
            write-host ("Source object does not exist: CN=" + $ObjectCN + "," + $RelativeDN)
            return
        }
        $SourceObjectDE = $SourceObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
    }

    #
    # Check to see if the target object exists, if it does delete if overwrite is enabled.
    # Also delete if this is a deletion only operation.
    #
    $DSSearcher = [System.DirectoryServices.DirectorySearcher]$TargetObjectContainerDE
    $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
    $SearchResult = $DSSearcher.FindAll()
    if ($SearchResult.Count -gt 0)
    {
        $TargetObjectDE = $TargetObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)

        if($Script:DeleteOnly)
        {
            write-host ("Deleting: " + $TargetObjectDE.DistinguishedName)
            if($FALSE -eq $DryRun)
            {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
            return
        }
        elseif ($Script:OverWrite)
        {
            write-host ("OverWriting: " + $TargetObjectDE.DistinguishedName)
            if($FALSE -eq $DryRun)
            {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
        }
        else
        {
            write-warning ("Object exists, use -f to overwrite. Object: " + $TargetObjectDE.DistinguishedName)
            return
        }
    }
    else
    {
        if($Script:DeleteOnly)
        {
            write-warning ("Can't delete object. Object doesn't exist. Object: " + $ObjectCN + ", " + $TargetObjectContainerDE.DistinguishedName)
            return
        }
        else
        {
            write-host ("Copying Object: " + $SourceObjectDE.DistinguishedName)
        }
    }

    #
    # Only update the object if this is not a dry run
    #
    if($FALSE -eq $DryRun -and $FALSE -eq $Script:DeleteOnly)
    {
        # Create new AD object
        $NewDE = $TargetObjectContainerDE.psbase.get_Children().Add("CN=" + $ObjectCN, $SourceObjectDE.psbase.SchemaClassName)

        # Obtain systemMayContain for the object type from the AD schema
        $ObjectMayContain = GetSchemaSystemMayContain $SourceForestContext $SourceObjectDE.psbase.SchemaClassName

        # Copy attributes defined in the systemMayContain for the object type
        foreach($Attribute in $ObjectMayContain)
        {
            $AttributeValue = $SourceObjectDE.psbase.Properties[$Attribute].Value
            if ($null -ne $AttributeValue)
            {
                $NewDE.psbase.Properties[$Attribute].Value = $AttributeValue
                $NewDE.psbase.CommitChanges()
            }
        }

        # Copy security descriptor to new object. Only DACL is copied.
        $BinarySecurityDescriptor = $SourceObjectDE.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()
        $NewDE.psbase.ObjectSecurity.SetSecurityDescriptorBinaryForm($BinarySecurityDescriptor, [System.Security.AccessControl.AccessControlSections]::Access)
        $NewDE.psbase.CommitChanges()
    }
}

#
# Get parent container for all PKI objects in the AD
#
function GetPKIServicesContainer([System.DirectoryServices.ActiveDirectory.DirectoryContext] $ForestContext, $dcName)
{
    $ForObj = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
    $DE = $ForObj.RootDomain.GetDirectoryEntry()

    if("" -ne $dcName)
    {
        $newPath = [System.Text.RegularExpressions.Regex]::Replace($DE.psbase.Path, "LDAP://\S*/", "LDAP://" + $dcName + "/")
        $DE = New-Object System.DirectoryServices.DirectoryEntry $newPath
    }

    $PKIServicesContainer = $DE.psbase.get_Children().find("CN=Public Key Services,CN=Services,CN=Configuration")
    return $PKIServicesContainer
}

#########################################################
# Main script code
#########################################################

#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap
{
    write-error "The script has encountered a fatal error. Terminating script."
    break
}

ParseCommandLine

#
# Get a hold of the containers in each forest
#
write-host ("Target Forest: " + $TargetForestName.ToUpper())
$TargetForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $TargetForestName
$TargetPKIServicesDE = GetPKIServicesContainer $TargetForestContext $Script:TargetDC

# Only need source forest when copying
if($FALSE -eq $Script:DeleteOnly)
{
    write-host ("Source Forest: " + $SourceForestName.ToUpper())
    $SourceForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $SourceForestName
    $SourcePKIServicesDE = GetPKIServicesContainer $SourceForestContext $Script:SourceDC
}
else
{
    $SourcePKIServicesDE = $TargetPKIServicesDE
}

if("" -ne $ObjectType) { write-host ("Object Category to process: " + $ObjectType.ToUpper()) }

#
# Process the command
#
switch($ObjectType.ToLower())
{
    "all"
    {
        write-host ("Enrollment Services Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
        write-host ("Certificate Templates Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
        write-host ("OID Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
    }
    "ca"
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services" $ObjectCN
        }
    }
    "oid"
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID" $ObjectCN
        }
    }
    "template"
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates" $ObjectCN
        }
    }
    default
    {
        write-warning ("Unknown object type: " + $ObjectType.ToLower())
        Usage
        exit 87
    }
}
```


AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment


Use DumpADObj.ps1 to display attribute values of an object in the specified AD DS forest. In cross-forest Active Directory Certificate Services (AD CS) deployments, use DumpADObj.ps1 to troubleshoot certificate enrollment or PKI object synchronization problems. The program LDIFDE.EXE is required for DumpADObj.ps1 to access objects in AD DS.

Saving DumpADObj.ps1
To save DumpADObj.ps1 to a file

1. Click Copy Code at the top of the code section.
2. Start Notepad.
3. On the Edit menu, click Paste.
4. On the File menu, click Save.
5. Type a path for the file, type the file name DumpADObj.ps1, and click Save.
```powershell
#
# This script dumps certificate template/CA information using ldifde.exe
#

#
# Command line arguments
#
$ForestName = ""
$DCName = ""
$ObjectType = ""
$ObjectName = ""
$OutFile = ""

function ParseCommandLine()
{
    if (10 -gt $Script:args.Count)
    {
        write-warning "Not enough arguments"
        Usage
        exit 87
    }

    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        switch($Script:args[$i].ToLower())
        {
            "-forest"
            {
                $i++
                $Script:ForestName = $Script:args[$i]
            }
            "-dc"
            {
                $i++
                $Script:DCName = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectName = $Script:args[$i]
            }
            "-file"
            {
                $i++
                $Script:OutFile = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}

function Usage()
{
    write-host ""
    write-host "Script to display attribute values of certificate template or CA object in AD"
    write-host ""
    write-host "dumpadobj.ps1 -forest <DNS name> -dc <DC name> -type <template|CA> -cn <Name> -file <output file>"
    write-host ""
    write-host "-forest -- DNS of the forest to process object from"
    write-host "-dc     -- DNS or NetBios name of the DC to target"
    write-host "-type   -- Template or CA"
    write-host "-cn     -- Template or CA name"
    write-host "-file   -- Output file"
    write-host ""
}

#########################################################
# Main script code
#########################################################

#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap
{
    write-error "The script has encountered a fatal error. Terminating script."
    break
}

ParseCommandLine

write-host ""
write-host "Effective settings:"
write-host ""
write-host "  Forest: $ForestName"
write-host "  DC: $DCName"
write-host "  Type: $ObjectType"
write-host "  Name: $ObjectName"
write-host "  File: $OutFile"
write-host ""

#
# Set type specific variables
#
switch($ObjectType.ToLower())
{
    "template"
    {
        $ObjectContainerCN = ",CN=Certificate Templates"
        $ObjectSchema = "pKICertificateTemplate"
    }
    "ca"
    {
        $ObjectContainerCN = ",CN=Enrollment Services"
        $ObjectSchema = "pKIEnrollmentService"
    }
    default
    {
        write-warning ("Unknown object type: " + $ObjectType)
        Usage
        exit 87
    }
}

#
# Build full DN for the object
#
$ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")
$ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key Services,CN=Services,CN=Configuration," + $ForestDN

#
# Build list of attributes to display
#
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $ForestName
$SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectSchema).GetDirectoryEntry()
$AttrList = $SchemaDE.systemMayContain

if($null -ne $SchemaDE.mayContain)
{
    $MayContain = $SchemaDE.mayContain
    foreach($attr in $MayContain)
    {
        [void]$AttrList.Add($attr)
    }
}

if (-1 -eq $AttrList.IndexOf("displayName"))
{
    [void]$AttrList.Add("displayName")
}

if (-1 -eq $AttrList.IndexOf("flags"))
{
    [void]$AttrList.Add("flags")
}

if ($ObjectType.ToLower().Equals("template") -and -1 -eq $AttrList.IndexOf("revision"))
{
    [void]$AttrList.Add("revision")
}

# Join the attribute names into the comma-separated list ldifde.exe expects for -l
$SB = New-Object System.Text.StringBuilder
for($i = 0; $i -lt $AttrList.Count; $i++)
{
    [void]$SB.Append($AttrList[$i])
    if($i -lt ($AttrList.Count - 1))
    {
        [void]$SB.Append(",")
    }
}
$AttrListString = $SB.ToString()

#
# Build command line and execute
#
$CommandLine = "-d """ + $ObjectFullDN + """ -p Base -l """ + $AttrListString + """ -f """ + $OutFile + """ -s " + $DCName
Invoke-Expression "ldifde.exe $CommandLine" > ldifde.out.txt
type "$OutFile"
```


Online Version
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2 http://technet.microsoft.com/en-us/library/ff955842.aspx
