Cross Forest certificate Auto Enrollment Concern

Christian De Leon 96 Reputation points
2020-11-20T00:12:09.427+00:00

Hi!

Currently we have two forest with child domains: Forest A and Forest B(with child domain C). i have successfully configure cross forest certificate enrollment. CA is on Forest A and we will be deploying workstation certificates to domain C and on the parent domain in forest B. i have encountered two issues:

  1. Some computers have failed request: "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled"
  2. When using certutil -ping -config "<FQDN of domain>\<CA name>" i get RPC server unavailable. but when i try to ping the server or check ports using portqry tool for tcp 135 it push through the server

is there anything wrong with my setup? i have been stuck troubleshooting for awhile now.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,551 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,838 questions
{count} votes

Accepted answer
  1. Christian De Leon 96 Reputation points
    2020-11-26T01:08:11.573+00:00

    Hi!

    I am monitoring the behavior of the deployment of certificates from the CA and i have not seen the cross forest is not enabled from the failed request until now.
    For the RPC error. I just found out that the workstation that have this error cannot reach its parent domain in Forest B we allow it first then test manual enrollment via mmc and it has successfully enrolled the certificate.

    additional I also added domain computers group from forest B and its child domain and domain controllers group to the certificate services DCOM access in Forest A. I don't know if this also has an impact to fix the issue. But its worth a try.

    Until now Cross forest enrollment is okay. and will still monitor and update this thread if something unusual comes up.

    Thanks for all your help!
    @Vadims Podāns @Daisy Zhou @Thameur-BOURBITA

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Thameur-BOURBITA 32,986 Reputation points
    2020-11-25T12:56:27.54+00:00

    Hi,

    Check if Allow authentication permission is well configured on each forest.

    You can read this link to get more details:

    ff955845(v=ws.10)

    please don't forget to mark this reply as answer if it help you to fix your issue

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.