ADCS PKI: Certificates for Bastion Forest from Production Forest (on premise no Azure)

RedWhiteBlack 1 Reputation point

Is there any guidance in regards to whether a Windows Server 2019 Bastion forest should be issued certificates from the Windows Server 2019 Production forest for an on-premises solution? I have searched and cannot find any answers to this question. Any advice would be appreciated.


4 answers

  1. Daisy Zhou 13,021 Reputation points Microsoft Vendor

    Hello @RedWhiteBlack ,

    Thank you for posting here.

    Based on the description, I understand you have PKI in your Production forest.

    1. Would you please describe the meaning of the "Bastion Forest" in your case, so that we can help you better?
    2. What is the relationship between Bastion Forest and Production forest?
    3. Do they have any trust relationship?

    Here we can see a bastion environment planning guide.
    Planning a bastion environment

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Daisy Zhou 13,021 Reputation points Microsoft Vendor

    Hello @RedWhiteBlack ,

    Thank you for your update.

    Does that logical separation extend to PKI as well? Or can cross forest certificates be used without breaking the bastion model?

    For cross forest certificates:

    If there is a two-way trust relationship between the two forests, we can set up Cross-Forest Certificate Enrollment.
    For more information we can refer to link below.
    AD CS: Deploying Cross-forest Certificate Enrollment

    If there is no two-way trust relationship between the two forests, we can set up Cross-Forest Certificate Enrollment.
    For more information we can refer to link below.
    Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

  3. RedWhiteBlack 1 Reputation point

    Hi Daisy,

    Thank you. Just some feedback: it would be good if there was a "PKI" tag that could be attached to PKI questions rather than having to tag them as "windows server". When we still had TechNet social, Brian Komar, Mark Cooper, vadmins and other PKI experts would be very nice and get back to you fairly promptly, which was always appreciated by the community.

    What you have said wouldn't maintain logical separation, as the bastion PRIV forest needs to provide its own services and not be reliant on the CORP forest. However, it would be really appreciated if one of your PKI experts could clarify this issue definitively.

    Kind Regards

  4. Tom Houston 166 Reputation points

    Hey @RedWhiteBlack ,

    The best practice here I believe would be to deploy a separate PKI solution in the Bastion forest. This means the Bastion environment won't be impacted if the PKI in the Corporate forest is compromised.

    Hope this helps.
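As an added example (not part of this thread), a PowerShell audit a defender could run on a host in the bastion (PRIV) forest to confirm the separation Tom describes: that no production-forest CA is trusted in the local certificate stores and none is listed in the bastion forest's NTAuthCertificates object. The CORP CA subject names are placeholders, and the script assumes the ActiveDirectory module is available on the host.

```powershell
# Added audit example, not from the thread. Run on a host in the bastion (PRIV)
# forest. The CORP CA subject names are placeholders; replace with your own.
$CorpCaSubjects = @(
    'CN=CORP-Root-CA, DC=corp, DC=example',       # placeholder
    'CN=CORP-Issuing-CA-01, DC=corp, DC=example'  # placeholder
)

function Test-CorpCa {
    param([string]$DistinguishedName)
    return $CorpCaSubjects -contains $DistinguishedName   # exact X.500 match
}

function New-Finding($Source, $Cert) {
    [pscustomobject]@{ Source = $Source; Subject = $Cert.Subject
                       Issuer = $Cert.Issuer; Thumbprint = $Cert.Thumbprint
                       NotAfter = $Cert.NotAfter }
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Local stores: a CORP CA in Root/CA, or a My certificate issued by one,
#    means this host trusts or depends on the production forest PKI.
foreach ($store in 'Root', 'CA', 'My') {
    $certs = Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue
    foreach ($c in $certs) {
        if ((Test-CorpCa $c.Subject) -or (Test-CorpCa $c.Issuer)) {
            $findings.Add((New-Finding "LocalMachine\$store" $c))
        }
    }
}

# 2. Forest-wide: NTAuthCertificates in the bastion forest's configuration
#    partition. A CORP CA listed here would allow CORP-issued certificates to
#    be used for logon in PRIV, which breaks the separation described above.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDn -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    if (Test-CorpCa $cert.Subject) { $findings.Add((New-Finding 'NTAuthCertificates' $cert)) }
}

if ($findings.Count -eq 0) { 'No production-forest CA found in local stores or NTAuth.' }
else { $findings | Format-Table -AutoSize }
```

Any row in the output is a dependency on the CORP PKI that a separate bastion-forest CA hierarchy is meant to remove.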