AD CS: Deploying Cross-forest Certificate Enrollment

ComputerHabit 486 Reputation points

I’m having trouble with AD CS: Deploying Cross-forest Certificate Enrollment. I’ve followed the article’s for 2012 r2. Things just don’t seem to work.

Right now I can see certificates assigned to a user. I am getting an error about the certificate chain.

I had used dspublish to put my ROOTCA’s and intermediate ca’s crt and Crl in.

Can anyone verify what dspublish commands to use and which certs and crls would be required? Maybe I didn’t publish the certs everywhere or used a wrong switch. A working example would be amazing.

Also in lab I have everything deployed and it works for workstation certs. It is failing for user certs. The error says it cannot find the directory object. It seems like maybe I need to do something with referrals but I don’t know what to do.


Some extra details:

We have two forests with a full trust relationship
I have one cert server in one forest. I install the addition roles all on the same server. When I installed I didn’t use a service account and opted for machine account. Delegation is setup.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
8,160 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,608 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,298 questions
{count} votes

1 answer

Sort by: Most helpful
  1. David Jenkins 941 Reputation points

    Okay I resolved my issues. It was difficult since the 2012 doc is incomplete and you have to borrow from the 2008 doc to figure it out.

    The missing part from the 2012 doc is the adding of the certs. The best way to get the certs is to login to the CA Web Service and download the certificate chain. Save each certificate in the chain. Copy over to the other Forest and install. LDAP Referrals do need to be enabled.

    REM Enable LDAP referral support on enterprise CAs.
    REM certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
    REM RUN ON DC in remote domain
    REM Verify CA is working
    certutil -config "offlineROOTCA\Cert Root PKI" -ca.cert C:\Scripts\rootcapki.cer 
    REM Install certs
    certutil -dspublish -f C:\Scripts\rootcapki.cer RootCA
    REM Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
    REM Verify CA is working
    certutil -config "\Cert Issuing PKI" -ca.cert C:\Scripts\issuingpki.cer
    REM Install certs
    certutil -dspublish -f C:\Scripts\issuingpki.cer NTAuthCA
    certutil -dspublish -f C:\Scripts\issuingpki.cer SubCA

    Also for my other error that was hard to figure out. The issue came up because we have a Forest that shares the same name space as another Forest. Basically we have overlapping forest names. Full trust and all that.


    With this I had to learn about creating LDAP referrals in AD. The article below was so helpful because Microsoft just gave you a vb script.

    To use ADSI Edit to create a cross-reference object

    1. In ADSI Edit, expand the Configuration container.
    2. Right-click the CN=Partitions container, click New , and then click Object .
    3. For Select a class , you can create objects of only class crossRef , which is already selected. Click Next .
    4. For the cn attribute, in the Value box, type a name that describes the location, and then click Next .
    5. For the nCName attribute, in the Value box, type the distinguished name for the external domain, and then click Next .
    6. For the dnsHostname attribute, in the Value box, type a DNS name for the server that hosts the domain directory partition, or type the domain name.
    7. When you are sure that your entries are correct, click Finish.

    From <>