Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries
Applies To: Windows Server 2008 R2
The certificate enrollment Web services can be deployed in multiple-forest environments to enable policy-based certificate enrollment across forest boundaries. In previous versions of Active Directory Certificate Services (AD CS), policy-based certificate enrollment can be completed only by domain member client computers that are using the DCOM protocol. This limits certificate enrollment to the trust boundaries established by Active Directory forests and results in the deployment of per-forest PKI.
Organizations with multiple forests and per-forest PKI deployments can benefit from certification authority (CA) consolidation by deploying the certificate enrollment Web services to enable enrollment across forest boundaries. Guidance for the design and deployment of this type of scenario is available at https://go.microsoft.com/fwlink/?LinkId=143457.
Additional references