
Cross-forest Certificate Enrollment with Windows Server 2008 R2

Microsoft Corporation
Published December 23, 2008
Contributors: Carsten Kinder, Alex Radutskiy, and Shawn Corey
Version 1.3

Abstract
Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to clients that are members of a different Active Directory (AD) forest. This process is called cross-forest certificate enrollment. This white paper explains how cross-forest certificate enrollment works. It also provides deployment guidance for new and existing Active Directory Certificate Services (ADCS) deployments. The paper covers strategies for consolidating existing certificate templates that may already be in use in the enterprise, and presents choices for ongoing management of the cross-forest certificate deployment. A PowerShell script is also provided to facilitate management tasks related to setting up and maintaining a cross-forest certificate enrollment environment.

Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, Windows Server 2008 R2, Windows XP, PowerShell are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
Abstract
Copyright Information
Contents
Introduction
Prerequisites
Glossary
New ADCS Deployment
    Scenario
    Configuration Requirements Overview
    Deployment Tasks
        Setting up a Bi-Directional Forest Trust
        Installing Windows Server 2008 R2 CA
        Configuring Certificate Templates in the Resource Forest
        Configuring CA for Cross-forest Certificate Enrollment
        Copying ADCS Objects from the Resource Forest into the Account Forest
Consolidating Existing ADCS Deployment
    Scenario
    Deployment Tasks
        Identifying a Resource Forest
        Installing and Configuring CA for Cross-forest Certificate Enrollment
        Consolidating Certificate Templates
        Decommission Account Forest CAs
Cross-forest Certificate Enrollment Monitoring
    Scheduled Updates
    Monitoring CA Events
    Using Active Directory Tools
    Using Active Directory APIs
    Considerations for Using Certificate Web Enrollment Pages
Cross-forest CA Troubleshooting
    Built-in templates have been accidentally deleted
    ADCS AD containers are missing
    Unreachable CA
    Synchronization Issues
Script - PKISync.ps1
Script - dumpadobj.ps1


Introduction
Prior to Windows Server 2008 R2, an enterprise Certification Authority (CA) was limited to issuing certificates only to clients that belong to the same Active Directory (AD) forest. Therefore, users and client computers would only attempt to enroll for certificates from a CA in their local forest, especially in autoenrollment scenarios. This functional boundary forced PKI administrators to install at least one CA per forest. Thus, organizations with multi-forest AD environments had to operate multiple CAs, which in turn increased operational costs for those organizations. The cross-forest certificate enrollment functionality supported by the Windows Server 2008 R2 CA allows clients to enroll for a certificate from a CA that is part of a different AD forest. It can help reduce the number of CAs in a multi-forest environment. Also, it enables environments with multiple AD forests to deploy a central certification authority with low total cost of ownership. Finally, cross-forest certificate enrollment is implemented in a way that doesn't require any upgrade to the clients' operating systems. This document covers two main scenarios that are applicable for cross-forest enrollment. The New ADCS Deployment section explains how to implement cross-forest certificate enrollment in an environment that does not have existing enterprise CAs installed. The Consolidating Existing ADCS Deployment section provides guidance on how to consolidate an existing multi-forest ADCS deployment in favor of cross-forest certificate enrollment.

Prerequisites
A reader of this white paper should be familiar with deploying a CA in an enterprise environment by using certificate templates. For more information on this see Active Directory Certificate Services: http://go.microsoft.com/fwlink/?LinkID=127816

Implementing and Administering Certificate Templates in Windows Server 2008: http://go.microsoft.com/fwlink/?LinkID=115127

Glossary
Resource Forest: An Active Directory forest that hosts the Windows Server 2008 R2 CA that is configured to issue certificates to users and computers from other trusted forests. This forest also holds the master copy of the Active Directory objects that are used by the Active Directory Certificate Services (ADCS) clients and servers.

Account Forest: An Active Directory forest in which users and computers enroll for certificates from a Windows Server 2008 R2 CA located in another forest.

New ADCS Deployment


This section explains how cross-forest certificate enrollment can be deployed in an Active Directory environment with multiple forests and no enterprise CAs installed.

Scenario
Contoso is a large enterprise that has deployed and acquired multiple Active Directory forests over the years. Currently, Contoso has not implemented ADCS because of the high total cost of ownership associated with deploying ADCS in multiple forests. The diagram below illustrates Contoso's current Active Directory environment.

With the availability of Windows Server 2008 R2, Contoso's IT department is now able to deploy ADCS at a much lower cost. As illustrated in the diagram below, Contoso has deployed a two-tier hierarchy that allows users and computers from all of Contoso's forests to enroll for certificates from an enterprise CA installed in forest A.

[Diagram: Root CA; Enterprise CA in Active Directory Forest A; forest trusts between Forest A and Active Directory Forests B and C; users and Windows client computers in each forest]

Configuration Requirements Overview

Cross-forest certificate enrollment has these configuration requirements:
- A bi-directional forest trust relationship is established between the resource forest and the account forest.
- A Windows Server 2008 R2 Enterprise CA must be set up in the forest acting as the resource forest.
- The users and client computers in every account forest must be permitted to enroll for certificate templates issued by the CA in the resource forest.
- The issuing CA must be configured to support LDAP referrals.
- The issuing CA must be added to the Cert Publishers group in every account forest.
- AIA and CRL distribution points must be accessible from every account forest.
- The root CA certificate that the issuing CA chains up to must be trusted by clients in every account forest.
- The issuing CA certificate should be published in the NTAuth store in every account forest.
- The CA object of the Windows Server 2008 R2 CA in the resource forest must be made available in the Enrollment Services container in every account forest.
- Certificate templates must be copied from the resource forest to every account forest.
- The client computers must be at least Windows XP or Windows Server 2003.

Deployment %as&s
This section describes the steps that an administrator needs to perform to enable cross-forest certificate enrollment. Once all setup steps from this section have been performed, users or client computers that are members of the account forests will be able to enroll for certificates from enterprise CAs in the resource forest.

Setting up a Bi-Directional Forest Trust
Cross-forest enrollment only works between forests that are using at least the Windows Server 2003 forest functional level because a bi-directional forest trust is required between the resource and account forests. The reason for the bi-directional forest trust is that users from the account forest must be permitted on the certificate templates in the resource forest where the certification authority is located. At the same time, the issuing certification authority must be able to verify the requestor's identity based on its Kerberos token and be able to access Active Directory in the account forest to build certificate subject name information. For information about setting up a forest trust and associated security considerations see Administering Domain and Forest Trusts at http://go.microsoft.com/fwlink/?LinkId=131499. If Selective Authentication is required for the trust, the following considerations exist for cross-forest certificate enrollment:
1. Certificate requestors (machines or users) in the account forest need to have "Allow Authenticate" access to the CAs in the resource forest.
2. CAs in the resource forest need to have "Allow Authenticate" access to all DCs in the requestor's domain to be able to access user or computer objects of requestors.
3. An administrator running scripts included in this paper needs "Allow Authenticate" access to the DC in the other forest.

Installing Windows Server 2008 R2 CA
Any cross-forest certificate enrollment requires the existence of at least one Windows Server 2008 R2 CA in a resource forest. The CA must be installed on an Enterprise or a Datacenter SKU of Windows Server to support clients from a different Active Directory forest. The installation of an enterprise certification authority used for cross-forest enrollment should follow the general practices recommended by Microsoft. For more information see Active Directory Certificate Services Step-by-Step Guide at http://go.microsoft.com/fwlink/?LinkId=137417.

Configuring Certificate Templates in the Resource Forest
In addition to the usual steps in setting up certificate templates, users or computers from an account forest should be given Enroll and, in most cases, Autoenroll permissions on templates that will be used in the enterprise. It is recommended to use universal or global groups to control permissions on the certificate templates. These types of groups are best suited for permission management in a distributed multi-forest configuration since they can be used across forest boundaries.

Configuring CA for Cross-forest Certificate Enrollment
In addition to normal CA configuration, the CA must be configured to allow LDAP referrals, have its certificate published to the NTAuth certificate store in every account forest, have its root certificate trusted by clients in every account forest, and have its machine account added to the Cert Publishers group in every account forest. Also, CRL and AIA distribution points must be configured to be accessible by clients in every account forest. These tasks are explained in detail in the following subsections.

Enabling LDAP Referrals on the CA
In order for the CA to access user and computer objects in another forest, it has to be able to chase LDAP referrals returned from the CA's domain controller (DC). The ability to do this is a new feature in Windows Server 2008 R2. However, it is turned off by default, so to turn on support for LDAP referrals run the following command on the CA at a command line with local administrator permissions:
certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS

To undo the configuration change, run the following command:


certutil -setreg Policy\EditFlags -EDITF_ENABLELDAPREFERRALS

To apply changes to the EditFlags configuration parameter, the CA service must be restarted. To do this from a command line, run the following command on the CA computer with local administrator permissions:
net stop certsvc && net start certsvc
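As an added example that is not part of the white paper, the following script reads the EditFlags value of the active CA from the registry and reports whether the LDAP referral bit is set, which is useful for confirming the change above or for auditing a CA's policy-module flags. It assumes the standard CertSvc registry layout (the Configuration key's `Active` value names the CA instance) and the EDITF_ENABLELDAPREFERRALS bit value 0x00080000 from the CA policy-module flag definitions; run it on the CA with administrator rights.

```powershell
# Added example (not from the white paper): reports whether EDITF_ENABLELDAPREFERRALS
# is set on the active CA. Registry layout is the standard CertSvc configuration location;
# 0x00080000 is the EDITF_ENABLELDAPREFERRALS flag value.
function Get-CaLdapReferralSetting {
    $EDITF_ENABLELDAPREFERRALS = 0x00080000

    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The "Active" value names the CA instance whose subkey holds the policy-module settings
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $editFlags = [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

    New-Object PSObject -Property @{
        CA                   = $caName
        EditFlags            = ('0x{0:X8}' -f $editFlags)
        LdapReferralsEnabled = (($editFlags -band $EDITF_ENABLELDAPREFERRALS) -ne 0)
        # The policy module reads EditFlags at service start, so a value changed with
        # certutil -setreg is not in effect until CertSvc has been restarted.
        ServiceStatus        = (Get-Service -Name CertSvc).Status
    }
}

Get-CaLdapReferralSetting | Format-List
```

The built-in equivalent for the raw value is `certutil -getreg Policy\EditFlags`; the script adds the bit decoding and the service state so that a pending but not yet applied change is visible.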

Adding CA Machine Account to Cert Publishers Group
When an enterprise CA is installed, its machine account is automatically added to the Cert Publishers group in its Active Directory forest. This allows the CA to publish issued certificates to user objects in AD. However, to allow the CA to work with clients from other forests, the CA must be added to the Cert Publishers group in every account forest.

Configuring AIA and CRL Distribution Points
There are special considerations for defining AIA and CRL distribution points in the cross-forest certificate enrollment scenario. As clients enroll and use certificates issued by a CA from another forest, they will attempt to download objects from the distribution points defined on the Extensions tab of the CA properties. The administrator must confirm that those locations are accessible by clients in every account forest. Also, administrators should consider the increased load on servers that service those distribution points. For example, an LDAP distribution point in the resource forest will be accessed by clients from all forests in the enterprise and will increase load on the DCs in the resource forest.

Publishing Root Certificate into Account Forest
The availability of the root CA certificate is mandatory to establish a trust relationship between a certificate enrollee and an issuing certification authority. Therefore, the root CA certificate that the issuing CA's certificate chains up to must be published into each account forest. To publish a root CA certificate into the enterprise-wide configuration of an Active Directory environment, export the latest root CA certificate into a file by running this command:
certutil -config <CA machine name>\<CA Name> -ca.cert <file name>

For example:
certutil -config Cont-CA1\ContosoCA -ca.cert ContosoCA1.cer

As a next step, run the following command in every account forest. Run this command with Enterprise Admins permissions in that forest:
certutil -dspublish -f <RootCACertificateFile> RootCA

For example:
certutil -dspublish -f ContosoCA1.cer RootCA

Note: RootCA is a fixed command-line option and must be specified as is in the above command.
Note: The new certificate will not be in the Root stores on the clients until the next group policy update occurs. Active Directory replication may also affect this. Windows enrollment clients (the MMC Certificate Enrollment wizard and autoenrollment) will not enroll from a CA that is not trusted, so it is important for this certificate to reach the client's Root store before enrollment can succeed. To confirm that the certificate has been added to the store, the following command can be used:
certutil -viewstore -ldap "ldap:///CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority"

To delete a certificate from the store, the following command can be used:
certutil -viewdelstore -ldap "ldap:///CN=<CAName>,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?base?objectClass=certificationAuthority"


The command shows the list of certificates that are currently stored in the store. By selecting a certificate and then clicking OK you can remove it from the certificate store. Before executing this command replace <CAName> with the CA's sanitized common name.
Note: The '-dspublish', '-viewstore', and '-viewdelstore' commands support specifying a target DC via the '-dc' parameter. It is recommended to use the '-dc' parameter to get consistent results.

Publishing Issuing CA Certificate to the NTAuth Certificate Store
The Public Key Services container of every Active Directory forest contains an Active Directory object called NTAuthCertificates. The NTAuthCertificates object is a certificate store (NTAuth) that contains the CA certificates that are trusted to issue certificates for Windows authentication, for example during smart card logon. CAs that perform key archival must have their certificates in this store as well.
Note: No certificates other than those of issuing CAs should be part of the NTAuthCertificates object.
To add the certificate of an issuing CA from a file to the NTAuthCertificates store, Enterprise Admins permissions are required. To perform this task, run the following command at a command line:
certutil -dspublish -f <CAcertificate.cer> NTAuthCA

For example:
certutil -dspublish -f ContosoCA1.cer NTAuthCA

Any authenticated user can look into the NTAuthCertificates object with the following single-line command:
certutil -viewstore -ldap "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate"

For example:
certutil -viewstore -ldap "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate"

In case a certificate was wrongly added to the NTAuthCertificates container, it can be deleted with the following single-line command:

certutil -viewdelstore -ldap "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate"

For example:
certutil -viewdelstore -ldap "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate"

The command shows the list of certificates that are currently stored in the store. By selecting a certificate and then clicking OK you can remove it from the certificate store.

Publishing Issuing CA Certificates into Account Forest
Although not required for cross-forest certificate enrollment specifically, it is recommended to publish issuing CA certificates into the account forest's AIA container. This prevents certificate validation failures that may happen before the resource forest's AIA containers are accessible to the computers verifying a certificate issued by one of the resource forest CAs. The autoenrollment service proactively downloads those certificates from the AIA container and stores them in the computer's Intermediate Certification Authorities store, allowing them to be used during certificate validation. To publish an issuing CA certificate into the enterprise-wide configuration of an Active Directory environment, export the latest issuing CA certificate into a file by running this command:
certutil -config <CA machine name>\<CA Name> -ca.cert <file name>

For example:
certutil -config Cont-CA1\ContosoCA -ca.cert ContosoCA1.cer

As a next step, run the following command in every account forest. Run this command with Enterprise Admins permissions in that forest:
certutil -dspublish -f <IssuingCACertificateFile> SubCA

For example:
certutil -dspublish -f ContosoCA1.cer SubCA

Note: SubCA is a fixed command-line option and must be specified as is in the above command.

Note: The new certificate will not be in the Intermediate Certification Authorities stores on the clients until the next group policy update occurs. Active Directory replication may also affect this. To confirm that the certificate has been added to the store, the following command can be used:
certutil -viewstore -ldap "ldap:///CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?one?objectClass=certificationAuthority"

To delete a certificate from the store, the following command can be used:
certutil -viewdelstore -ldap "ldap:///CN=<CAName>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate?base?objectClass=certificationAuthority"

The command shows the list of certificates that are currently stored in the store. By selecting a certificate and then clicking OK you can remove it from the certificate store. Before executing this command replace <CAName> with the CA's sanitized common name.

Copying ADCS Objects from the Resource Forest into the Account Forest
There are three types of AD objects that are involved in certificate enrollment in enterprise deployments. Objects under the Enrollment Services container represent issuing CAs. Objects under the Certificate Templates container represent certificate templates. Objects under the OID container represent OIDs that are used in certificate templates. These containers are located in Active Directory under the path:
CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>
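The three forest-wide certificate stores described in the preceding sections (RootCA under Certification Authorities, NTAuth, and SubCA under AIA) all live beneath this Public Key Services path and keep their certificates in the `cACertificate` attribute. The following script is an added example, not part of the white paper, that decodes every certificate in those three stores and prints subject, thumbprint and expiry, so that a publish can be verified and expired or unexpected entries (for instance a certificate in NTAuth that does not belong to an issuing CA) can be spotted in one pass. The optional `-DomainController` parameter plays the role of certutil's `-dc` option; everything else is resolved from RootDSE.

```powershell
# Added example (not part of the white paper): lists the CA certificates held by the
# RootCA, NTAuth and SubCA (AIA) stores of the current forest, decoded from cACertificate.
# -DomainController is optional and gives consistent results, like certutil's -dc.
param([string]$DomainController)

function Get-AdPkiStoreCertificates {
    param([string]$Dc)
    $prefix   = if ($Dc) { "LDAP://$Dc/" } else { 'LDAP://' }
    $configNc = ([ADSI]"${prefix}RootDSE").configurationNamingContext
    $pks      = "CN=Public Key Services,CN=Services,$configNc"

    # RootCA and SubCA keep one child object per CA; NTAuthCertificates is a single object
    # whose multi-valued cACertificate attribute holds every trusted issuing CA.
    $stores = @(
        @{ Name = 'RootCA (Certification Authorities)'; Dn = "CN=Certification Authorities,$pks"; PerCaObject = $true  },
        @{ Name = 'NTAuth';                            Dn = "CN=NTAuthCertificates,$pks";         PerCaObject = $false },
        @{ Name = 'SubCA (AIA)';                       Dn = "CN=AIA,$pks";                        PerCaObject = $true  }
    )

    foreach ($store in $stores) {
        $entry   = [ADSI]"$prefix$($store.Dn)"
        $objects = if ($store.PerCaObject) { $entry.Children } else { @($entry) }
        foreach ($obj in $objects) {
            foreach ($der in $obj.Properties['cACertificate']) {
                try {
                    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
                } catch {
                    # An empty store can carry a placeholder value that is not a certificate
                    Write-Warning "$($store.Name): skipping value that is not a DER certificate"
                    continue
                }
                New-Object PSObject -Property @{
                    Store      = $store.Name
                    Object     = [string]$obj.Properties['cn'].Value
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                }
            }
        }
    }
}

Get-AdPkiStoreCertificates -Dc $DomainController |
    Sort-Object Store, Subject |
    Format-Table Store, Object, Subject, Thumbprint, NotAfter, Expired -AutoSize
```

Run against each account forest after the dspublish steps, the output should show the resource forest's root certificate under RootCA and the issuing CA's certificate under both NTAuth and SubCA; anything else listed under NTAuth deserves a second look, since that store decides which CAs may issue certificates for Windows authentication.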

The script provided in section Script - PKISync.ps1 of this white paper allows copying the object types listed above. It is a PowerShell script and must be executed in a PowerShell command window. For more information on Windows PowerShell see http://go.microsoft.com/fwlink/?LinkID=128118. Copying objects from the resource forest into the account forest is a process that must be completed during initial setup and must be repeated after any of these events have occurred:
1. Certificate template addition, deletion or change.
2. Addition or removal of a certificate template from an issuing CA.
3. Install or uninstall of a CA.
4. CA certificate renewal.
5. Change of the security permissions on the CA.
It is recommended that all of the objects are copied every time one of the above changes has occurred to make sure that there is no difference between the resource and account forests. To run the script that copies the ADCS objects from the resource forest into the account forest, enterprise permissions in the account forest are required.
Note: Applications such as the Certificate Manager snap-in that use the Windows Crypto APIs to look up certificate template display names, certificate policy statement (CPS) URLs and names, and Application Policies names implicitly retain a cache of the OID objects in their memory that gets refreshed every eight hours. When an OID object is copied from one forest to another, such applications may not be able to look up the new OIDs right away due to this caching mechanism. This however doesn't prevent certificates from being used or enrolled for. Only user interface components are affected. To refresh the cache before it expires, the application must be restarted.
Note: The Windows operating system maintains a local certificate template cache in the registry. When certificate templates are updated either via the Certificate Templates snap-in or by using the PKISync.ps1 script, the changes will not be seen by the domain clients immediately, which can cause temporary enrollment failures or a stale view in the Certificate Templates snap-in. This is acceptable in most cases because general Active Directory replication delays may result in the same types of failures. However, when testing certificate template configurations, clearing the cache may be required. For more information on how to clear the cache see http://support.microsoft.com/kb/281260.

Copying All ADCS Objects
To copy all ADCS objects required for cross-forest certificate enrollment run:
.\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-f]


Specify the DNS name of the resource forest as the SourceForestDNS parameter and the DNS name of the account forest as the TargetForestDNS parameter. Use the -f switch to overwrite existing objects. For example, the command below updates all objects from the resource forest to the account forest:
.\PKISync.ps1 -sourceforest res.contoso.com -targetforest acct.contoso.com -f

Note: When using the '-f' switch, existing objects may be overwritten unintentionally. To examine which objects will be touched without actually writing new values, run the script with the '-whatif' switch first. Before running the script, you should be aware of the following behavior: objects that exist only in the account forest are not deleted or modified by this script. In the case of CA certificate renewal, new certificates may need to be published as described in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store. Since these actions constitute a trust decision and should be a conscious choice on the part of the account forest administrator, the script doesn't attempt to complete them.

Note: Microsoft does not support modification of ADCS objects in Active Directory except through the Certificate Templates snap-in or the Certification Authority snap-in. However, to enable cross-forest enrollment, the script provided with this white paper permits modification of ADCS objects in a limited manner by only copying objects that were already created through other means such as the Certificate Templates snap-in.

Deleting Certificate Template or CA Objects
When a certificate template has been deleted or a CA has been uninstalled, you can update the account forest by running the script. For example, to delete a template execute:
.\PKISync.ps1 -targetforest acct.contoso.com -type Template -cn MyTemplate -deleteOnly
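Because the copy has to be repeated after every template change and the script never deletes account-forest objects, it helps to be able to tell, before or after a run, whether the account forest copy is still current. The following script is an added example, not part of the white paper and not the PKISync.ps1 script, that compares the Certificate Templates containers of two forests by template name, template OID and major.minor revision, and reports templates that are missing in the account forest, stale, or present only there. The forest names `res.contoso.com` and `acct.contoso.com` are the hypothetical names used in this paper's examples, and the attributes read (`revision`, `msPKI-Template-Minor-Revision`, `msPKI-Cert-Template-OID`) are the standard pKICertificateTemplate attributes.

```powershell
# Added example (not part of the white paper, not PKISync.ps1): compares the
# Certificate Templates container of the resource forest with the copy in an account forest.
param(
    [string]$SourceForest = 'res.contoso.com',   # resource forest (master copy); hypothetical
    [string]$TargetForest = 'acct.contoso.com'   # account forest (copy); hypothetical
)

# First value of a search-result attribute, or $null when the attribute is absent
function Get-FirstValue($searchResult, [string]$attribute) {
    $values = $searchResult.Properties[$attribute]
    if ($values.Count -gt 0) { $values[0] } else { $null }
}

# Returns a hashtable cn -> {Cn, Major, Minor, Oid} for every template in the forest
function Get-TemplateRevisions {
    param([string]$ForestDns)
    $configNc = ([ADSI]"LDAP://$ForestDns/RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$ForestDns/CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'revision', 'msPKI-Template-Minor-Revision', 'msPKI-Cert-Template-OID'))

    $templates = @{}
    foreach ($r in $searcher.FindAll()) {
        $cn = [string](Get-FirstValue $r 'cn')
        $templates[$cn] = New-Object PSObject -Property @{
            Cn    = $cn
            Major = [int](Get-FirstValue $r 'revision')
            Minor = [int](Get-FirstValue $r 'msPKI-Template-Minor-Revision')   # absent on some v1 templates, so 0
            Oid   = [string](Get-FirstValue $r 'msPKI-Cert-Template-OID')
        }
    }
    return $templates
}

function Compare-TemplateForests {
    param([string]$Source, [string]$Target)
    $src = Get-TemplateRevisions -ForestDns $Source
    $dst = Get-TemplateRevisions -ForestDns $Target

    foreach ($cn in ($src.Keys | Sort-Object)) {
        $s = $src[$cn]
        $d = $dst[$cn]
        $state = if (-not $d) { 'MissingInTarget' }                       # never copied, or deleted
                 elseif ($s.Oid -ne $d.Oid) { 'OidMismatch' }             # same name, different template
                 elseif ($s.Major -ne $d.Major -or $s.Minor -ne $d.Minor) { 'RevisionMismatch' }  # copy is stale
                 else { 'InSync' }
        $targetRev = if ($d) { "$($d.Major).$($d.Minor)" } else { '-' }
        New-Object PSObject -Property @{ Template = $cn; State = $state; Source = "$($s.Major).$($s.Minor)"; Target = $targetRev }
    }
    # The copy script never deletes objects in the account forest, so list these separately
    foreach ($cn in ($dst.Keys | Where-Object { -not $src.ContainsKey($_) } | Sort-Object)) {
        New-Object PSObject -Property @{ Template = $cn; State = 'OnlyInTarget'; Source = '-'; Target = "$($dst[$cn].Major).$($dst[$cn].Minor)" }
    }
}

Compare-TemplateForests -Source $SourceForest -Target $TargetForest |
    Format-Table Template, State, Source, Target -AutoSize
```

Run it as a user who can read both configuration partitions (the selective-authentication note earlier applies to the cross-forest read). A `RevisionMismatch` after a template edit means the copy has not been rerun yet; an `OidMismatch` means a template of the same name was created independently in both forests and should be resolved by hand rather than overwritten with `-f`.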


Logging
To generate logs while running the script, use the start-transcript and stop-transcript PowerShell cmdlets. For example:
start-transcript mylog.txt
.\PKISync.ps1 -sourceforest res.contoso.com -targetforest acct.contoso.com -f
stop-transcript

Consolidating Existing ADCS Deployment


Windows environments with an existing Windows CA infrastructure may also benefit from cross-forest enrollment because the number of certification authorities can be reduced. Before Windows Server 2008 R2 became available, an enterprise certification authority was required in every Active Directory forest, so redundant CAs may have been deployed where a single CA would have been able to handle the load.

Scenario
Contoso is a global holding company that has already implemented Active Directory Certificate Services (ADCS). Because of Contoso's holding structure, it was a requirement to deploy multiple forests to keep sub-companies separate from each other. When Contoso deployed certificates for data encryption and authentication, they recognized that they had to install an enterprise issuing CA into each of their existing forests. To maintain a central trust anchor for the entire company, they have also deployed a standalone offline root CA. All enterprise issuing certification authorities received their CA certificate from that standalone offline root CA. The following diagram illustrates the Active Directory environment that Contoso has implemented with Windows Server 2008.


[Diagram: offline Root CA; one Enterprise CA in each of Active Directory Forest A, Forest B and Forest C; users and Windows client computers in each forest]

With the availability of Windows Server 2008 R2, the CA management team at Contoso decided to consolidate the ADCS deployment so that only a small number of enterprise certification authorities is required to provide certificate services for all sub-companies. As you can see from the picture below, the Enterprise CAs from forests B and C have been consolidated into a single Enterprise CA in forest A. The new architecture for the consolidated ADCS deployment is illustrated in the following diagram:


[Diagram: Root CA; single Enterprise CA in Active Directory Forest A; forest trusts between Forest A and Active Directory Forests B and C; users and Windows client computers in each forest]

With the new architecture in place, users and computers that are members of forest B or C can now enroll for certificates from an Enterprise CA located in forest A.

Deployment %as&s
.he deplo(ment tas's to implement cross-forest enrollment in e&istin+ %!CS deplo(ment are the same as described in section Deployment %as&s for the new %!CS deplo(ment# but need to be e&tended with steps for consolidatin+ templates that ma( have been alread( in use and decommissionin+ the e&istin+ C%s* .he tas's that are re2uired to prepare cross-forest enrollment and consolidate an e&istin+ Windows C% are the followin+ 0* /dentif( a resource forest* 2* /nstall a Windows Server 2008 R2 C% and confi+ure it for crossforest certificate enrollment* "* Consolidate e&istin+ certificate templates* <* !ecommission account forest C%s as needed* Identifying a !esource "orest When there is an e&istin+ %!CS deplo(ment in more than one forest# it is recommended to choose one of those forests as a resource forest to minimi>e the effort that will be re2uired durin+ consolidation* % forest 0:

with hi+hest number of C%s and templates deplo(ed would be the best candidate* Gowever# it is acceptable to use a forest that has no e&istin+ P$/ as a resource forest* .his could be beneficial in situation where onl( onewa( trusts are allowed between e&istin+ forests* /n this case# an administrator can create a dedicated forest to host enterprise P$/ and create two-wa( trust with other forests in the enterprise* Installing and Configuring CA for Cross(forest Certificate Enrollment /n e&istin+ %!CS deplo(ments# it is acceptable to up+rade an e&istin+ C% in the resource forest to the Windows Server 2008 R2* .he confi+uration steps for the C% are the same as those that are described in section Configuring CA for Cross(forest Certificate Enrollment for new %!CS deplo(ment scenario* Consolidating Certificate %emplates .his section lists consolidation patterns that will help administrators to understand how particular template should be consolidated between the account forest and the resource forest* Gowever# several thin+s are true in all cases 0* 6nce a template from an account forest has been copied to the resource forest# all modification should be done in the resource forest and then propa+ated to the account forest* 2* /f a template is a part of a supersedin+ relationship ,bein+ superseded or supersedes another one-# all templates in that relationship should e&ists in both forests and should be copied to+ether* "* When a template has been moved from account forest to the resource forest and has been assi+ned to a C% in the Resource forest# it is acceptable to continue issuin+ it from the account forest C%s as well* .his can help to ma'e transition smoother* Gowever# eventuall( the +oal is to not have an( C%s in the account forest* <* %lthou+h not re2uired# it is recommended to consolidate all of the templates at one time and continue with full cop( of the %!CS ob;ects after that* .his +reatl( simplifies the on+oin+ 20

management. However, in large PKI deployments it may not be feasible. For more information about certificate templates refer to “Implementing and Administering Certificate Templates in Windows Server 2008” - http://go.microsoft.com/fwlink/?LinkID=115127.

Continue Issuing a Template in the Resource Forest
Situation: The account forest has a template that is specific to that forest. The resource forest does not currently have a similar template configured. For example, a company may historically have had all of its web servers in the account forest and have set up a template called AccountWebServer, duplicated from the WebServer default template. The resource forest never had a similar template deployed because there were no web servers in that forest. In this case the administrator should do these steps:
1. Copy the template from the account forest to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Template -cn AccountWebServer

Note: The value of the 'cn' parameter in the above command is the name of the template, not its display name. Both names can be examined on the certificate template property pages in the Certificate Templates snap-in.
2. Copy all of the Oid objects from the account forest to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -f

3. In the resource forest, configure the template security to allow resource forest administrators to manage the template. The script copies the DACL verbatim, so the copied ACEs still name account forest principals; by default Enterprise Admins have full control on the templates created in their own forest, so to have the same security in the resource forest, give the resource forest's Enterprise Admins full control on the template.
Note: The script provided in this white paper does not copy the owner field of the security descriptor, so when any object is copied with the script the owner is set to the security context in which the script was executed. This is not a deficiency,

as there is no need to change the owner when the object is copied. Instead, access control should be configured through the DACL, which is copied by the script.
4. When a certificate is renewed, the original certificate is used to sign the certificate request. For the CA in the resource forest to accept the signature on a renewal request, the root CA to which that certificate chains must be trusted by the CA. If the CAs in the resource and account forests have different roots, export the account forest root CA certificates and publish them in the RootCA store of the resource forest. To complete this task use the commands described in section Publishing Root Certificate into Account Forest. The same considerations apply to Enroll On Behalf Of (EOBO) enrollment when the Enrollment Agent's (EA) certificate was originally issued by a CA in the account forest. In addition, an account forest CA that has issued EA certificates needs to be added to the resource forest as documented in section Publishing Issuing CA Certificate to the NTAuth Certificate Store.
5. Configure the CA in the resource forest to issue the template.
6. Copy the resource CA object to the account forest. If this is the first time this CA has been copied to the account forest, complete the steps outlined in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type CA -cn MyCA -f

Note: The value of the 'cn' parameter in the above command is the sanitized name of the CA, which in rare cases (non-English or long CA names) is not equal to the CA name. To obtain the proper value, run certutil.exe on the CA without any parameters and use the value shown for “Sanitized Short Name”.
7. Copy the template back from the resource forest to the account forest.

.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Template -cn AccountWebServer -f

8. Remove the template from the list of issued templates on the account forest CA.

Continue Issuing Templates in the Resource Forest When a Conflict Exists
Situation: Both the account forest and the resource forest have the same template deployed and the administrator wants to continue issuing both of them from the resource forest. Unfortunately both templates have the same name. For example, there is a CustomSmartCard template in both the resource and the account forest, and the template has the option “Require the following for reenrollment: Valid existing certificate” selected. It is undesirable to move users from the account forest to the template that is currently in the resource forest, because they would not be able to use their existing certificates to renew under that template. This could mean a high number of users manually going through the initial enrollment process again. To solve this problem the administrator should do these steps:
1. Rename the template in the account forest by right-clicking it in the Certificate Templates snap-in and selecting the Change Names option. The new name can be anything as long as it differs from the name of the same template in the resource forest, for example CustomSmartCardAccount.
Note: The rename feature is only available in the Certificate Templates snap-in included with Windows Server 2008 R2.
Note: If the key size configured on the template is smaller than the default key size for Windows Server 2008 R2, the rename feature increases the key size while renaming the template. If this is not desired, open the template for editing and revert to the original key size.
2. Copy the renamed template to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Template -cn CustomSmartCardAccount

3. Copy all of the Oid objects from the account forest to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -f

4. Make sure renewal signatures will be accepted, exactly as in step 4 of the previous procedure: a renewal request is signed with the original certificate, so if the resource and account forest CAs have different roots, publish the account forest root CA certificates in the RootCA store of the resource forest using the commands in section Publishing Root Certificate into Account Forest. The same applies to Enroll On Behalf Of (EOBO) enrollment when the Enrollment Agent's (EA) certificate was issued by a CA in the account forest, and that account forest CA also needs to be added to the resource forest as documented in section Publishing Issuing CA Certificate to the NTAuth Certificate Store.
5. In the resource forest, configure the template security to allow resource forest administrators to manage the template. For example, by default Enterprise Admins have full control on the templates created in their forest; to have the same security, give the resource forest's Enterprise Admins full control on the copied template.
6. Configure the copied template to be issued by a CA in the resource forest.
7. Copy the resource CA object to the account forest. If this is the first time this CA has been copied to the account forest, complete the steps outlined in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type CA -cn MyCA -f


8. Copy the template back from the resource forest to the account forest.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Template -cn CustomSmartCardAccount -f

9. Remove the template from the list of issued templates on the account forest CA.

Consolidating Templates with Similar Purposes
Situation: Both the account and resource forests have templates set up that may have different names but serve the same purpose for the users in their forests, for example templates for email signing. These templates may or may not have identical settings. There are several ways to consolidate them, each with advantages and disadvantages.
Continue issuing certificates based on both templates – An administrator can simply follow the steps described in section Continue Issuing a Template in the Resource Forest above. The advantage of this approach is that users in the account forest continue using their existing certificates and renew them at the same rate as before. The disadvantage is that administrators still have to manage two separate templates instead of one.
Supersede the template in the account forest with a template in the resource forest – An administrator should follow these steps:
1. Copy the template from the account forest to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Template -cn ToBeSuperseded

2. Copy all Oid objects from the account forest to the resource forest.
.\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -f

3. Supersede the account forest template with the corresponding template in the resource forest.
4. Configure the security settings on the resource forest template to include users from the account forest.

5. Copy the resource forest template to the account forest.


.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Template -cn SupersedingTemplate

6. Copy the resource CA object to the account forest. If this is the first time this CA has been copied to the account forest, complete the steps outlined in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type CA -cn MyCA -f

7. Copy all Oid objects from the resource forest to the account forest, so that the OID of the superseding template exists where the template was just copied (the command below runs in that direction; account-to-resource was already done in step 2).
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Oid -f

The advantage of this approach is that only one template is used across the enterprise. The disadvantages are that the consolidation steps are the most complicated of all the options, and that when consolidation is complete all users in the account forest will reenroll (if autoenrollment is used) for the new template simultaneously, which may cause a spike in network activity and in the number of requests going to the CA in the resource forest.
Issue certificates based on the template in the resource forest only – An administrator can simply stop issuing certificates based on the template in the account forest, add users from the account forest to the template in the resource forest, and make it available in the account forest. The advantage of this approach is that the consolidation process is very simple and only one template is used across the enterprise. The disadvantage is that for some time users in the account forest will have multiple valid certificates for the same purpose, which may confuse them when they have to choose one in an application.

Consolidating Version 2 and Version 3 Default Templates
Situation: Both the account and resource forests have the Workstation template deployed. During the consolidation the administrator would like to continue issuing certificates to the computers in the domain.


Since renaming a default template is not supported, the administrator should create a new template that supersedes the Workstation template and use that template in both forests. The administrator should follow these steps:
1. Create a new template in the resource forest by duplicating the Workstation template, for example NewWorkstation.
2. Supersede the Workstation template with the NewWorkstation template.
3. Add the new template to the list of templates issued by a CA in the resource forest.
4. Remove the Workstation template from any CA that currently issues it, in both the resource and the account forest.
5. Copy the resource forest template to the account forest.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Template -cn NewWorkstation

6. Copy the resource CA object to the account forest. If this is the first time this CA has been copied to the account forest, complete the steps outlined in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type CA -cn MyCA -f

7. Copy all of the Oid objects from the resource forest to the account forest (the new template was created in the resource forest, so its OID object only exists there until this step).
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Oid -f

Just as in the previous section, the option of issuing certificates based on the template in the resource forest only, and stopping issuance based on the template in the account forest, is available.

Consolidating Version 1 Templates
If a Version 1 template is used in both the account and the resource forest, the administrator should follow this procedure to consolidate:
1. Remove the template from the list of issued templates on the account forest CA.


2. Configure the security settings on the resource forest template to include users from the account forest.
3. Copy the resource CA object to the account forest. If this is the first time this CA has been copied to the account forest, complete the steps outlined in sections Publishing Root Certificate into Account Forest and Publishing Issuing CA Certificate to the NTAuth Certificate Store.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type CA -cn MyCA -f

4. Copy the resource forest template to the account forest to update its security settings there.
.\PKISync.ps1 -sourceforest resource.contoso.com -targetforest account.contoso.com -type Template -cn User -f

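The consolidation procedures above are lists of manual steps. The following is an added example, not one of the white paper's scripts, that runs the eight steps of Continue Issuing a Template in the Resource Forest as one script on top of PKISync.ps1, so that the order (template and OIDs first, then trust and CA configuration, then the copy back) is fixed and repeatable. All names in it are assumptions for illustration: the forest and DC names, the CA configuration strings in Machine\CAName form, the sanitized CA name MyCA, the NetBIOS name of the resource forest, the exported account forest root certificate at C:\pki\AccountRoot.cer, and PKISync.ps1 in the current directory. It uses only documented tools: dsacls.exe for the template DACL, certutil.exe -dspublish for the RootCA store and certutil.exe -setcatemplates for the CA's issued-template list.

```powershell
# Added example (not the white paper's script): steps 1-8 of "Continue Issuing a Template
# in the Resource Forest" for one template, driven by the paper's PKISync.ps1.
# Every name below is an assumption for illustration. Run as a user that is Enterprise
# Admin in both forests; otherwise the dsacls/certutil steps fail.
param(
    [string]$Template        = "AccountWebServer",
    [string]$AccountForest   = "account.contoso.com",
    [string]$AccountDC       = "dc1.account.contoso.com",
    [string]$AccountCA       = "ca1.account.contoso.com\AccountCA",
    [string]$ResourceForest  = "resource.contoso.com",
    [string]$ResourceDC      = "dc1.resource.contoso.com",
    [string]$ResourceCA      = "ca1.resource.contoso.com\MyCA",
    [string]$ResourceCAShort = "MyCA",               # "Sanitized Short Name" from certutil.exe
    [string]$AccountRootCer  = "C:\pki\AccountRoot.cer",
    [switch]$WhatIf                                  # pass -whatif through; skip certutil/dsacls
)
$ErrorActionPreference = "Stop"

# Wrapper around the paper's script. -f is always passed because every copy after the first
# one is an overwrite (PKISync.ps1 deletes and re-creates the target object).
function Invoke-PKISync([string]$FromForest, [string]$FromDC, [string]$ToForest, [string]$ToDC,
                        [string]$Type, [string]$CN) {
    $a = @("-sourceforest", $FromForest, "-sourcedc", $FromDC,
           "-targetforest", $ToForest, "-targetdc", $ToDC, "-type", $Type, "-f")
    if ($CN)     { $a += @("-cn", $CN) }
    if ($WhatIf) { $a += "-whatif" }
    & .\PKISync.ps1 @a
}

# Steps 1 and 2: the template and all OID objects, account -> resource.
Invoke-PKISync $AccountForest $AccountDC $ResourceForest $ResourceDC "Template" $Template
Invoke-PKISync $AccountForest $AccountDC $ResourceForest $ResourceDC "Oid"

if (-not $WhatIf) {
    # Step 3: the copied DACL carries only account-forest SIDs, so grant the resource forest's
    # Enterprise Admins full control (GA = generic all) on the new template object.
    # Assumption: the NetBIOS name of the resource forest is its first DNS label, upper-cased.
    $resourceDN      = "DC=" + ($ResourceForest.Split(".") -join ",DC=")
    $templateDN      = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$resourceDN"
    $resourceNetbios = ($ResourceForest.Split("."))[0].ToUpper()
    dsacls.exe "\\$ResourceDC\$templateDN" /G "$resourceNetbios\Enterprise Admins:GA"

    # Step 4: renewal requests are signed with the old certificate, so the account forest root
    # must be trusted in the resource forest (RootCA store in the Configuration partition).
    certutil.exe -dc $ResourceDC -f -dspublish $AccountRootCer RootCA

    # Step 5: let the resource CA issue the template.
    certutil.exe -config $ResourceCA -setcatemplates "+$Template"
}

# Steps 6 and 7: the resource CA object and the template, resource -> account.
Invoke-PKISync $ResourceForest $ResourceDC $AccountForest $AccountDC "CA" $ResourceCAShort
Invoke-PKISync $ResourceForest $ResourceDC $AccountForest $AccountDC "Template" $Template

if (-not $WhatIf) {
    # Step 8: stop issuing the template from the account forest CA, then list both CAs'
    # issued templates so the result can be checked.
    certutil.exe -config $AccountCA  -setcatemplates "-$Template"
    certutil.exe -config $ResourceCA -catemplates
    certutil.exe -config $AccountCA  -catemplates
}
```

Run it once with -WhatIf first: PKISync.ps1 then only reports what it would copy or overwrite, and the dsacls and certutil steps are skipped. The EOBO/NTAuth part of step 4 is not automated here because it depends on which account forest CA issued the Enrollment Agent certificates.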
Decommission Account "orest CAs .he eventual +oal for cross-forest certificate enrollment is to decrease the number of C%s deplo(ed in the enterprise* 6nce all certificate templates have been consolidated and a C% in an account forest is not issuin+ an( certificates# the C% can be decommissioned* .he steps to decommission a C% are documented in the C% Maintenance - http AA+o*microsoft*comAfwlin'ABCin'/dD0"802"* Gowever# it ma( be easier to 'eep the C% deplo(ed until its certificate e&pires and continue issuin+ CRCs at re+ular intervals* .his will eliminate the need to revo'e all issued certificates and will allow them to be used until the( are e&pired*

Cross-forest Certificate Enrollment Monitoring


As described in section Copying ADCS Objects from the Resource Forest into the Account Forest, a number of events require the ADCS objects to be synchronized between the resource forest and an account forest. All of those events are the product of some administrative task, so it is possible for the administrator simply to remember to update the account forests each time she makes a change in the resource forest. Because humans are prone to error and can forget to do this, it is recommended either to monitor the consistency of CA objects, certificate templates and OIDs between the resource forest and the account forest, or to schedule an update at a regular interval.

The duplicated ADCS objects in an account forest should always be an exact copy of the originals in the resource forest. The following sections describe different strategies for monitoring the cross-forest enrollment environment to make sure the ADCS objects are consistent between the resource and account forests.

Scheduled Updates
The simplest way to make sure that the ADCS objects in Active Directory are synchronized between the resource and account forests is to schedule the script provided in this white paper to update all object types on a regular basis. In most ADCS deployments, changes to certificate templates or CA configuration happen infrequently. Also, changes in Active Directory are not instantaneous because of replication delays, so there is no expectation of real-time updates. Running the script daily provides a good enough level of consistency in most scenarios. For deployments that require faster updates, the following sections provide alternatives that can meet those requirements, but they require more complex management procedures or the use of other tools.
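As an added example (not part of the white paper), the daily run described above registered as a scheduled task with schtasks.exe. Assumptions: the script is stored at C:\PKI\PKISync.ps1 (a path without spaces, so nothing inside the task command needs quoting), the root-domain DCs are dc1.resource.contoso.com and dc1.account.contoso.com, and RESOURCE\svc-pkisync is a dedicated account whose only privilege is write access to the Public Key Services container of the account forest. The password is requested interactively by schtasks.exe (/RP *) rather than placed on the command line.

```powershell
# Added example (not from the white paper): daily full copy of CA, Template and OID objects
# from the resource forest into the account forest with the paper's PKISync.ps1.
# Assumptions: script at C:\PKI\PKISync.ps1, forest/DC names as in the other examples on
# this page, and a dedicated low-privilege account RESOURCE\svc-pkisync for the task.
$taskName = "PKISync-ResourceToAccount"
$logFile  = "C:\PKI\Logs\PKISync.log"
$syncArgs = @("-sourceforest", "resource.contoso.com", "-sourcedc", "dc1.resource.contoso.com",
              "-targetforest", "account.contoso.com",  "-targetdc", "dc1.account.contoso.com", "-f")

if (-not (Test-Path (Split-Path $logFile))) {
    New-Item -ItemType Directory -Path (Split-Path $logFile) | Out-Null
}

# Dry run in the current session first: -whatif lists what would be copied or overwritten.
& C:\PKI\PKISync.ps1 @syncArgs -whatif

# cmd.exe is used only to capture the script's output into the log; the script itself is
# executed non-interactively with no profile. Sign the script rather than lowering the
# execution policy for the task account.
$command = "cmd.exe /c powershell.exe -NoProfile -NonInteractive -File C:\PKI\PKISync.ps1 " +
           ($syncArgs -join " ") + " >> $logFile 2>&1"

schtasks.exe /Create /F /TN $taskName /SC DAILY /ST 02:00 /RU "RESOURCE\svc-pkisync" /RP * /TR $command
schtasks.exe /Query /TN $taskName /V /FO LIST
```

Because every -f copy deletes and re-creates the object in the account forest, the task is scheduled at night; a client that reads the Certificate Templates container during that short window would not see the template.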

Monitoring CA Events
Windows Server 2008 R2 already has a set of events that can be used as a signal that the ADCS objects should be updated in the account forest. The events (detailed below) can be consumed by monitoring tools such as System Center Operations Manager (http://go.microsoft.com/fwlink/?LinkID=124356). When any of those events is received, a monitoring solution may notify the administrator or even schedule execution of the scripts provided in this white paper to update the account forest. When using these events the administrator should consider the following:
1. Any of the events below may indicate that data should be copied from the resource forest to the account forest.
2. Some of these events may be false positives, for example the CA startup event. However, since none of them should occur frequently, updating the ADCS objects in response to them should not create excessive AD traffic.
3. The events 4898 and 4899 are not logged until a request is received for the specific certificate template. This means that if the

request comes from a user in the account forest, the template used by the client may already be out of date and the CA will reject the request.
The list of the events is as follows (the page lists the "loaded a template" event as 4892; the Windows event with that description is 4898, and 4892 is the "property changed" event in the last row):

Log Name     Source                                    Event Id  Task Category           Level        Description
Application  Microsoft-Windows-CertificationAuthority  26        None                    Information  Active Directory Certificate Services for %1 was started. %2
Security     Microsoft-Windows-Security-Auditing       4882      Certification Services  Information  The security permissions for Certificate Services changed. %1
Security     Microsoft-Windows-Security-Auditing       4898      Certification Services  Information  Certificate Services loaded a template. %1
Security     Microsoft-Windows-Security-Auditing       4899      Certification Services  Information  A Certificate Services template was updated. %1
Security     Microsoft-Windows-Security-Auditing       4892      Certification Services  Information  A property of Certificate Services changed. %1

The CA startup event 26 is logged by default. To get the rest of the events, the CA administrator must complete the following configuration steps:
1. Enable Object Access / Success auditing in the CA machine's local security policy.
   a. Start mmc.exe.
   b. Add the “Group Policy Object Editor” snap-in and select the Local Computer Group Policy object.
   c. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, enable success auditing for Object Access.
2. Enable auditing on the CA.
   a. Open the Certification Authority snap-in.
   b. Open the CA properties dialog.
   c. On the Auditing tab, check the Change CA configuration and Change CA security settings options.
All CAs that issue certificates to another forest should be monitored if this approach is used. If you are experiencing problems applying the auditing policy, see http://support.microsoft.com/kb/921468 for a possible workaround.
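The following is an added example, not one of the white paper's scripts. Its first part performs the audit configuration from the two numbered steps above on the command line (auditpol.exe for the Object Access subcategory and certutil.exe for the CA's audit filter) instead of through the snap-ins; its second part is the consumer: it queries the events from the table over a time window and, if any were logged, runs a full PKISync.ps1 copy. Assumptions: it runs elevated on the resource-forest CA, PKISync.ps1 is in C:\PKI, and the forest and DC names are the same illustrative ones used in the other examples on this page.

```powershell
# Added example, not one of the white paper's scripts.
# Part 1: audit configuration (run once, elevated, on the CA).
# Part 2: event check that can be run by a scheduled task or a monitoring tool.
# Assumptions: PKISync.ps1 in C:\PKI; resource/account forest and DC names as on this page.

# ---- Part 1: audit configuration --------------------------------------------------------
# Success auditing for the Object Access subcategory "Certification Services". auditpol.exe
# sets the subcategory directly, which is the route KB 921468 points to when the category
# level setting does not take effect.
auditpol.exe /set /subcategory:"Certification Services" /success:enable
# CA\AuditFilter is the registry value behind the CA's Auditing tab. 127 selects all seven
# audit categories, which include "Change CA configuration" and "Change CA security
# settings"; the CA service must be restarted to read the new value.
certutil.exe -setreg CA\AuditFilter 127
net.exe stop certsvc
net.exe start certsvc

# ---- Part 2: look for the trigger events and synchronize --------------------------------
function Get-CASyncTriggerEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # 4882, 4892, 4898 and 4899 are in the Security log; the CA startup event 26 is in the
    # Application log. -ErrorAction SilentlyContinue suppresses the "no events found" error.
    $security = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = "Security"; ProviderName = "Microsoft-Windows-Security-Auditing";
        Id = 4882, 4892, 4898, 4899; StartTime = $Since }
    $startup = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = "Application"; ProviderName = "Microsoft-Windows-CertificationAuthority";
        Id = 26; StartTime = $Since }
    @($security) + @($startup) | Where-Object { $_ -ne $null } | Sort-Object TimeCreated
}

$events = @(Get-CASyncTriggerEvents)
if ($events.Count -gt 0) {
    # 4898/4899 only fire once a request for the template arrives, so a client in the account
    # forest may already have been rejected by then: this copy is the catch-up, not a
    # replacement for copying after every template change.
    $events | Format-Table TimeCreated, Id, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } } -AutoSize
    & C:\PKI\PKISync.ps1 -sourceforest resource.contoso.com -sourcedc dc1.resource.contoso.com `
                         -targetforest account.contoso.com -targetdc dc1.account.contoso.com -f
} else {
    "No CA configuration or template events in the last 24 hours; nothing to copy."
}
```

The 24-hour window matches a daily run; a monitoring tool that reacts to the events in real time would call the same copy with a window covering the interval since its last run.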

Using Active Directory Tools


Currently Microsoft does not provide a dedicated monitoring solution to compare the Active Directory objects specifically required for cross-forest enrollment. However, it is acceptable to use general-purpose directory monitoring and replication tools to achieve data consistency between two forests, for example the Synchronization Engine of Microsoft Identity Lifecycle Manager (http://go.microsoft.com/fwlink/?LinkId=138024). If such a tool is used, the containers described in section Copying ADCS Objects from the Resource Forest into the Account Forest should be synchronized.

Using Active Directory APIs


Microsoft provides a rich set of APIs for listening for change notifications in Active Directory. These APIs can be used to develop custom solutions if needed. For more information see Lightweight Directory Access Protocol (http://go.microsoft.com/fwlink/?LinkId=138025) and the System.DirectoryServices.Protocols Namespace (http://go.microsoft.com/fwlink/?LinkId=138026).

Considerations for Using Certificate Web Enrollment Pages


The following table shows the supportability matrix for certificate enrollment across forests with the CA Web Pages. "Same Machine" means the web pages are installed on the CA itself; "Delegation" is the Kerberos delegation setting of the web server's computer account.

CA Forest   Web Pages Forest   Same Machine   Delegation    Supported
Resource    Resource           Yes            N/A           Yes
Resource    Resource           No             Computer      Yes
Resource    Resource           No             Constrained   Yes
Resource    Account            No             Computer      Yes
Resource    Account            No             Constrained   No

Constrained delegation is the safer of the two settings, but in Windows Server 2008 R2 it does not work across a forest boundary, which is why the last row is unsupported.

Cross-forest CA Troubleshooting
The following section provides solutions to some common problems that an administrator may run into while configuring cross-forest certificate enrollment.

Built-in templates have been accidentally deleted


If the built-in templates or OIDs have been accidentally deleted from Active Directory, the following command can be used to recreate the certificate templates in their initial state:
certutil.exe -InstallDefaultTemplates

Note: Resetting the certificate templates recreates the missing templates and OIDs with their default configuration and default access control lists. If the default templates had custom access control lists or changed properties before the deletion, those settings have to be reapplied after the templates and OIDs are rebuilt.
If autoenrollment is in use, a reset of the certificate templates may have a side effect on enrollment behavior. The autoenrollment code compares the major and minor version numbers of the certificate template with those recorded in an autoenrolled certificate. If an Enterprise Administrator decides to force re-enrollment of all automatically enrolled certificates, the major version number of the certificate template must be greater than the major version number in the automatically enrolled certificates. For a re-created certificate template, the major version number of the template may still be lower than the major version number in the certificate. To work around this, the Enterprise Administrator has to repeat the forced re-enrollment on the recreated template as many times as needed until the major version number in the certificate template is greater than the major version number in the previously autoenrolled certificates.

ADCS AD containers are missing


If for some reason there are no containers under the Public Key Services container in AD, you can recreate them by running:
certutil.exe -InstallDefaultTemplates

Note: This also creates the default templates under the Certificate Templates container.

Unreachable CA
When you export a CA certificate from a remote Windows Server 2003 CA, you receive this error from certutil.exe:
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722) CertUtil: The RPC server is unavailable.

or
CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5) CertUtil: Access is denied.

Make sure that the user executing the -ca.cert command is a member of the CERTSVC_DCOM_ACCESS group on the CA. The first error is also what certutil.exe reports when the RPC/DCOM ports to the CA are blocked, so check network reachability before changing group membership.

Synchronization Issues
Various issues can be caused by problems with copying ADCS objects across forests. For example, clients in the account forest may not see a template that should be available to them, or the CA may reject a client's request indicating that the version of the template is lower than the one the CA is currently using. To diagnose these types of issues, the administrator needs to make sure that the ADCS objects exist in the Active Directory of both forests and have the same attribute values. To output the current contents of the certificate stores in AD into a text file, use the certutil.exe -store command with the LDAP paths provided in sections Publishing Root Certificate into Account Forest, Publishing Issuing CA Certificate to the NTAuth Certificate Store, and Publishing Issuing CA Certificates into Account Forest. To list all of the ADCS objects in AD, use the '-whatif' switch of the PKISync.ps1 script: for example, you can tell which objects do not exist in the account forest by simulating a copy of all object types and seeing which objects do not produce the warning that the '-f' switch should be used to overwrite them. To output the current attribute values of an ADCS object in AD into a text file, use the dumpadobj.ps1 script provided in this white paper.
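The comparison described above can be done in one pass instead of by reading two attribute dumps side by side. The following is an added example, not one of the white paper's scripts (dumpadobj.ps1 is not reproduced on this page): it reads every pKICertificateTemplate object from the resource forest and from the account forest and reports templates that are missing in the account forest or whose enrollment-relevant attributes differ. The attribute list is a chosen subset (version numbers, template OID, flags, EKU, validity, supersedence), not the full systemMayContain list that PKISync.ps1 copies. Assumptions: root-domain DCs dc1.resource.contoso.com and dc1.account.contoso.com, and a caller with read access to both Configuration partitions.

```powershell
# Added example, not one of the white paper's scripts. Compares certificate template objects
# between two forests and reports missing or differing templates.
# Assumptions: DC and forest names below; read access to both Configuration partitions.

function Get-ConfigurationDN([string]$ForestDns) {
    "CN=Configuration,DC=" + ($ForestDns.Split(".") -join ",DC=")
}

function Get-TemplateTable([string]$DC, [string]$ForestDns) {
    # Returns @{ TemplateCN = @{ attribute = "value;value" } } for every template in the forest.
    $attrs = @("cn", "displayName", "revision", "msPKI-Template-Minor-Revision",
               "msPKI-Cert-Template-OID", "flags", "msPKI-Enrollment-Flag",
               "msPKI-Private-Key-Flag", "msPKI-Certificate-Name-Flag",
               "pKIExtendedKeyUsage", "pKIExpirationPeriod", "msPKI-Supersede-Templates")
    $path = "LDAP://$DC/CN=Certificate Templates,CN=Public Key Services,CN=Services," + (Get-ConfigurationDN $ForestDns)
    $root = New-Object System.DirectoryServices.DirectoryEntry($path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectClass=pKICertificateTemplate)")
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]$attrs)
    $table = @{}
    foreach ($result in $searcher.FindAll()) {
        $row = @{}
        foreach ($attr in $attrs) {
            # Multi-valued attributes and byte[] values (pKIExpirationPeriod) are folded into one
            # sorted string so that a plain -ne comparison is meaningful.
            $values = @($result.Properties[$attr.ToLower()]) | ForEach-Object {
                if ($_ -is [byte[]]) { [System.BitConverter]::ToString($_) } else { [string]$_ }
            }
            $row[$attr] = (@($values) | Sort-Object) -join ";"
        }
        $table[$row["cn"]] = $row
    }
    $table
}

function Compare-TemplateForests([string]$ResourceDC, [string]$ResourceForest,
                                 [string]$AccountDC,  [string]$AccountForest) {
    # The resource forest is the master: every template there must exist unchanged in the
    # account forest. Templates that exist only in the account forest are not reported.
    $src = Get-TemplateTable $ResourceDC $ResourceForest
    $dst = Get-TemplateTable $AccountDC  $AccountForest
    $findings = @()
    foreach ($cn in ($src.Keys | Sort-Object)) {
        if (-not $dst.ContainsKey($cn)) {
            $findings += New-Object PSObject -Property @{ Template = $cn; Attribute = "(object)"; Resource = "present"; Account = "missing" }
            continue
        }
        foreach ($attr in ($src[$cn].Keys | Sort-Object)) {
            if ($src[$cn][$attr] -ne $dst[$cn][$attr]) {
                $findings += New-Object PSObject -Property @{ Template = $cn; Attribute = $attr; Resource = $src[$cn][$attr]; Account = $dst[$cn][$attr] }
            }
        }
    }
    $findings
}

$diff = @(Compare-TemplateForests "dc1.resource.contoso.com" "resource.contoso.com" `
                                  "dc1.account.contoso.com"  "account.contoso.com")
if ($diff.Count -eq 0) {
    "All resource-forest templates exist in the account forest with identical attributes."
} else {
    # A revision / msPKI-Template-Minor-Revision mismatch is the "template version too old"
    # rejection; a missing object is the "clients do not see the template" symptom. Both are
    # repaired with PKISync.ps1 -type Template -cn <CN> -f.
    $diff | Select-Object Template, Attribute, Resource, Account | Format-Table -AutoSize
}

# The certificate stores in AD (the LDAP paths referred to above) can be dumped with
# certutil.exe; for example the NTAuth store of the account forest:
certutil.exe -store "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=account,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority"
```

Redirect the output to a file to keep a record alongside the certutil.exe dumps; the CA and OID containers can be compared the same way by changing the search base and the attribute list.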

Script - PKISync.ps1
Disclaimer: This script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages.
To use the script, copy all of the text below into the file PKISync.ps1 and execute it in Windows PowerShell. The script must be executed against DCs in the root domains of the resource and account forests. Targeting a DC in a child domain, explicitly or by omitting the -targetdc or -sourcedc options, may result in undefined and therefore unsupported behavior.
#
# This script allows updating PKI objects in Active Directory for the
# cross-forest certificate enrollment
#
#
# Command line variables
#
$SourceForestName = ""
$TargetForestName = ""
$SourceDC = ""
$TargetDC = ""
$ObjectType = "all"
$ObjectCN = $null
$DryRun = $FALSE
$DeleteOnly = $FALSE
$OverWrite = $FALSE

function ParseCommandLine() {
    if (2 -gt $Script:args.Count) {
        write-warning "Not enough arguments"
        Usage
        exit 87
    }
    for ($i = 0; $i -lt $Script:args.Count; $i++) {
        switch ($Script:args[$i].ToLower()) {
            "-sourceforest" {
                $i++
                $Script:SourceForestName = $Script:args[$i]
            }
            "-targetforest" {
                $i++
                $Script:TargetForestName = $Script:args[$i]
            }
            "-cn" {
                $i++
                $Script:ObjectCN = $Script:args[$i]
            }
            "-type" {
                $i++
                $Script:ObjectType = $Script:args[$i].ToLower()
            }
            "-f" {
                $Script:OverWrite = $TRUE
            }
            "-whatif" {
                $Script:DryRun = $TRUE
            }
            "-deleteOnly" {
                $Script:DeleteOnly = $TRUE
            }
            "-targetdc" {
                $i++
                $Script:TargetDC = $Script:args[$i]
            }
            "-sourcedc" {
                $i++
                $Script:SourceDC = $Script:args[$i]
            }
            default {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}

function Usage() {
    write-host ""
    write-host "Script to copy or delete PKI objects (default is copy)"
    write-host ""
    write-host " Copy Command:"
    write-host ""
    write-host " .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-sourceDC <SourceDCDNS>] [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-f] [-whatif]"
    write-host ""
    write-host " Delete Command:"
    write-host ""
    write-host " .\PKISync.ps1 -targetforest <TargetForestDNS> [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-deleteOnly] [-whatif]"
    write-host ""
    write-host "-sourceforest -- DNS of the forest to process object from"
    write-host "-targetforest -- DNS of the forest to process object to"
    write-host "-sourcedc -- DNS of the DC in the source forest to process object from"
    write-host "-targetdc -- DNS of the DC in the target forest to process object to"
    write-host "-type -- Type of object to process, if omitted then all object types are processed"
    write-host "         CA -- Process CA object(s)"
    write-host "         Template -- Process Template object(s)"
    write-host "         OID -- Process OID object(s)"
    write-host '-cn -- Common name of the object to process, do not include the cn= (ie "User" and not "CN=User")'
    write-host "       This option is only valid if -type <> is also specified"
    write-host "-f -- Force overwrite of existing objects when copying. Ignored when deleting."
    write-host "-whatif -- Display what object(s) will be processed without processing"
    write-host "-deleteOnly -- Will delete object in the target forest if it exists"
    write-host ""
    write-host ""
}

#
# Build a list of attributes to copy for some object type
#
function GetSchemaSystemMayContain($ForestContext, $ObjectType) {
    #
    # first get all attributes that are part of systemMayContain list
    #
    $SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectType).GetDirectoryEntry()
    $SystemMayContain = $SchemaDE.systemMayContain
    #
    # if schema was upgraded with adprep.exe, we need to check mayContain list as well
    #
    if ($null -ne $SchemaDE.mayContain) {
        $MayContain = $SchemaDE.mayContain
        foreach ($attr in $MayContain) {
            $SystemMayContain.Add($attr)
        }
    }
    #
    # special case some of the inherited attributes
    #
    if (-1 -eq $SystemMayContain.IndexOf("displayName")) {
        $SystemMayContain.Add("displayName")
    }
    if (-1 -eq $SystemMayContain.IndexOf("flags")) {
        $SystemMayContain.Add("flags")
    }
    if ($ObjectType.ToLower().Contains("template") -and -1 -eq $SystemMayContain.IndexOf("revision")) {
        $SystemMayContain.Add("revision")
    }
    return $SystemMayContain
}

#
# Copy or delete all objects of some type
#
function ProcessAllObjects($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN) {
    $SourceObjectsDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $ObjectCN = $null
    foreach ($ChildNode in $SourceObjectsDE.psbase.get_Children()) {
        # if some object failed, we will try to continue with the rest
        trap {
            # CN may be null here, but it's ok. Doing best effort.
            write-warning ("Error while copying an object. CN=" + $ObjectCN)
            write-warning $_
            write-warning $_.InvocationInfo.PositionMessage
            continue
        }
        $ObjectCN = $ChildNode.psbase.Properties["cn"]
        ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE $RelativeDN $ObjectCN
        $ObjectCN = $null
    }
}

#
# Copy or delete an object
#
function ProcessObject($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN, $ObjectCN) {
    $SourceObjectContainerDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $TargetObjectContainerDE = $TargetPKIServicesDE.psbase.get_Children().find($RelativeDN)
    #
    # when copying make sure there is an object to copy
    # (the CN is placed in the LDAP filter as-is, so a -cn value must not contain
    # filter metacharacters such as '(', ')', '*' or '\')
    #
    if ($FALSE -eq $Script:DeleteOnly) {
        $DSSearcher = [System.DirectoryServices.DirectorySearcher]$SourceObjectContainerDE
        $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
        $SearchResult = $DSSearcher.FindAll()
        if (0 -eq $SearchResult.Count) {
            write-host ("Source object does not exist: CN=" + $ObjectCN + "," + $RelativeDN)
            return
        }
        $SourceObjectDE = $SourceObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
    }
    #
    # Check to see if the target object exists; if it does, delete it if overwrite is enabled.
    # Also delete if this is a deletion-only operation.
    #
    $DSSearcher = [System.DirectoryServices.DirectorySearcher]$TargetObjectContainerDE
    $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
    $SearchResult = $DSSearcher.FindAll()
    if ($SearchResult.Count -gt 0) {
        $TargetObjectDE = $TargetObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
        if ($Script:DeleteOnly) {
            write-host ("Deleting: " + $TargetObjectDE.DistinguishedName)
            if ($FALSE -eq $DryRun) {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
            return
        } elseif ($Script:OverWrite) {
            # overwrite = delete the target object and re-create it below
            write-host ("OverWriting: " + $TargetObjectDE.DistinguishedName)
            if ($FALSE -eq $DryRun) {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
        } else {
            write-warning ("Object exists, use -f overwrite. Object: " + $TargetObjectDE.DistinguishedName)
            return
        }
    } else {
        if ($Script:DeleteOnly) {
            write-warning ("Can't delete object. Object doesn't exist. Object: " + $ObjectCN + ", " + $TargetObjectContainerDE.DistinguishedName)
            return
        } else {
            write-host ("Copying Object: " + $SourceObjectDE.DistinguishedName)
        }
    }
    #
    # Only update the object if this is not a dry run
    #
    if ($FALSE -eq $DryRun -and $FALSE -eq $Script:DeleteOnly) {
        # Create new AD object
        $NewDE = $TargetObjectContainerDE.psbase.get_Children().Add("CN=" + $ObjectCN, $SourceObjectDE.psbase.SchemaClassName)
        # Obtain systemMayContain for the object type from the AD schema
        $ObjectMayContain = GetSchemaSystemMayContain $SourceForestContext $SourceObjectDE.psbase.SchemaClassName
        # Copy attributes defined in the systemMayContain for the object type
        foreach ($Attribute in $ObjectMayContain) {
            $AttributeValue = $SourceObjectDE.psbase.Properties[$Attribute].Value
            if ($null -ne $AttributeValue) {
                $NewDE.psbase.Properties[$Attribute].Value = $AttributeValue
                $NewDE.psbase.CommitChanges()
            }
        }
        # Copy security descriptor to new object. Only the DACL is copied, so the owner of
        # the new object is the caller and the ACEs still contain the source forest's SIDs.
        $BinarySecurityDescriptor = $SourceObjectDE.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()
        $NewDE.psbase.ObjectSecurity.SetSecurityDescriptorBinaryForm($BinarySecurityDescriptor, [System.Security.AccessControl.AccessControlSections]::Access)
        $NewDE.psbase.CommitChanges()
    }
}

#
# Get parent container for all PKI objects in the AD
#
function GetPKIServicesContainer([System.DirectoryServices.ActiveDirectory.DirectoryContext] $ForestContext, $dcName) {
    $ForObj = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
    $DE = $ForObj.RootDomain.GetDirectoryEntry()
    if ("" -ne $dcName) {
        # rebind the root domain entry to the DC that was requested on the command line
        $newPath = [System.Text.RegularExpressions.Regex]::Replace($DE.psbase.Path, "LDAP://\S+/", "LDAP://" + $dcName + "/")
        $DE = New-Object System.DirectoryServices.DirectoryEntry $newPath
    }
    $PKIServicesContainer = $DE.psbase.get_Children().find("CN=Public Key Services,CN=Services,CN=Configuration")
    return $PKIServicesContainer
}

#########################################################
# Main script code
#########################################################
#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap {
    write-error "The script has encountered a fatal error. Terminating script."
    break
}
ParseCommandLine
#
# Get a hold of the containers in each forest
#
write-host ("Target Forest: " + $TargetForestName.ToUpper())
$TargetForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $TargetForestName
$TargetPKIServicesDE = GetPKIServicesContainer $TargetForestContext $Script:TargetDC
# Only need source forest when copying
if ($FALSE -eq $Script:DeleteOnly) {
    write-host ("Source Forest: " + $SourceForestName.ToUpper())
    $SourceForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $SourceForestName
    $SourcePKIServicesDE = GetPKIServicesContainer $SourceForestContext $Script:SourceDC
} else {
    $SourcePKIServicesDE = $TargetPKIServicesDE
}
if ("" -ne $ObjectType) { write-host ("Object Category to process: " + $ObjectType.ToUpper()) }

<0

G G Process t'e co&&and G s,itc'BH8+4ectTy e)ToLo,erBEE I all I ,rite-'ost B-Enroll&ent Ser!erices %ontainer-E ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0Enroll&ent Ser!ices,rite-'ost B-%erti#icate Te& lates %ontainer-E ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0%erti#icate Te& lates,rite-'ost B-8ID %ontainer-E ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N08IDJ ca I i#BHnull -eO H8+4ect%NE I ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0Enroll&ent Ser!icesJ else I Process8+4ect HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0Enroll&ent Ser!ices- H8+4ect%N J J oid I i#BHnull -eO H8+4ect%NE I ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N08IDJ else I Process8+4ect HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N08ID- H8+4ect%N J J te& late I i#BHnull -eO H8+4ect%NE I ProcessAll8+4ects HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0%erti#icate Te& latesJ else I Process8+4ect HSourceP2ISer!icesDE HTargetP2ISer!icesDE -%N0%erti#icate Te& lates- H8+4ect%N J J de#ault I ,rite-,arning B-=n<no,n o+4ect ty e. - + H8+4ectTy e)ToLo,erBEE =sage e9it ?@ J J

Script: dumpadobj.ps1
Disclaimer: This script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages.

This script uses ldifde.exe to output the current attribute values of a PKI object in Active Directory. Use this script to compare the same objects located in different forests. Note that this script must be executed on a computer that has the ldifde.exe tool available. ldifde.exe ships with Windows, but on some versions it may require the Admin Pack or Remote Management tools to be installed.
#
# This script dumps certificate template/CA information using ldifde.exe
#

#
# Command line arguments
#
$ForestName = ""
$DCName = ""
$ObjectType = ""
$ObjectName = ""
$OutFile = ""

function ParseCommandLine()
{
    # every parameter is required: 5 switches, each followed by a value
    if (10 -gt $Script:args.Count)
    {
        write-warning "Not enough arguments"
        Usage
        exit 87
    }

    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        switch($Script:args[$i].ToLower())
        {
            "-forest"
            {
                $i++
                $Script:ForestName = $Script:args[$i]
            }
            "-dc"
            {
                $i++
                $Script:DCName = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectName = $Script:args[$i]
            }
            "-file"
            {
                $i++
                $Script:OutFile = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}

function Usage()
{
    write-host ""
    write-host "Script to dump attribute values of a certificate template or CA object in AD"
    write-host ""
    write-host "dumpadobj.ps1 -forest <DNS name> -dc <DC name> -type <template|CA> -cn <Name> -file <output file>"
    write-host ""
    write-host "-forest -- DNS name of the forest to process the object from"
    write-host "-dc     -- DNS or NetBIOS name of the DC to target"
    write-host "-type   -- Template or CA"
    write-host "-cn     -- Template or CA name"
    write-host "-file   -- Output file"
    write-host ""
}

#########################################################
# Main script code
#########################################################

#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap
{
    write-error "The script has encountered a fatal error. Terminating script."
    break
}

ParseCommandLine

write-host ""
write-host "Effective settings:"
write-host ("Forest: " + $ForestName)
write-host ("DC:     " + $DCName)
write-host ("Type:   " + $ObjectType)
write-host ("Name:   " + $ObjectName)
write-host ("File:   " + $OutFile)
write-host ""

#
# Set type specific variables
#
switch($ObjectType.ToLower())
{
    "template"
    {
        $ObjectContainerCN = ",CN=Certificate Templates"
        $ObjectSchema = "pKICertificateTemplate"
    }
    "ca"
    {
        $ObjectContainerCN = ",CN=Enrollment Services"
        $ObjectSchema = "pKIEnrollmentService"
    }
    default
    {
        write-warning ("Unknown object type: " + $ObjectType)
        Usage
        exit 87
    }
}

#
# Build full DN for the object
#
$ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")
$ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key Services,CN=Services,CN=Configuration," + $ForestDN

#
# Build list of attributes to display
#
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $ForestName
$SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectSchema).GetDirectoryEntry()
$AttrList = $SchemaDE.systemMayContain
if($null -ne $SchemaDE.mayContain)
{
    $MayContain = $SchemaDE.mayContain
    foreach($attr in $MayContain)
    {
        [void]$AttrList.Add($attr)
    }
}
if (-1 -eq $AttrList.IndexOf("displayName"))
{
    [void]$AttrList.Add("displayName")
}
if (-1 -eq $AttrList.IndexOf("flags"))
{
    [void]$AttrList.Add("flags")
}
if ($ObjectType.ToLower().Equals("template") -and -1 -eq $AttrList.IndexOf("revision"))
{
    [void]$AttrList.Add("revision")
}

# ldifde expects a comma separated attribute list
$SB = New-Object System.Text.StringBuilder
for($i = 0; $i -lt $AttrList.Count; $i++)
{
    [void]$SB.Append($AttrList[$i])
    if($i -lt ($AttrList.Count - 1))
    {
        [void]$SB.Append(",")
    }
}
$AttrListString = $SB.ToString()

#
# Build command line and execute
#
$CommandLine = "-d """ + $ObjectFullDN + """ -p Base -l """ + $AttrListString + """ -f """ + $OutFile + """ -s " + $DCName
Invoke-Expression "ldifde.exe $CommandLine" > ldifde.out.txt
type "$OutFile"
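The two ldifde dumps produced by this script against each forest can be compared programmatically rather than by eye. The following PowerShell is an added example and is not part of the white paper or its scripts; it assumes both input files were produced by dumpadobj.ps1 for the same template or CA object, and the file paths at the bottom are placeholders.

```powershell
# Added example, not part of the white paper: compare two ldifde dumps of the
# same PKI object (one per forest) and list the attributes whose values differ.
function Read-LdifAttributes {
    param([string]$Path)
    $attrs = @{}
    $logical = @()
    # ldifde folds long values: a continuation line starts with one space
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line.StartsWith(" ") -and $logical.Count -gt 0) {
            $logical[$logical.Count - 1] += $line.Substring(1)
        } else {
            $logical += $line
        }
    }
    foreach ($line in $logical) {
        # "attr: value" is plain text, "attr:: value" is base64 (binary data)
        if ($line -match '^([A-Za-z0-9;-]+)(::?) ?(.*)$') {
            $name = $Matches[1]
            $value = if ($Matches[2] -eq "::") { "base64:" + $Matches[3] } else { $Matches[3] }
            if (-not $attrs.ContainsKey($name)) { $attrs[$name] = @() }
            $attrs[$name] += $value
        }
    }
    return $attrs
}

function Compare-LdifObjects {
    param([string]$SourceFile, [string]$TargetFile)
    $src = Read-LdifAttributes -Path $SourceFile
    $dst = Read-LdifAttributes -Path $TargetFile
    $diffs = @()
    $names = @($src.Keys) + @($dst.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        # the dn always differs (it contains the forest DN), so it is skipped
        if ($name -eq "dn") { continue }
        # multi-valued attributes are compared order-independently
        $a = @($src[$name] | Sort-Object) -join "|"
        $b = @($dst[$name] | Sort-Object) -join "|"
        if ($a -ne $b) {
            $diffs += [pscustomobject]@{ Attribute = $name; Source = $a; Target = $b }
        }
    }
    return $diffs
}

# Placeholder paths: the two files produced by dumpadobj.ps1 against each forest
Compare-LdifObjects -SourceFile ".\template-sourceforest.ldf" -TargetFile ".\template-targetforest.ldf" |
    Format-Table -AutoSize
```

An empty table means the attribute sets in the two forests match; any row names an attribute that the copy did not carry over or that was changed in one forest afterwards.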
