Abstract
Windows Server 2008 R2 allows enterprises to issue digital certificates from an enterprise Certification Authority (CA) to clients that are members of a different Active Directory Domain Services (AD DS) forest. This process is called cross-forest certificate enrollment. This white paper explains how cross-forest certificate enrollment works. It also provides deployment guidance for new and existing Active Directory Certificate Services (AD CS) deployments. The paper covers strategies for consolidating existing certificate templates that may already be in use in the enterprise, and presents choices for ongoing management of the cross-forest certificate deployment. A PowerShell script is also provided to facilitate management tasks related to setting up and maintaining a cross-forest certificate enrollment environment.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2
    Technical requirements
    Terms used in this guide
    New AD CS deployments for cross-forest certificate enrollment
    Consolidated AD CS deployments for cross-forest certificate enrollment
AD CS: Deploying Cross-forest Certificate Enrollment
    Deploying AD CS for cross-forest certificate enrollment
    Consolidating certificate templates from multiple forests
        Copying account forest certificate templates into the resource forest
        Consolidating certificate templates with similar purposes from multiple account forests
        Consolidating version 2 and version 3 default certificate templates
        Consolidating version 1 default certificate templates
    Copying PKI objects to account forests
    Support for CA Web Enrollment
    Decommissioning CAs in account forests
AD CS: Managing Cross-forest Certificate Enrollment
    Using a scheduled task
    Monitoring AD CS events
    Using automation
AD CS: Troubleshooting Cross-forest Certificate Enrollment
    PKI object synchronization issues
    Public key containers or default certificate templates deleted
    Certutil connection errors when connecting to a CA
AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment
    Saving PKISync.ps1
AD CS: DumpADObj.ps1 Script for Cross-forest Certificate Enrollment
    Saving DumpADObj.ps1
Online Version
Technical requirements
- Two-way forest trusts between a resource forest and account forests.
- One or more enterprise CAs running on Windows Server 2008 R2.
- Domain member computers in all forests running one of the following operating systems:
    Windows XP
    Windows Server 2003
    Windows Vista
    Windows Server 2008
    Windows 7
    Windows Server 2008 R2
Fig 1. Example multiforest deployment without AD CS

Because AD CS in Windows Server 2008 R2 supports cross-forest certificate enrollment, Contoso Ltd can deploy AD CS in one forest that enables certificate enrollment from domain members in all forests. Figure 2 illustrates a two-tier PKI in Forest A that allows domain members from all forests to enroll for certificates from the enterprise CA in Forest A.
Fig 2. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment
Fig 3. Example multiforest enterprise with per-forest AD CS deployment

With the availability of Windows Server 2008 R2, it is possible to consolidate multiple per-forest AD CS deployments into a single AD CS deployment that enables certificate enrollment from domain members in all forests. By using fewer CAs, Contoso can lower total PKI management costs.
Fig 4. Example multiforest deployment with enterprise CA providing cross-forest certificate enrollment.
Consolidating certificate templates from multiple forests describes procedures for consolidating certificate templates from multiple per-forest AD CS deployments into a single PKI. Consolidation tasks are not required for new AD CS deployments. Copying PKI objects to account forests describes procedures and scripts for copying PKI objects from AD in the resource forest to account forests. The procedures described for copying PKI objects to account forests are required for new AD CS deployments and consolidated deployments. After deployment, the procedures for copying PKI objects can be used to distribute certificate templates from the resource forest to the account forests, which is necessary to maintain consistency of PKI objects in all forests.
scripts are run on a domain member computer in the resource forest, the administrator must have Allow authenticate permissions in each account forest.
3. Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA.
4. Install or upgrade one or more enterprise CAs running on Windows Server 2008 R2 in the resource forest.

Notes
Depending on your environment, the degree to which you are using existing PKI resources, and your level of experience with AD CS, the following references might be helpful for planning a new AD CS deployment or migrating existing AD CS deployments to Windows Server 2008 R2:
    AD CS Advanced Lab Scenario
    Active Directory Certificate Services Migration Guide
5. Enable LDAP referral support on enterprise CAs. Start a command prompt, type certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS, and press ENTER.
6. Add enterprise CA computer accounts to the Cert Publishers group in each account forest. See example procedures at Add a member to a group. Restart the CA by using net stop certsvc && net start certsvc.
7. Configure authority information access and CRL distribution point locations. See Specify CA certificate access points in issued certificates. In addition to specifying the access point locations in certificate templates, you must ensure that the network locations specified in certificates are online and accessible from domain members in all forests. The locations can be either LDAP or HTTP, depending on your certificate template configuration. See Configuring Certificate Revocation.
8. Publish the root CA certificate from the resource forest to the account forests by using Certutil.exe at a command prompt to run the following commands:
    a. certutil -config <Computer-Name>\<Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
       If you run the command on the root CA, you can omit the connection information, -config <Computer-Name>\<Root-CA-Name>.
    b. certutil -dspublish -f <root-ca-cert-filename.cer> RootCA
9. Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
    a. certutil -config <Computer-Name>\<Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
    b. certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
    c. certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA

Next, you must prepare certificate templates for the certificates required by domain member computers and users in all forests. If you are performing a new AD CS deployment, the default certificate templates in the resource forest can be used, or custom templates can be created to meet your requirements.
Review the list of Default certificate templates. Creating custom certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information,

To use the default certificate templates in the resource forest, skip the section on Consolidating certificate templates and continue at Copying PKI objects to account forests. To customize the default certificate templates, see Creating Certificate Templates. Continue at Copying PKI objects to account forests after you are finished customizing the certificate templates in the resource forest. If you are consolidating AD CS from multiple forests that have custom certificate templates which you must continue to use, then review the next section, Consolidating certificate templates from multiple forests, and complete the procedures that best meet your requirements.

The procedures described in this section require the Windows PowerShell script PKISync.ps1. Complete the procedure To save PKISync.ps1 to a file.
AD CS to issue certificates from the resource forest. Because all certificate templates remain available, the rate of certificate enrollment remains steady and there is no impact to users. This method reduces the number of CAs in the enterprise, but the resource forest might have multiple certificate templates for some types of certificates; for example, if certificate templates for S/MIME certificates are copied from multiple account forests into the resource forest.

Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in the resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions. The procedure must be completed for each certificate template you want to copy into the resource forest. You cannot copy multiple certificate templates simultaneously.

To copy certificate templates from an account forest to the resource forest
1. Start Windows PowerShell. Change the current directory to the location of the PKISync.ps1 script.
2. Copy the certificate template from the account forest by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Template -cn <certificate template common name>.
   Note: If a certificate template in the resource forest has the same name as the certificate template you want to copy from the account forest, you must rename the certificate template in the account forest before copying it to the resource forest. See Rename a Certificate Template.
3. Copy the OID container from the account forest by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Oid -f, and press ENTER.
4. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of the default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.
5. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify that the permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.
6. Publish the root CA certificate from the account forest to the resource forest by using Certutil.exe at a command prompt to run the following commands:
    a. certutil -config <Computer-Name>\<Account-Forest-Root-CA-Name> -ca.cert <root-ca-cert-filename.cer>
       If you are logged on to the CA, you can omit the connection information, -config <Computer-Name>\<Root-CA-Name>, to connect to the local CA.
    b. certutil -dspublish -f <root-ca-cert-filename.cer> RootCA
7. Publish enterprise CA certificates from the account forest into the NTAuthCertificates and AIA containers in the resource forest.
    a. certutil -config <Computer-Name>\<Account-Forest-Enterprise-CA-Name> -ca.cert <enterprise-ca-cert-filename.cer>
    b. certutil -dspublish -f <enterprise-ca-cert-filename.cer> NTAuthCA
    c. certutil -dspublish -f <enterprise-ca-cert-filename.cer> SubCA
   Note: Steps 6 and 7 are required because renewal requests can be signed by certificates issued by CAs in the account forests. The CA certificates from the account forests are required for certificates issued in the account forests to be valid in the resource forest.
8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe, and press ENTER. The sanitized name is displayed in the command output.
10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.
11. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
Consolidating certificate templates with similar purposes from multiple account forests
Instead of combining certificate templates from all account forests and managing redundant certificate templates (as described in the previous section), you can minimize the number of certificate templates in the resource forest by reviewing the certificate templates issued in each account forest based on cryptographic purpose and certificate template properties. Define a set of certificate templates for the resource forest that can replace all certificate templates in the account forests.

When consolidating certificate templates from multiple account forests into a single set of templates in the resource forest, two approaches are available.
1. Stop issuing certificates in account forests by removing all certificate templates from account forest CAs, and publish certificate templates in the resource forest for all certificate types required in the account forests. Because certificates issued in the account forest remain valid until they expire, this method does not cause a spike in certificate enrollment and has low user impact. However, until existing certificates issued by the account forest expire, two valid certificates for the same purpose are found in a user's certificate store, which might result in a user prompt for certificate selection and possibly increased help desk calls. Additionally, you must continue to publish CRLs and CA certificates for the account forest PKI.
2. Publish certificate templates in the resource forest which supersede certificate templates in account forests, and force immediate reenrollment. This method causes a spike in certificate enrollment because all domain members will enroll for the new certificate within a short period of time. However, AD CS resources in account forests can be decommissioned sooner.

The procedure To consolidate certificate templates can be used for both approaches. Steps for superseding are noted. Complete the procedures from a domain member computer that has access to the resource and account forests. Log on using an account with permissions to update AD objects in the resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions. The procedure must be completed for each certificate template type you want to issue from the resource forest.

To consolidate certificate templates
1. Copy certificate templates from account forests by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Template -cn <certificate template common name>.
2. Copy the OID container from account forests by using the command .\PKISync.ps1 -sourceforest <account forest DNS> -targetforest <resource forest DNS> -type Oid -f.
3. If you are superseding certificate templates from account forests, repeat steps 1 and 2 for all certificate templates in account forests that are superseded by the new certificate template in the resource forest.
4. Duplicate a certificate template you copied from an account forest, and customize it if necessary. See Creating Certificate Templates.
5. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of the default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.
6. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify that the permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.
7. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.
8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe, and press ENTER. The sanitized name is displayed in the command output.
   Note: If you are superseding certificate templates from account forests, repeat steps 9 through 12 for each account forest you copied certificate templates from in step 1.
10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.
11. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.
12. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
within a short period of time; however, AD CS resources in account forests can be decommissioned immediately.

To consolidate version 2 and version 3 default certificate templates
1. Duplicate a version 2 or version 3 default certificate template, and customize it if necessary. See Creating Certificate Templates.
2. Grant administrators permissions on the certificate template in the resource forest. Grant Full control to the Enterprise Admins group, which is the equivalent of the default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.
3. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.
4. (Optional) Supersede certificate templates from account forests by using the Certificate Templates snap-in to add all superseded certificate templates from account forests to the Superseded templates tab on the certificate template properties sheet. See Supersede Templates.
5. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
6. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe, and press ENTER. The sanitized name is displayed in the command output.
   Note: If you are superseding certificate templates from account forests, repeat steps 6 through 9 for each account forest you copied certificate templates from in step 1.
7. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.
8. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.
9. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
To consolidate version 1 default certificate templates
1. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users in all account forests. See the Security Tab section of Administering Certificate Templates.
2. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
3. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type CA -cn <enterprise CA sanitized name> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe, and press ENTER. The sanitized name is displayed in the command output.
4. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Template -cn <certificate template common name> -f.
5. Copy the OID container from the resource forest by using the command .\PKISync.ps1 -sourceforest <resource forest DNS> -targetforest <account forest DNS> -type Oid -f.
6. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
In the cross-forest enrollment deployments described in this guide, the resource forest holds the master copy of PKI objects. The PKI objects described in this section must be the same in all forests. To maintain consistency across all forests, PKI objects in the resource forest should be copied to the account forests frequently. Scripts and examples for automated copying are described in AD CS: Managing Cross-forest Certificate Enrollment. You can use PKISync.ps1 during initial deployment and to keep resource and account forest PKI objects synchronized. PKISync.ps1 copies objects in the source forest to the target forest. Objects in the source forest are not changed by script operations.
CA certificates are not copied by PKISync.ps1. When CA certificates are renewed, you must manually publish the CA certificates to account forests by using the commands described in Deploying AD CS for cross-forest certificate enrollment.

First, complete the procedure to save PKISync.ps1 to a file, as described in AD CS: PKISync.ps1 Script for Cross-forest Certificate Enrollment. Next, complete the following procedure.

To copy PKI objects by using PKISync.ps1
1. Start Windows PowerShell.
2. Type .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-f] and press ENTER. When copying from the resource forest, <SourceForestDNS> is the DNS name of the resource forest and <TargetForestDNS> is the DNS name of an account forest.
   Warning: [-f] is an optional argument. When [-f] is used, objects in <TargetForestDNS> are deleted and replaced by objects with the same name from <SourceForestDNS>. When [-f] is not used, you are prompted to confirm before objects are deleted.
3. Repeat for each account forest.
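The CA certificate publishing just referred to (steps 5, 8 and 9 of Deploying AD CS for cross-forest certificate enrollment) has to be repeated for every account forest and again after each CA certificate renewal. The following PowerShell is an added example, not part of the white paper or of PKISync.ps1: it wraps the same certutil commands in functions that export each CA certificate once, publish it into every account forest, and first check that the enterprise CA really has EDITF_ENABLELDAPREFERRALS set. It uses certutil's -dc option (not shown on the page) to direct each -dspublish at a domain controller of the account forest; the CA names, DC names and output folder are placeholders.

```powershell
# Added example (not from the white paper): publish resource-forest CA certificates
# into every account forest and confirm the enterprise CA has LDAP referrals enabled.
# Run from a domain member of the resource forest, logged on with an account that may
# update the PKI containers of each account forest (see the deployment prerequisites).

$RootCA       = 'ROOTCA01\Contoso Root CA'           # <Computer-Name>\<Root-CA-Name>        (placeholder)
$EnterpriseCA = 'ISSCA01\Contoso Issuing CA'         # <Computer-Name>\<Enterprise-CA-Name>  (placeholder)
$AccountDCs   = @('dc1.forestb.example', 'dc1.forestc.example')  # one writable DC per account forest (placeholders)
$OutDir       = Join-Path $env:TEMP 'ca-certs'

function Invoke-CertUtil {
    # Runs certutil.exe with the given arguments and throws on a non-zero exit code,
    # so a failed export or publish stops the run instead of being silently skipped.
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Test-LdapReferralsEnabled {
    # Check for step 5: certutil -getreg decodes EditFlags and prints each set flag by name.
    param([string]$CAConfig)
    $out = Invoke-CertUtil @('-config', $CAConfig, '-getreg', 'Policy\EditFlags')
    return [bool]($out -match 'EDITF_ENABLELDAPREFERRALS')
}

function Export-CACertificate {
    # Steps 8a / 9a: write the CA's current certificate to a .cer file.
    param([string]$CAConfig, [string]$Path)
    Invoke-CertUtil @('-config', $CAConfig, '-ca.cert', $Path) | Out-Null
    return $Path
}

function Publish-CACertificateToForest {
    # Steps 8b / 9b / 9c against one account forest. -dc targets a DC in that forest;
    # -f replaces an existing object, which is what a renewed CA certificate requires.
    param([string]$DomainController, [string]$CertPath, [string[]]$Containers)
    foreach ($container in $Containers) {
        Invoke-CertUtil @('-dc', $DomainController, '-dspublish', '-f', $CertPath, $container) | Out-Null
        Write-Host "Published $(Split-Path $CertPath -Leaf) to $container via $DomainController"
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

if (-not (Test-LdapReferralsEnabled $EnterpriseCA)) {
    throw "$EnterpriseCA does not have EDITF_ENABLELDAPREFERRALS set; complete step 5 first."
}

$rootCert = Export-CACertificate $RootCA       (Join-Path $OutDir 'root-ca-cert.cer')
$entCert  = Export-CACertificate $EnterpriseCA (Join-Path $OutDir 'enterprise-ca-cert.cer')

foreach ($dc in $AccountDCs) {
    Publish-CACertificateToForest $dc $rootCert @('RootCA')             # step 8b
    Publish-CACertificateToForest $dc $entCert  @('NTAuthCA', 'SubCA')  # steps 9b, 9c
}
```

Publishing into RootCA and NTAuthCA requires the permissions described in the deployment steps in each account forest; the script stops at the first forest where certutil reports an access error.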
After certificate templates have been removed from a CA in an account forest, the CA can be decommissioned. Complete the procedures described in section Removing a CA from Active Directory in CA Maintenance.
Monitoring AD CS events
Alternatively, you can monitor AD CS events and raise alerts or run a script in response to events that indicate a change to PKI objects. You must configure auditing on CAs for some AD CS events to be recorded in the event log. Complete the following procedure on each CA you want to monitor.

To enable AD CS event auditing
1. Start an MMC console and add the Group Policy Object Editor for the local computer.
2. In the tree view, click Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3. In the details pane, double-click Audit object access.
4. Click Success, then click OK.
5. Start the Certification Authority snap-in.
6. In the tree view, right-click your CA and click Properties.
7. Click the Auditing tab.
8. Click Change CA configuration and Change CA security settings, then click OK.
9. Restart the CA service by using the command sc stop certsvc && sc start certsvc. (sc stop returns before the service has finished stopping; if sc start reports that the service is still running, wait a moment and run sc start certsvc again. The net stop certsvc && net start certsvc form used in the deployment steps waits for the stop to complete.)

The following table lists events you can monitor.

Event Id   Event log     Event source                                Description
26         Application   Microsoft-Windows-CertificationAuthority    Active Directory Certificate Services for %1 was started.
4882       Security      Microsoft-Windows-Security-Auditing         The security permissions for Certificate Services changed.
4892       Security      Microsoft-Windows-Security-Auditing         Certificate Services loaded a template.
4899       Security      Microsoft-Windows-Security-Auditing         A Certificate Services template was updated.
4892       Security      Microsoft-Windows-Security-Auditing         A property of Certificate Services changed.
Using automation
Detailed instructions for configuring automation are not provided in this document. Use the guidance and script provided in this document and any of the following systems to develop a solution that meets the requirements of your organization:
- System Center Operations Manager can be used to monitor your CAs for events and alert administrators or run custom scripts or code in response to specified events.
- Windows and Directory Access APIs can be used to subscribe to events on your CA and run custom code to manage PKI objects in AD.
- Microsoft Forefront Identity Manager or Microsoft Identity Lifecycle Manager can be used to synchronize PKI objects in account forests with objects in the resource forest. See Microsoft Forefront Identity Manager.
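A minimal version of the event-driven automation described above, added here as an example and not taken from the white paper or its scripts: it polls the CA's Application and Security logs for the event IDs in the table in Monitoring AD CS events and, when any has been logged since the last run, repeats the PKISync.ps1 copy of Copying PKI objects to account forests for every account forest, reporting the forests where the script failed. Forest names, the script path and the state file are placeholders; event ID 4898 (Certificate Services loaded a template, from the Windows security auditing reference) is added alongside the table's IDs.

```powershell
# Added example (not from the white paper): poll the CA's event logs for PKI object
# changes and re-copy PKI objects from the resource forest to every account forest.
# Intended to run on each enterprise CA from a scheduled task; reading the Security
# log requires an elevated (administrator) context.

$ResourceForest = 'foresta.example'                        # placeholder
$AccountForests = @('forestb.example', 'forestc.example')  # placeholders
$PKISync        = 'C:\PKI\PKISync.ps1'                     # where you saved the script (placeholder)
$StateFile      = 'C:\PKI\last-sync.txt'                   # remembers when the last copy ran (placeholder)

# Event IDs from the table in "Monitoring AD CS events" (4882, 4892, 4899) plus 4898,
# the Windows security auditing ID for "Certificate Services loaded a template".
$Watched = @(
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 26 },
    @{ LogName = 'Security';    ProviderName = 'Microsoft-Windows-Security-Auditing';     Id = 4882, 4892, 4898, 4899 }
)

function Get-LastSyncTime {
    # Returns the timestamp recorded by the previous successful run, or one day ago on first use.
    if (Test-Path $StateFile) {
        return [datetime]::Parse((Get-Content $StateFile -TotalCount 1))
    }
    return (Get-Date).AddDays(-1)
}

function Get-PkiChangeEvents {
    # Returns the watched events logged since $Since (an empty array when there are none).
    param([datetime]$Since)
    $found = @()
    foreach ($filter in $Watched) {
        $filter['StartTime'] = $Since
        # Get-WinEvent reports "no events were found" as an error; that case is simply an empty result here.
        $found += @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }
    return $found
}

function Sync-PkiObjectsToAccountForests {
    # "Repeat for each account forest": run PKISync.ps1 with -f so the account-forest copies
    # are replaced by the resource-forest master. Returns the forests where the script failed.
    $failed = @()
    foreach ($forest in $AccountForests) {
        # A separate powershell.exe process gives a reliable exit code (PKISync.ps1 exits 87 on bad parameters).
        & powershell.exe -NoProfile -File $PKISync -sourceforest $ResourceForest -targetforest $forest -f
        if ($LASTEXITCODE -ne 0) { $failed += $forest }
    }
    return $failed
}

$since  = Get-LastSyncTime
$events = @(Get-PkiChangeEvents -Since $since)
if ($events.Count -eq 0) {
    Write-Host "No PKI object changes on this CA since $since; nothing to copy."
    return
}

$events | ForEach-Object { Write-Host ("{0} {1,-5} {2}" -f $_.TimeCreated, $_.Id, $_.ProviderName) }
$failed = @(Sync-PkiObjectsToAccountForests)
if ($failed.Count -gt 0) {
    Write-Warning "PKISync.ps1 failed for: $($failed -join ', '); these account forests are out of sync."
    exit 1
}
(Get-Date).ToString('o') | Set-Content $StateFile
```

Because the state file is only updated after every account forest copied successfully, a failed forest is retried on the next scheduled run rather than silently left behind.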
Saving PKISync.ps1
To save PKISync.ps1 to a file
1. Click Copy Code at the top of the code section.
2. Start Notepad.
3. On the Edit menu, click Paste.
4. On the File menu, click Save.
5. Type a path for the file, type the file name PKISync.ps1, and click Save.
# # This script allows updating PKI objects in Active Directory for the # cross-forest certificate enrollment # #This sample script is not supported under any Microsoft standard support #program or service. This sample script is provided AS IS without warranty of #any kind. Microsoft further disclaims all implied warranties including, #without limitation, any implied warranties of merchantability or of fitness #for a particular purpose. The entire risk arising out of the use or #performance of the sample scripts and documentation remains with you. In no #event shall Microsoft, its authors, or anyone else involved in the creation, #production, or delivery of the scripts be liable for any damages whatsoever # (including, without limitation, damages for loss of business profits, business #interruption, loss of business information, or other pecuniary loss) arising #out of the use of or inability to use this sample script or documentation, #even if Microsoft has been advised of the possibility of such damages. #
#
# Command line variables
#
$SourceForestName = ""
$TargetForestName = ""
$SourceDC = ""
$TargetDC = ""
# Defaults for the remaining options (assumed; the extracted text shows none,
# but the switch at the end of the script expects "all" when -type is omitted
# and the flags are compared against $FALSE)
$ObjectType = "all"
$ObjectCN = $null
$OverWrite = $FALSE
$DryRun = $FALSE
$DeleteOnly = $FALSE

function ParseCommandLine()
{
    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        # switch comparisons are case-insensitive, so -deleteOnly matches the lowercased argument
        switch($Script:args[$i].ToLower())
        {
            "-sourceforest"
            {
                $i++
                $Script:SourceForestName = $Script:args[$i]
            }
            "-targetforest"
            {
                $i++
                $Script:TargetForestName = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectCN = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i].ToLower()
            }
            "-f"
            {
                $Script:OverWrite = $TRUE
            }
            "-whatif"
            {
                $Script:DryRun = $TRUE
            }
            "-deleteOnly"
            {
                $Script:DeleteOnly = $TRUE
            }
            "-targetdc"
            {
                $i++
                $Script:TargetDC = $Script:args[$i]
            }
            "-sourcedc"
            {
                $i++
                $Script:SourceDC = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}
function Usage()
{
    write-host ""
    write-host "Script to copy or delete PKI objects (default is copy)"
    write-host ""
    write-host " Copy Command:"
    write-host ""
    write-host " .\PKISync.ps1 -sourceforest <SourceForestDNS> -targetforest <TargetForestDNS> [-sourceDC <SourceDCDNS>] [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-f] [-whatif]"
    write-host ""
    write-host " Delete Command:"
    write-host ""
    write-host " .\PKISync.ps1 -targetforest <TargetForestDNS> [-targetDC <TargetDCDNS>] [-type <CA|Template|OID> [-cn <ObjectCN>]] [-deleteOnly] [-whatif]"
    write-host ""
    write-host "-sourceforest -- DNS of the forest to process object from"
    write-host "-targetforest -- DNS of the forest to process object to"
    write-host "-sourcedc     -- DNS of the DC in the source forest to process object from"
    write-host "-targetdc     -- DNS of the DC in the target forest to process object to"
    write-host "-type         -- Type of object to process, if omitted then all object types are processed"
    write-host "     CA       -- Process CA object(s)"
    write-host "     Template -- Process Template object(s)"
    write-host "     OID      -- Process OID object(s)"
    write-host '-cn           -- CN of the object to process, do not include the cn= (ie "User" and not "CN=User")'
    write-host "                 This option is only valid if -type <> is also specified"
    write-host "-f            -- Force overwrite of existing objects when copying. Ignored when deleting."
    write-host "-whatif       -- Display what object(s) will be processed without processing"
    write-host "-deleteOnly   -- Will delete object in the target forest if it exists"
    write-host ""
}
#
# Build a list of attributes to copy for some object type
#
function GetSchemaSystemMayContain($ForestContext, $ObjectType)
{
    #
    # first get all attributes that are part of systemMayContain list
    #
    $SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectType).GetDirectoryEntry()
    $SystemMayContain = $SchemaDE.systemMayContain

    #
    # if schema was upgraded with adprep.exe, we need to check mayContain list as well
    # ([void] discards the index returned by Add so it is not emitted as function output)
    #
    if($null -ne $SchemaDE.mayContain)
    {
        $MayContain = $SchemaDE.mayContain
        foreach($attr in $MayContain)
        {
            [void]$SystemMayContain.Add($attr)
        }
    }

    #
    # special case some of the inherited attributes
    #
    if (-1 -eq $SystemMayContain.IndexOf("displayName"))
    {
        [void]$SystemMayContain.Add("displayName")
    }
    if (-1 -eq $SystemMayContain.IndexOf("flags"))
    {
        [void]$SystemMayContain.Add("flags")
    }

    return $SystemMayContain
}
#
# Copy or delete all objects of some type
#
function ProcessAllObjects($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN)
{
    $SourceObjectsDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $ObjectCN = $null

    foreach($ChildNode in $SourceObjectsDE.psbase.get_Children())
    {
        # if some object failed, we will try to continue with the rest
        trap
        {
            # CN may be null here, but it's ok. Doing best effort.
            write-warning ("Error while copying an object. CN=" + $ObjectCN)
            write-warning $_
            write-warning $_.InvocationInfo.PositionMessage
            continue
        }

        # The loop body was lost at a page break in the source; it is reconstructed
        # from the per-object ProcessObject signature: read the CN and process it.
        $ObjectCN = $ChildNode.psbase.Properties["cn"].Value
        ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE $RelativeDN $ObjectCN
        $ObjectCN = $null
    }
}
#
# Copy or delete an object
#
function ProcessObject($SourcePKIServicesDE, $TargetPKIServicesDE, $RelativeDN, $ObjectCN)
{
    $SourceObjectContainerDE = $SourcePKIServicesDE.psbase.get_Children().find($RelativeDN)
    $TargetObjectContainerDE = $TargetPKIServicesDE.psbase.get_Children().find($RelativeDN)

    #
    # when copying make sure there is an object to copy
    #
    if($FALSE -eq $Script:DeleteOnly)
    {
        $DSSearcher = [System.DirectoryServices.DirectorySearcher]$SourceObjectContainerDE
        $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
        $SearchResult = $DSSearcher.FindAll()
        if (0 -eq $SearchResult.Count)
        {
            write-host ("Source object does not exist: CN=" + $ObjectCN + "," + $RelativeDN)
            return
        }
        $SourceObjectDE = $SourceObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)
    }

    #
    # Check to see if the target object exists, if it does delete if overwrite is enabled.
    # Also delete if this is a deletion only operation.
    #
    $DSSearcher = [System.DirectoryServices.DirectorySearcher]$TargetObjectContainerDE
    $DSSearcher.Filter = "(cn=" + $ObjectCN + ")"
    $SearchResult = $DSSearcher.FindAll()
    if ($SearchResult.Count -gt 0)
    {
        $TargetObjectDE = $TargetObjectContainerDE.psbase.get_Children().find("CN=" + $ObjectCN)

        if($Script:DeleteOnly)
        {
            write-host ("Deleting: " + $TargetObjectDE.DistinguishedName)
            if($FALSE -eq $DryRun)
            {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
            return
        }
        elseif ($Script:OverWrite)
        {
            write-host ("OverWriting: " + $TargetObjectDE.DistinguishedName)
            if($FALSE -eq $DryRun)
            {
                $TargetObjectContainerDE.psbase.get_Children().Remove($TargetObjectDE)
            }
        }
        else
        {
            write-warning ("Object exists, use -f to overwrite. Object: " + $TargetObjectDE.DistinguishedName)
            return
        }
    }
    else
    {
        if($Script:DeleteOnly)
        {
            write-warning ("Can't delete object. Object doesn't exist. Object: " + $ObjectCN + ", " + $TargetObjectContainerDE.DistinguishedName)
            return
        }
        else
        {
            write-host ("Copying Object: " + $SourceObjectDE.DistinguishedName)
        }
    }

    #
    # Only update the object if this is not a dry run
    #
    if($FALSE -eq $DryRun -and $FALSE -eq $Script:DeleteOnly)
    {
        #Create new AD object
        $NewDE = $TargetObjectContainerDE.psbase.get_Children().Add("CN=" + $ObjectCN, $SourceObjectDE.psbase.SchemaClassName)

        #Obtain systemMayContain for the object type from the AD schema
        $ObjectMayContain = GetSchemaSystemMayContain $SourceForestContext $SourceObjectDE.psbase.SchemaClassName

        #Copy attributes defined in the systemMayContain for the object type
        foreach($Attribute in $ObjectMayContain)
        {
            $AttributeValue = $SourceObjectDE.psbase.Properties[$Attribute].Value
            if ($null -ne $AttributeValue)
            {
                $NewDE.psbase.Properties[$Attribute].Value = $AttributeValue
                $NewDE.psbase.CommitChanges()
            }
        }

        #Copy security descriptor to new object. Only DACL is copied.
        $BinarySecurityDescriptor = $SourceObjectDE.psbase.ObjectSecurity.GetSecurityDescriptorBinaryForm()
        # The write-back below was lost at a page break in the source and is
        # reconstructed from the comment above: only the DACL (Access) section is applied.
        $NewDE.psbase.ObjectSecurity.SetSecurityDescriptorBinaryForm($BinarySecurityDescriptor, [System.Security.AccessControl.AccessControlSections]::Access)
        $NewDE.psbase.CommitChanges()
    }
}
#
# Get parent container for all PKI objects in the AD
#
function GetPKIServicesContainer([System.DirectoryServices.ActiveDirectory.DirectoryContext] $ForestContext, $dcName)
{
    $ForObj = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
    $DE = $ForObj.RootDomain.GetDirectoryEntry()

    # if a specific DC was requested, rebind the root domain entry to that DC
    if("" -ne $dcName)
    {
        $newPath = [System.Text.RegularExpressions.Regex]::Replace($DE.psbase.Path, "LDAP://\S*/", "LDAP://" + $dcName + "/")
        $DE = New-Object System.DirectoryServices.DirectoryEntry $newPath
    }

    # The container lookup was lost at a page break in the source; it is reconstructed
    # from the DN that DumpADObj.ps1 builds for the same container.
    $PKIServicesContainer = $DE.psbase.get_Children().find("CN=Public Key Services,CN=Services,CN=Configuration")

    return $PKIServicesContainer
}
#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap
{
    write-error "The script has encountered a fatal error. Terminating script."
    break
}
ParseCommandLine
#
# Get a hold of the containers in each forest
#
write-host ("Target Forest: " + $TargetForestName.ToUpper())
$TargetForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $TargetForestName
$TargetPKIServicesDE = GetPKIServicesContainer $TargetForestContext $Script:TargetDC

# Only need source forest when copying
if($FALSE -eq $Script:DeleteOnly)
{
    write-host ("Source Forest: " + $SourceForestName.ToUpper())
    $SourceForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $SourceForestName
    $SourcePKIServicesDE = GetPKIServicesContainer $SourceForestContext $Script:SourceDC
}

#
# Process the command
#
switch($ObjectType.ToLower())
{
    all
    {
        write-host ("Enrollment Services Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
        write-host ("Certificate Templates Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
        write-host ("OID Container")
        ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
    }
    ca
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Enrollment Services" $ObjectCN
        }
    }
    oid
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=OID" $ObjectCN
        }
    }
    template
    {
        if($null -eq $ObjectCN)
        {
            ProcessAllObjects $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates"
        }
        else
        {
            ProcessObject $SourcePKIServicesDE $TargetPKIServicesDE "CN=Certificate Templates" $ObjectCN
        }
    }
    default
    {
        write-warning ("Unknown object type: " + $ObjectType.ToLower())
        Usage
        exit 87
    }
}
Saving DumpADObj.ps1
To save DumpADObj.ps1 to a file
1. Click Copy Code at the top of the code section.
2. Start Notepad.
3. On the Edit menu, click Paste.
4. On the File menu, click Save.
5. Type a path for the file, type the file name DumpADObj.ps1, and click Save.
#
# This script dumps certificate template/CA information using ldifde.exe
#

#
# Command line arguments
#
$ForestName = ""
$DCName = ""
$ObjectType = ""
$ObjectName = ""
$OutFile = ""
function ParseCommandLine()
{
    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        switch($Script:args[$i].ToLower())
        {
            "-forest"
            {
                $i++
                $Script:ForestName = $Script:args[$i]
            }
            "-dc"
            {
                $i++
                $Script:DCName = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectName = $Script:args[$i]
            }
            "-file"
            {
                $i++
                $Script:OutFile = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}
function Usage()
{
    write-host ""
    write-host "Script to display attribute values of certificate template or CA object in AD"
    write-host ""
    write-host "dumpadobj.ps1 -forest <DNS name> -dc <DC name> -type <template|CA> -cn <Name> -file <output file>"
    write-host ""
    write-host "-forest -- DNS of the forest to process object from"
    write-host "-dc     -- DNS or NetBios name of the DC to target"
    write-host "-type   -- Template or CA"
    write-host "-cn     -- Template or CA name"
    write-host "-file   -- Output file"
    write-host ""
}
#
# All errors are fatal by default unless there is another 'trap' with 'continue'
#
trap
{
    write-error "The script has encountered a fatal error. Terminating script."
    break
}
ParseCommandLine
write-host ""
write-host "Effective settings:"
write-host ""
write-host "    Forest: $ForestName"
write-host "    DC: $DCName"
write-host "    Type: $ObjectType"
write-host "    Name: $ObjectName"
write-host "    File: $OutFile"
write-host ""
#
# Set type specific variables
#
switch($ObjectType.ToLower())
{
    "template"
    {
        $ObjectContainerCN = ",CN=Certificate Templates"
        $ObjectSchema = "pKICertificateTemplate"
    }
    "ca"
    {
        $ObjectContainerCN = ",CN=Enrollment Services"
        $ObjectSchema = "pKIEnrollmentService"
    }
    # The default case was lost at a page break in the source; it is reconstructed
    # after the same pattern used in PKISync.ps1.
    default
    {
        write-warning ("Unknown object type: " + $ObjectType)
        Usage
        exit 87
    }
}
#
# Build full DN for the object
#
$ForestDN = "DC=" + $ForestName.Replace(".", ",DC=")
$ObjectFullDN = "CN=" + $ObjectName + $ObjectContainerCN + ",CN=Public Key Services,CN=Services,CN=Configuration," + $ForestDN
#
# Build list of attributes to display
#
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext Forest, $ForestName
$SchemaDE = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]::FindByName($ForestContext, $ObjectSchema).GetDirectoryEntry()
$AttrList = $SchemaDE.systemMayContain
# join the attribute names into the comma-separated list ldifde expects for -l
$SB = New-Object System.Text.StringBuilder
for($i = 0; $i -lt $AttrList.Count; $i++)
{
    [void]$SB.Append($AttrList[$i])
    if($i -lt ($AttrList.Count - 1))
    {
        [void]$SB.Append(",")
    }
}
$AttrListString = $SB.ToString()
#
# Build command line and execute
#
$CommandLine = "-d """ + $ObjectFullDN + """ -p Base -l """ + $AttrListString + """ -f """ + $OutFile + """ -s " + $DCName
Invoke-Expression "ldifde.exe $CommandLine" > ldifde.out.txt
type "$OutFile"
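The following PowerShell is an added example, not part of the white paper or of DumpADObj.ps1: it compares two ldifde exports of the same template, such as the source-forest and target-forest dumps that DumpADObj.ps1 writes, and lists the attributes whose values differ, which is a quick way to verify that a cross-forest copy matches its source. The function names, the LDIF fragments and the forest names are constructed for the example.

```powershell
# Added example, not from the white paper: diff two ldifde exports of one
# template (e.g. DumpADObj.ps1 output from each forest) attribute by attribute.
function ConvertFrom-LdifRecord {
    param([string]$Ldif)
    # ldifde folds long values onto lines that start with a space; unfold them.
    $Ldif = $Ldif -replace "`r?`n ", ''
    $attrs = @{}
    foreach ($line in ($Ldif -split "`r?`n")) {
        if ($line -match '^\s*$' -or $line.StartsWith('#')) { continue }
        # "name:: value" marks a base64 value; it is kept verbatim, which still
        # lets identical values compare equal.
        $name, $value = $line -split ':+\s*', 2
        if ($attrs.ContainsKey($name)) { $attrs[$name] = @($attrs[$name]) + $value }
        else { $attrs[$name] = $value }
    }
    return $attrs
}
# Report every attribute whose sorted value set differs between the records.
# The dn is skipped because it legitimately differs between forests.
function Compare-LdifRecord {
    param([hashtable]$Source, [hashtable]$Target)
    $diffs = @()
    $names = @($Source.Keys) + @($Target.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        if ($n -eq 'dn') { continue }
        $s = (@($Source[$n]) | Sort-Object) -join ';'
        $t = (@($Target[$n]) | Sort-Object) -join ';'
        if ($s -ne $t) {
            $diffs += [pscustomobject]@{ Attribute = $n; Source = $s; Target = $t }
        }
    }
    return $diffs
}
# Constructed sample exports (fictitious forests): the target copy lacks one EKU
# and carries an older msPKI-Template-Schema-Version, which a sync check should flag.
$sourceLdif = @"
dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=resource,DC=example
msPKI-Template-Schema-Version: 2
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4
flags: 66106
"@
$targetLdif = @"
dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=account,DC=example
msPKI-Template-Schema-Version: 1
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4
flags: 66106
"@
Compare-LdifRecord (ConvertFrom-LdifRecord $sourceLdif) (ConvertFrom-LdifRecord $targetLdif) | Format-Table -AutoSize
```

With real exports, read each file with Get-Content -Raw and pass the two strings in place of the constructed here-strings.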
Online Version
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2 http://technet.microsoft.com/en-us/library/ff955842.aspx