Monday, November 15, 2010

Cross-forest Certificate Enrollment

When deploying Cross-forest Certificate Enrollment with Windows Server 2008 R2, one of the steps is to add the issuing CA to the "Cert Publishers" group in each domain that will be auto-enrolling with the new CA. I ran into a small issue at a client where that wasn't possible because the "Cert Publishers" group was a domain global group, which can only contain members from the domain in which the group exists.

To get around this, you have to modify the "Cert Publishers" group to be a domain local group. This is the default for all domains created as Windows Server 2003 or newer, but for Windows 2000 domains it was created as a domain global group. This design change is detailed in this KB article.

The UI does not allow you to change the group scope for this group, but the change can still be made with dsmod. Use the following syntax:

dsmod group <DN of Cert Publishers Group> -scope l

For example:

dsmod group "CN=Cert Publishers,CN=Users,DC=domain,DC=com" -scope l

Full details on using dsmod to change the scope can be found here.
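As an added example (not part of the original post), the same scope change done with the ActiveDirectory PowerShell module instead of dsmod, with a check of the current scope first and a verification afterwards. It assumes the ActiveDirectory module (RSAT) is installed, that the account has rights to modify the group, and the distinguished name is a placeholder for the target domain. Active Directory does not permit converting a group directly from global to domain local; the scope has to pass through universal first, so the script does the conversion in two steps when it finds a global group.

```powershell
# Added example, not from the original post: convert the "Cert Publishers"
# group to domain local scope with the ActiveDirectory module and verify it.
# Assumes the ActiveDirectory module is available and the caller may modify
# the group. The DN below is a placeholder for the domain being fixed.
Import-Module ActiveDirectory

$groupDN = 'CN=Cert Publishers,CN=Users,DC=domain,DC=com'   # placeholder DN

$group = Get-ADGroup -Identity $groupDN -Properties GroupScope, Members

if ($group.GroupScope -eq 'DomainLocal') {
    Write-Host "Cert Publishers is already domain local; nothing to change."
}
else {
    # AD rejects a direct Global -> DomainLocal change, so step through
    # Universal when the group is still global (the Windows 2000 default).
    if ($group.GroupScope -eq 'Global') {
        Set-ADGroup -Identity $groupDN -GroupScope Universal
    }
    Set-ADGroup -Identity $groupDN -GroupScope DomainLocal
}

# Verify before adding the issuing CA from the other forest as a member.
$after = Get-ADGroup -Identity $groupDN -Properties GroupScope, Members
if ($after.GroupScope -ne 'DomainLocal') {
    throw "Cert Publishers scope is $($after.GroupScope), expected DomainLocal"
}
Write-Host "Cert Publishers scope is now $($after.GroupScope)."
Write-Host "Current members:"
$after.Members | ForEach-Object { Write-Host "  $_" }
```

Reading the members back as distinguished names (rather than with Get-ADGroupMember) keeps the verification working once the group holds a foreign security principal for the CA in the other forest.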