Recently I worked with a customer who wanted 802.1x authentication across their whole organisation. Normally this is quite a simple task, but this particular customer had multiple forests because they had acquired companies in other countries.
A migration or consolidation was not an option for the customer, so I dug up an old article written for Server 2008 R2 and decided to try it out on Server 2022.
The Setup
The first step was to build a test setup, which was easy since I already had my homelab domain: I configured a new VLAN on my firewall, spun up two Windows Server 2022 VMs and got the “dev” domain up and running.
After the initial setup of the second domain, I established a transitive forest trust with forest-wide authentication; from then on it was configuration time.
On my existing homelab AD CS PKI I enabled the ENABLELDAPREFERRALS flag so that clients in the new forest can request certificates from it.
certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS
net stop certsvc && net start certsvc
Then I exported the Root CA certificate and published it in the dev domain's RootCA and NTAuth stores.
Note: do this on a machine in the second forest.
certutil -dspublish -f <RootCACertificateFile> RootCA
certutil -dspublish -f <RootCACertificateFile> NtAuthCA
Note: if you have the Certificate Management RSAT tools installed, you can also use “pkiview.msc” to add certificates to the NTAuthCA store.
In case of a two-tier PKI deployment, you should also add your Sub CA certificate to the SubCA and NTAuth stores:
certutil -dspublish -f <SubCACertificateFile> SubCA
certutil -dspublish -f <SubCACertificateFile> NtAuthCA
A quick check confirmed that my Sub and Root CA certificates were imported into the NTAuth store of the dev domain; the same check can be run against all of the stores mentioned above.
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootNameSpace>?cACertificate"
As a next step, I added my homelab CA's computer account to the Cert Publishers AD group in the dev domain.
Then I set the template permissions; in this case, “Domain Computers” should be able to enroll for the Computer certificate template.
To distribute the Root certificate and to enable autoenrollment, I created a simple GPO.
As a last step, I tested everything by running PKISync.ps1, which is provided on the Microsoft website. The script reads the CN=Public Key Services,CN=Services,CN=Configuration container of the source forest and copies everything over.
This is how Certificate Templates get written to the PKI-less forest.
.\PKISync.ps1 -sourceforest homelab.local -targetforest dev.local -f
This should be run every time changes are made to the Certificate Templates of the source forest, but I will probably let it run as a scheduled task anyway.
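To verify the end result of the steps above, here is an added PowerShell check (not part of the original post or of Microsoft's PKISync.ps1) that is run on a client in the target forest: it confirms the CA certificates are in the target forest's NTAuth store, that the template was replicated, that the client actually autoenrolled a certificate from a cross-forest CA, and optionally that the referral flag is set on the source-forest CA. The thumbprints, the template name and the CA config string are placeholders to fill in; the ActiveDirectory RSAT module is assumed.

```powershell
# Added verification script, not from the original post. Assumptions: run as an administrator on a
# domain-joined client in the target (dev) forest with the ActiveDirectory RSAT module installed;
# the thumbprints and the CA config string are placeholders to fill in from your environment.
param(
    [string[]]$ExpectedThumbprints = @('<RootCAThumbprint>', '<SubCAThumbprint>'),
    [string]$TemplateName = 'Machine',                   # internal name of the default Computer template
    [string]$CAConfig     = '<CAHostFQDN>\<CAName>'      # issuing CA in the source (homelab) forest
)
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Decode the multi-valued cACertificate attribute of a PKI container into X509 objects
function Get-PublishedCACerts([string]$Dn) {
    $obj = Get-ADObject -Identity $Dn -Properties cACertificate -ErrorAction Stop
    foreach ($raw in $obj.cACertificate) {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
}

# 1. NTAuth store of the target forest: every CA that issues logon-capable certificates must be here
$ntAuth = @(Get-PublishedCACerts "CN=NTAuthCertificates,$pkiBase")
foreach ($tp in $ExpectedThumbprints) {
    $hit = $ntAuth | Where-Object Thumbprint -eq $tp
    if ($hit) { Write-Host "OK       NTAuth contains $($hit.Subject)" }
    else      { Write-Warning "MISSING  NTAuth lacks thumbprint $tp" }
}

# 2. Templates copied by PKISync.ps1 land in the Certificate Templates container of the target forest
$tmplDn = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"
if (Get-ADObject -Identity $tmplDn -ErrorAction SilentlyContinue) {
    Write-Host "OK       template '$TemplateName' is present in the target forest"
} else {
    Write-Warning "MISSING  template '$TemplateName' not found; re-run PKISync.ps1"
}

# 3. Autoenrollment on this client: a machine certificate whose issuer is one of the NTAuth CAs
$caSubjects = $ntAuth.Subject
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $caSubjects -contains $_.Issuer }
if ($issued) {
    $issued | ForEach-Object { Write-Host "OK       enrolled: $($_.Subject) (expires $($_.NotAfter))" }
} else {
    Write-Warning "MISSING  no certificate issued by a cross-forest CA; run 'gpupdate /force' and 'certutil -pulse'"
}

# 4. Optional: confirm the referral flag on the source-forest CA (needs DCOM access across the trust)
$editFlags = certutil -config $CAConfig -getreg Policy\EditFlags 2>$null
if ($editFlags -match 'EDITF_ENABLELDAPREFERRALS') { Write-Host "OK       EDITF_ENABLELDAPREFERRALS is set on $CAConfig" }
else { Write-Warning "CHECK    EDITF_ENABLELDAPREFERRALS not reported by $CAConfig" }
```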
The conclusion?
For me, this worked out pretty well: my dev domain devices now receive the certificate they need.