I'm dealing with a cross-forest trust setup involving two domains: Domain A (the resource forest) and Domain B (the account forest). We have a subordinate issuing Certificate Authority (CA) in Domain A, and we've successfully extended certificate enrollment to all users and systems in Domain B through PKISync. However, our Domain Controllers (DCs) in Domain B, which were built from DC templates, have certificates that have already expired. Surprisingly, we haven't noticed any issues so far. I've been informed that we may need to establish another subordinate CA in Domain B specifically to issue a Kerberos Authentication certificate for the DCs. Since we're in the process of sunsetting Domain B, I'm curious about a few things:
1. What potential side effects can we expect from the DCs in Domain B lacking valid DC templated certificates? Could it lead to Kerberos authentication problems or trust issues?
2. Is it worthwhile to set up another CA given the potential for overhead and new security risks?
3. Is there any Microsoft documentation indicating that Domain Controller certificate templates can't be used across forests? I managed to copy the templates to Domain B using PKISync, but the DCs report that the requested certificate template is not supported.
5 Answers
It's definitely possible to issue cross-forest DC certificates. The trick might be in the permissions for your template; you need to ensure that the REMOTE DOMAIN\Domain Controllers group is added, and then rerun PKISync. Also, remember to publish the subCA to the NTAUTH store using the 'Certutil' command—it's necessary for proper operation. Without a valid cert, you might run into issues with Kerberos pkinit, LDAPS, or smart card logon.
Do the DCs in Domain B have a trusted root certificate from Domain A loaded? That's the first thing to check.
They do, yes.
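The checks the two answers above ask for (Domain A root trusted, sub CA published to NTAuth, state of the DC's own certificates) can be run from an elevated PowerShell on a Domain B DC. This is an added example, not code from the thread; the two CA names are placeholders you substitute, and the EKU and extension OIDs are the standard Microsoft ones.

```powershell
# Added audit script (not from the thread). Run elevated on a Domain B DC.
# ASSUMPTIONS: the two CA names are placeholders; replace with your own.
$RootCAName    = 'DomainA-Root-CA'       # assumed name of the Domain A root CA
$IssuingCAName = 'DomainA-Issuing-CA'    # assumed name of the Domain A sub CA
$KdcEku        = '1.3.6.1.5.2.3.5'       # KDC Authentication EKU (Kerberos Authentication template)
$TemplateOid   = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information extension

# 1. Does this DC trust the Domain A root? (the first thing to check)
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$RootCAName*" }
if ($root) { "[OK]   Root '$RootCAName' in Trusted Root, valid until $($root.NotAfter)" }
else       { "[FAIL] Root '$RootCAName' missing from Trusted Root store" }

# 2. Is the issuing CA in the enterprise NTAuth store? Certificate logon
#    (PKINIT, smart card) only accepts issuers listed there.
$ntauth = certutil -store -enterprise NTAuth | Out-String
if ($ntauth -match [regex]::Escape($IssuingCAName)) {
    "[OK]   '$IssuingCAName' is published to NTAuth"
} else {
    "[FAIL] '$IssuingCAName' not in NTAuth; publish with: certutil -dspublish -f <SubCA.cer> NTAuthCA"
}

# 3. Inventory the DC's own certificates: issuing template, KDC Authentication
#    EKU present or not, and validity (the question reports expired DC certs).
$now = Get-Date
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tmplExt = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    $tmpl    = if ($tmplExt) { $tmplExt.Format($false) -replace '^Template=([^(,]+).*', '$1' } else { '(none)' }
    $status  = if ($_.NotAfter -lt $now) { 'EXPIRED' }
               elseif ($_.NotAfter -lt $now.AddDays(30)) { 'EXPIRING' }
               else { 'VALID' }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Issuer     = ($_.Issuer -replace '^CN=([^,]+).*', '$1')
        Template   = $tmpl
        KdcAuthEku = [bool]($_.EnhancedKeyUsageList.ObjectId -contains $KdcEku)
        NotAfter   = $_.NotAfter
        Status     = $status
    }
}
$dcCerts | Sort-Object NotAfter | Format-Table -AutoSize

# Password-based Kerberos keeps working without any DC certificate, which is why
# nothing appears broken; PKINIT and smart card logon against this DC do not.
if (-not ($dcCerts | Where-Object { $_.KdcAuthEku -and $_.Status -ne 'EXPIRED' })) {
    "[WARN] No unexpired certificate with the KDC Authentication EKU on this DC"
}
```

LDAPS is a separate concern: it needs any unexpired certificate with the Server Authentication EKU and the DC's FQDN, which the inventory above also lists.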
You might find useful insights at this Microsoft blog on cross-forest certificate enrollment. It covers a lot of ground on the topic: https://techcommunity.microsoft.com/blog/askds/cross-forest---certificate-enrollment/4463246
You might want to check out the r/PKI community. They have a lot of expertise in handling multiple forests and domains, especially with ADCS PKI setups.
Thanks! I'll crosspost there.
DC certificates are mainly necessary for two things: enabling LDAPS and smartcard logon. For Kerberos or trusts specifically, they aren't required. As for your issue with the Kerberos template, I've heard that the domain controller certificates have some unique restrictions, but you should find more info on Microsoft's blog about consolidating these certificates.

This advice is spot on. I've got a similar setup working with three forests, and it functions smoothly!