Deploying Cross-forest Certificate Enrollment question
Hi all,
I have a forest with 3 domains (let's say A_DOM, B_DOM, C_DOM). All domains have the Windows 2008 R2 functional level. A two-way forest trust exists between A_DOM and B_DOM, and between A_DOM and C_DOM.
In A_DOM I have an Enterprise Root CA. No CA exists in B_DOM and C_DOM.
I'm following http://technet.microsoft.com/en-us/library/ff955845(v=ws.10)
but I think I have not understood point 3 well: "Establish a root CA in the resource forest by deploying a new root CA or by designating an existing standalone or enterprise root CA."
Do I have to make my Enterprise Root CA a Root CA? How?
July 16th, 2012 5:35am
> Do I have to make my Enterprise Root CA a Root CA? How?
No, you have to install a root CA *certificate* in the resource forest if it wasn't done previously. This is necessary to establish a trust to this root. If you already have a root CA (existing PKI), then just publish the existing root certificate. The sentence is not about CA server designation. Of course, the issuing CA for cross-forest enrollment must be an Enterprise Subordinate (an Enterprise root is not a good idea).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
July 16th, 2012 7:30am
Hi Vadims,
You say I have to publish a root CA *certificate* in the resource forest. How can I do this task? Let's say my Enterprise Root CA name is "MyCA"; is it enough to run (on a server in the source domain):
certutil -ca.cert c:\root-ca-cert.cer
and then
certutil -dspublish c:\root-ca-cert.cer RootCA
?
July 16th, 2012 12:16pm
Yes, this is enough. Additionally you may have to publish the issuing CA certificate to the NTAuthCA container in the account forests. This is necessary if the CA will issue logon certificates to account forests.
July 16th, 2012 12:26pm
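The publish-and-verify step the replies above describe, as an added example that is not from the thread: export the CA certificate, publish it to the account forest's Certification Authorities container (the RootCA target), then read the Configuration partition of the account forest directly to confirm it landed and to review what sits in NTAuthCertificates. The CA config string, the account-forest DC name and the file path are placeholders.

```powershell
# Added example, not from the thread. Host names, CA name and paths are placeholders.
param(
    [string]$CaConfig    = 'ca01.a_dom.example\MyCA',   # <CA host>\<CA common name>
    [string]$AccountDc   = 'dc01.b_dom.example',        # a DC of the account forest
    [string]$RootCerPath = 'C:\temp\root-ca-cert.cer'
)
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# 1. Export the CA certificate (the thread's certutil -ca.cert, aimed at a specific CA).
certutil -config $CaConfig -ca.cert $RootCerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with $LASTEXITCODE" }
$root = New-Object $X509 $RootCerPath
"Exported $($root.Subject), thumbprint $($root.Thumbprint)"

# 2. Publish into the account forest's Certification Authorities container (RootCA).
#    NTAuthCA is reserved for the issuing CA that will sign logon certificates.
certutil -dc $AccountDc -f -dspublish $RootCerPath RootCA | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with $LASTEXITCODE" }

# 3. Verify against AD itself; the local enterprise store is only a Group Policy cache.
$configNc = ([ADSI]"LDAP://$AccountDc/RootDSE").configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

function Get-DsCertificates([string]$Dn) {
    # Decode every cACertificate value on the object into subject/thumbprint pairs.
    $obj = [ADSI]"LDAP://$AccountDc/$Dn"
    foreach ($raw in $obj.Properties['cACertificate']) {
        $c = New-Object $X509 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{ Object = $Dn.Split(',')[0]; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
    }
}

$caCn      = $CaConfig.Split('\')[-1]
$published = Get-DsCertificates "CN=$caCn,CN=Certification Authorities,$pks"
if ($published.Thumbprint -notcontains $root.Thumbprint) {
    throw 'Root CA certificate not found in the Certification Authorities container'
}

# Anything in NTAuthCertificates can issue certificates accepted for domain logon,
# so list it and confirm only the intended issuing CA is present.
Get-DsCertificates "CN=NTAuthCertificates,$pks" | Format-Table -AutoSize
```

Run it from a machine that can reach a DC of the account forest with rights to write to the Public Key Services container (Enterprise Admins of that forest by default).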
OK, I've done it.
Now on my RootCA I see a lot of errors like this:
Active Directory Certificate Services denied request 57 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for AccountDomain\DomainController03$.
Additional information: Denied by Policy Module
Is it normal? Do I have to correct something?
July 17th, 2012 4:07am
Did you grant appropriate permissions on the certificate templates?
July 17th, 2012 5:31am
No, because the documentation
http://technet.microsoft.com/en-us/library/ff955845(v=ws.10)
does not say anything about it. Do I have to grant permissions on the Domain Controller template and the Domain Controller Authentication template to the domain controllers group of the account forests?
July 17th, 2012 5:57am
Yes, you have to grant appropriate permissions on the templates for them to be enrolled by members of the account forest. Once you have granted permission on the template, run pkisync.ps1 to resync the templates in the account forest and then request the template.
July 17th, 2012 1:39pm