How to autoenroll certificates from a Certification Authority in a trusted domain

Tags: active-directory, ad-certificate-services, pki, windows-server-2008-r2

I have two Active Directory domains in two separate forests, all at Windows Server 2008 R2 functional levels. There is a two-way forest trust between the domains.

Domain A contains a Windows Server 2008 R2 Enterprise Root Certification Authority; its root certificate is trusted by all computers in the domain; there are autoenrollment policies to automatically issue a computer certificate to each computer in the domain (more than one to DCs, as usual).

Domain B contains no Certification Authority, but the root certificate of Domain A's CA is assigned as a trusted root certificate to all computers in the domain via Group Policy, so any certificate issued by that CA is treated as valid.

Can I configure autoenrollment policies in Domain B so that each computer in Domain B automatically requests and obtains a certificate from the Certification Authority in Domain A?

If yes, how?

Best Answer

Cross-forest enrollment can be accomplished by following the guide located at http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx. This copies the templates and security principals required to support AutoEnrollment.

Caveat: I have only used this to support Web Enrollment, so I have not personally verified that it can be pushed via group policy. That being said, if it can't, I know it can be done via a startup script that calls CertUtil.
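The startup-script fallback mentioned above, as an added PowerShell example (not code from the answer or from the guide): it checks the machine store for a usable certificate issued by the Domain A CA and, if none is present, triggers an autoenrollment pass with certutil and logs the outcome. The issuer DN and template name are placeholders to be replaced with Domain A's values.

```powershell
# Added example: computer startup script for Domain B members.
# Finds a usable machine certificate issued by the Domain A CA; if none exists,
# triggers autoenrollment with certutil and re-checks. Names are placeholders.
$IssuerDN     = 'CN=DomainA-Enterprise-CA, DC=domaina, DC=local'  # placeholder: Domain A CA subject
$TemplateName = 'DomainB-Computer'                                 # placeholder: template copied to Domain B
$LogFile      = Join-Path $env:ProgramData 'CrossForestAutoEnroll.log'

function Write-Log {
    param([string]$Message)
    ('{0} {1}' -f (Get-Date -Format 's'), $Message) | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Test-TemplateMatch {
    # V1 templates use the Certificate Template Name extension (1.3.6.1.4.1.311.20.2),
    # V2+ templates the Certificate Template Information extension (1.3.6.1.4.1.311.21.7);
    # both render the template name in their formatted text.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if (@('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -contains $ext.Oid.Value) {
            if ($ext.Format($false) -match [regex]::Escape($TemplateName)) { return $true }
        }
    }
    return $false
}

function Get-CrossForestCert {
    # Newest certificate from the Domain A CA that has a private key and more than 30 days left
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Issuer -eq $IssuerDN -and $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date).AddDays(30) -and (Test-TemplateMatch -Cert $_)
        } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

$cert = Get-CrossForestCert
if ($cert) { Write-Log "OK: $($cert.Thumbprint) valid until $($cert.NotAfter)"; exit 0 }

Write-Log "No usable certificate from $IssuerDN; triggering autoenrollment"
# 'certutil -pulse' starts the autoenrollment task now instead of waiting for its scheduled run.
$proc = Start-Process -FilePath 'certutil.exe' -ArgumentList '-pulse' -Wait -PassThru -NoNewWindow
Write-Log "certutil -pulse exit code $($proc.ExitCode)"
Start-Sleep -Seconds 60   # enrollment runs asynchronously; allow it to complete before re-checking

$cert = Get-CrossForestCert
if ($cert) { Write-Log "Enrolled: $($cert.Thumbprint) valid until $($cert.NotAfter)"; exit 0 }
Write-Log 'FAILED: no certificate issued; check template Enroll/Autoenroll permissions and the CA event log'
exit 1
```

The log file gives a per-machine record that a cross-forest certificate was actually issued, which is the check that the GPO-only approach does not give you directly.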