Guide available for download from Microsoft

Jan 16, 2009 10:05 GMT

With Windows 7 Server, Microsoft is removing the limit that restricted an enterprise Certification Authority to issuing certificates only within its own Active Directory forest. Windows Server 2008 R2 (Windows 7 Server) Beta takes digital certificates one step forward by allowing an enterprise CA to issue certificates to clients that belong to different AD forests. According to the software giant, cross-forest certificate enrollment was not available in previous releases of Windows Server. That restriction no longer applies to Windows 7 Server, which has been available as a public download since January 9, 2009.

“Prior to Windows Server 2008 R2, an enterprise Certification Authority (CA) was limited in issuing certificates only to the clients that belong to the same Active Directory (AD) forest. Therefore, user and client computers would only attempt to enroll certificates from a CA in their local forest, especially in autoenrollment scenarios. This functional boundary forced PKI administrators to install at least one CA per forest. Thus, organizations with multi-forest AD environments had to operate multiple CAs, which in turn increased operation costs for those organizations,” Microsoft revealed.

The Redmond company indicated that a resource forest must contain at least one Windows Server 2008 R2 Beta CA for cross-forest certificate enrollment to be possible. To that end, customers will have to deploy either the Enterprise or the Datacenter edition of Windows Server with the CA role installed on it. Only in this manner will clients from different Active Directory forests be supported.

“The cross-forest certificate enrollment functionality supported by the Windows Server 2008 R2 Beta CA allows clients to enroll for a certificate from a CA that is part of a different AD forest. It can help reduce the number of CAs in a multi-forest environment. Also, it enables environments with multiple AD forests to deploy a central certification authority with low total cost of ownership. Finally, cross-forest certificate enrollment is implemented in a way that doesn’t require any upgrade to the clients’ operating systems to enable cross-forest certificate enrollment,” Microsoft added.

To explain how cross-forest certificate enrollment works, Microsoft has published a whitepaper titled Cross-forest Certificate Enrollment with Windows Server 2008 R2 Beta, which is available for download via this link at no cost.