学步园

5、复制”用户“证书模板为”跨森林用户证书“，相关设设置如下图
打开证书颁发机构，右击”证书模板“选择”管理“

右击”用户“证书，选择”复制“

在”安全“选项卡中添加森Hbyc.net中的Domain Users有如下图权限。

分布复制的证书。

6、设置CA的扩展属性如下图：

7、在DCSRVB上，将计算机DCSRV加入到组Cert Publishers.
8、在DCSRV上运行
certutil –config dcsrvhbsycsrsj-dcsvr-ca –ca.cert c:ca.cer
其中hbsycsrsj-dcsvr-ca为证书颁发机构的名称，ca.cer为导出的根CA证书。
将CA.CER复制到DCSRVB上。
9、在DCSRVB运行如下命令
certutil –dspublish –f c:ca.cer rootca
certutil –dspublish –f c:ca.cer ntauthca
10、复制以下脚本为Pkisync.ps1脚本文件
#
# This script allows updating PKI objects in Active Directory for the
# cross-forest certificate enrollment
#
#This sample script is not supported under any Microsoft standard support
#program or service. This sample script is provided AS IS without warranty of
#any kind. Microsoft further disclaims all implied warranties including,
#without limitation, any implied warranties of merchantability or of fitness
#for a particular purpose. The entire risk arising out of the use or
#performance of the sample scripts and documentation remains with you. In no
#event shall Microsoft, its authors, or anyone else involved in the creation,
#production, or delivery of the scripts be liable for any damages whatsoever
# (including, without limitation, damages for loss of business profits, business
#interruption, loss of business information, or other pecuniary loss) arising
#out of the use of or inability to use this sample script or documentation,
#even if Microsoft has been advised of the possibility of such damages.
#
# Command line variables
#
$SourceForestName = ""
$TargetForestName = ""
$SourceDC = ""
$TargetDC = ""
$ObjectType = "all"
$ObjectCN = $null
$DryRun = $FALSE
$DeleteOnly = $FALSE
$OverWrite = $FALSE
function ParseCommandLine()
{
   if (2 -gt $Script:args.Count)
   {
       write-warning "Not enough arguments"
       Usage
       exit 87
   }
   
   for($i = 0; $i -lt $Script:args.Count; $i++)
   {
       switch($Script:args[$i].ToLower())
       {
           -sourceforest
           {
               $i++
               $Script:SourceForestName = $Script:args[$i]
           }
           -targetforest
           {
               $i++
               $Script:TargetForestName = $Script:args[$i]
           }                
           -cn
           {
               $i++
               $Script:ObjectCN = $Script:args[$i]
           }
           -type
           {
               $i++
               $Script:ObjectType = $Script:args[$i].ToLower()
           }
           -f
           {
               $Script:OverWrite = $TRUE
           }
           -whatif
           {
               $Script:DryRun = $TRUE
           }
           -deleteOnly
           {
               $Script:DeleteOnly = $TRUE
           }
           -targetdc
           {
               $i++
               $Script:TargetDC = $Script:args[$i]
           }
           -sourcedc
           {
               $i++
               $Script:SourceDC = $Script:args[$i]
           }
           default
           {
               write-warning ("Unknown parameter: " + $Script:args[$i])
               Usage
               exit 87
           }
       }
   }
}