5. Duplicate the "User" certificate template as "Cross-Forest User Certificate"; the relevant settings are shown in the figure below.
Open the Certification Authority console, right-click "Certificate Templates" and choose "Manage".
Right-click the "User" template and choose "Duplicate".
On the "Security" tab, add the Domain Users group of the forest Hbyc.net with the permissions shown in the figure below.
Publish the duplicated certificate template.
6. Set the CA's extension properties as shown in the figure below:
7. On DCSRVB, add the computer DCSRV to the Cert Publishers group.
8. On DCSRV, run
certutil -config "dcsrv\hbsycsrsj-dcsvr-ca" -ca.cert c:\ca.cer
where hbsycsrsj-dcsvr-ca is the name of the certification authority (dcsrv is the CA host) and ca.cer is the exported root CA certificate.
Copy ca.cer to DCSRVB.
9. On DCSRVB, run the following commands (the first publishes the root into the Certification Authorities container, the second into NTAuthCertificates, which controls which CAs may issue certificates trusted for domain logon)
certutil -dspublish -f c:\ca.cer RootCA
certutil -dspublish -f c:\ca.cer NTAuthCA
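After steps 7 to 9 it is worth verifying from DCSRVB that the root CA really landed in the target forest's NTAuthCertificates and Certification Authorities containers, and that DCSRV is a member of Cert Publishers, since NTAuth membership is what lets a CA issue logon-capable certificates for the whole forest. The following PowerShell is an added example, not part of this page or of PKISync.ps1; it assumes a domain-joined Windows host in DCSRVB's forest with PowerShell 3 or later, and takes only c:\ca.cer and DCSRV from the page.

```powershell
# Added verification example (not the page's or Microsoft's code). Assumes a domain-joined Windows
# host in DCSRVB's forest with PowerShell 3+; C:\ca.cer and DCSRV are taken from the page.
$CaCerPath  = 'C:\ca.cer'
$CaHostName = 'DCSRV'    # CA computer added to Cert Publishers in step 7

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCerPath
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedThumbprints([string]$ldapPath) {
    # cACertificate is a multi-valued DER attribute; decode each value to compare thumbprints
    $obj = [ADSI]$ldapPath
    foreach ($raw in $obj.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        $cert.Thumbprint
    }
}

# NTAuthCertificates decides which CAs may issue certificates usable for domain logon, so confirm
# it holds the expected root and nothing unexpected (this is what step 9's NTAuthCA publishes to)
$ntAuth = @(Get-PublishedThumbprints "LDAP://CN=NTAuthCertificates,$pkiBase")
"NTAuth entries        : " + ($ntAuth -join ', ')
"NTAuth has root CA    : " + ($ntAuth -contains $expected.Thumbprint)

# Certification Authorities container (step 9's RootCA): one child object per published root
$caContainer = [ADSI]"LDAP://CN=Certification Authorities,$pkiBase"
$roots = @(foreach ($child in $caContainer.Children) { Get-PublishedThumbprints $child.Path })
"Root store has root CA: " + ($roots -contains $expected.Thumbprint)

# Cert Publishers (step 7): members can write userCertificate on accounts in this domain. A member
# from the other forest shows up as a foreign security principal, so translate its SID over the trust.
$searcher = New-Object System.DirectoryServices.DirectorySearcher '(&(objectClass=group)(cn=Cert Publishers))'
$members  = @($searcher.FindOne().Properties['member'])
$resolved = foreach ($dn in $members) {
    if ($dn -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') {
        try { (New-Object System.Security.Principal.SecurityIdentifier $Matches[1]).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $dn }
    } else { $dn }
}
"Cert Publishers members: " + ($resolved -join '; ')
"Cert Publishers has $CaHostName`$: " + (($resolved | Where-Object { $_ -like "*\$CaHostName`$" }).Count -gt 0)
```

Any thumbprint listed under NTAuth that you did not publish yourself deserves investigation, because that CA can mint certificates accepted for logon in this forest.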
10. Copy the following script into a file named PKISync.ps1 (only the beginning of the script, up to the end of the command-line parsing function, is reproduced here)
#
# This script allows updating PKI objects in Active Directory for the
# cross-forest certificate enrollment
#
# This sample script is not supported under any Microsoft standard support
# program or service. This sample script is provided AS IS without warranty of
# any kind. Microsoft further disclaims all implied warranties including,
# without limitation, any implied warranties of merchantability or of fitness
# for a particular purpose. The entire risk arising out of the use or
# performance of the sample scripts and documentation remains with you. In no
# event shall Microsoft, its authors, or anyone else involved in the creation,
# production, or delivery of the scripts be liable for any damages whatsoever
# (including, without limitation, damages for loss of business profits, business
# interruption, loss of business information, or other pecuniary loss) arising
# out of the use of or inability to use this sample script or documentation,
# even if Microsoft has been advised of the possibility of such damages.
#
# Command line variables
#
$SourceForestName = ""      # -sourceforest: forest to read PKI objects from
$TargetForestName = ""      # -targetforest: forest to write PKI objects to
$SourceDC = ""              # -sourcedc: optional DC to use in the source forest
$TargetDC = ""              # -targetdc: optional DC to use in the target forest
$ObjectType = "all"         # -type: which PKI object types to sync (default: all)
$ObjectCN = $null           # -cn: restrict the operation to a single object by CN
$DryRun = $FALSE            # -whatif: report what would change without changing anything
$DeleteOnly = $FALSE        # -deleteOnly: only delete objects from the target forest
$OverWrite = $FALSE         # -f: overwrite objects that already exist in the target forest

function ParseCommandLine()
{
    if (2 -gt $Script:args.Count)
    {
        write-warning "Not enough arguments"
        Usage    # prints the usage text and is defined later in the full script (not shown here)
        exit 87
    }
    for($i = 0; $i -lt $Script:args.Count; $i++)
    {
        # switch compares case-insensitively, so the labels are written in lower case
        switch($Script:args[$i].ToLower())
        {
            "-sourceforest"
            {
                $i++
                $Script:SourceForestName = $Script:args[$i]
            }
            "-targetforest"
            {
                $i++
                $Script:TargetForestName = $Script:args[$i]
            }
            "-cn"
            {
                $i++
                $Script:ObjectCN = $Script:args[$i]
            }
            "-type"
            {
                $i++
                $Script:ObjectType = $Script:args[$i].ToLower()
            }
            "-f"
            {
                $Script:OverWrite = $TRUE
            }
            "-whatif"
            {
                $Script:DryRun = $TRUE
            }
            "-deleteonly"
            {
                $Script:DeleteOnly = $TRUE
            }
            "-targetdc"
            {
                $i++
                $Script:TargetDC = $Script:args[$i]
            }
            "-sourcedc"
            {
                $i++
                $Script:SourceDC = $Script:args[$i]
            }
            default
            {
                write-warning ("Unknown parameter: " + $Script:args[$i])
                Usage
                exit 87
            }
        }
    }
}