Continuing from my previous post, we now deploy the Enterprise Subordinate Issuing CA in the second forest, using the same offline Root CA from the first forest.

Forest B:

Create a folder "CertEnroll" on the web server and grant "Cert Publishers" Change permission on the share and Modify on the NTFS security permissions. The CA computer account is a member of this group, so this is what lets the CA publish its certificate and CRLs into the folder.

Open IIS Manager and create a new virtual directory named CertEnroll that points to the folder created above.

Enable directory browsing on the virtual directory.

Enable double escaping (Request Filtering, "Allow double escaping"). Delta CRL file names contain a "+" character, which IIS request filtering rejects by default, so without this setting the web server cannot serve delta CRLs.

Create the DNS record for the host name that will be used in the HTTP CDP and AIA URLs.
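The web-server preparation above, carried out from PowerShell as an added example that is not part of the original post. The host name pki.forestb.local, the zone forestb.local, the IP address, the NetBIOS domain name FORESTB and the folder path are assumptions; replace them with your own values. The DNS cmdlet must run on (or target) a Forest B DNS server.

```powershell
# Added example (not from the original post). Prepares the CertEnroll share, the IIS
# virtual directory and the DNS record for the CDP/AIA host in Forest B.
# Assumed values: FORESTB (NetBIOS domain), forestb.local (DNS zone), pki (host), 10.20.0.10 (IP).
Import-Module WebAdministration

$Path  = 'C:\CertEnroll'
$Group = 'FORESTB\Cert Publishers'   # the CA computer account belongs to this group

# 1. Folder, share with Change for Cert Publishers (Read for everyone else) and NTFS Modify
New-Item -Path $Path -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'CertEnroll' -Path $Path -ChangeAccess $Group -ReadAccess 'Everyone' | Out-Null
icacls $Path /grant "$($Group):(OI)(CI)M" | Out-Null

# 2. Virtual directory under the Default Web Site pointing at the folder
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll' -PhysicalPath $Path | Out-Null
$vdir = 'IIS:\Sites\Default Web Site\CertEnroll'

# 3. Directory browsing so the published files can be listed
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# 4. Allow double escaping: delta CRL names contain '+', which request filtering
#    otherwise rejects, so delta CRLs would return 404
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 5. Host record for the name used in the HTTP CDP/AIA URLs (run on a Forest B DNS server)
Add-DnsServerResourceRecordA -ZoneName 'forestb.local' -Name 'pki' -IPv4Address '10.20.0.10'

# Checks: the three settings that most often break CRL download later
Get-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
Get-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping'
Resolve-DnsName 'pki.forestb.local'
```

Setting allowDoubleEscaping at the virtual-directory level writes a web.config into the CertEnroll folder, which keeps the relaxed filtering scoped to the PKI content rather than the whole site.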

Enterprise Subordinate Issuing CA

Copy the request file generated by the Issuing CA setup to the Root CA, submit and issue it there, and retrieve the certificate for the Cloud Exchangers CA.

Before installing the certificate, publish the Root CA certificate in Active Directory so that the Issuing CA (and every domain member in Forest B) trusts the Root CA. This is one of the most important steps, and it avoids chain-building errors when the Enterprise Issuing CA service is started.

Copy the Root CA certificate and CRL to the Enterprise CA and publish them to Active Directory with certutil -dspublish.

Once they are published in Active Directory, add the Root CA certificate and CRL to the local machine store of the Enterprise CA as well, so the CA does not have to wait for a Group Policy refresh to build its chain.

Install the issued certificate and start the service; it should start without any errors.
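The request, publication and install steps above as an added PowerShell example; this is not code from the original post. Part 1 runs on the offline Root CA in the first forest, part 2 on the Enterprise Issuing CA in Forest B as an Enterprise Admin. The CA names (ROOTCA01\Cloud Exchangers Root CA, ISSCA01), the transfer folder, the file names and the request ID 2 are assumptions.

```powershell
# Added example (not from the original post). CA names, paths and RequestId are assumptions.

# ---- Part 1: on the standalone, offline Root CA -------------------------------------
# The .req file created by the Issuing CA setup was carried here (e.g. on removable media).
certreq -submit -config 'ROOTCA01\Cloud Exchangers Root CA' 'C:\Transfer\ISSCA01.req' 'C:\Transfer\ISSCA01.cer'
# A standalone root normally leaves the request pending. Note the RequestId it prints,
# then issue the request and retrieve the certificate (RequestId 2 is an assumption):
certutil -resubmit 2
certreq -retrieve -config 'ROOTCA01\Cloud Exchangers Root CA' 2 'C:\Transfer\ISSCA01.cer'
# Take the Root CA's own certificate and CRL along with the issued certificate.
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crt' 'C:\Transfer\'
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' 'C:\Transfer\'

# ---- Part 2: on the Enterprise Issuing CA in Forest B (Enterprise Admin) -------------
$RootCert = 'C:\Transfer\ROOTCA01_Cloud Exchangers Root CA.crt'   # default name: <host>_<CA name>.crt
$RootCrl  = 'C:\Transfer\Cloud Exchangers Root CA.crl'

# Publish into Forest B's AD: the certificate into the Certification Authorities container
# (the RootCA keyword) and the CRL into the CDP container. -f creates the objects if missing.
certutil -dspublish -f $RootCert RootCA
certutil -dspublish -f $RootCrl

# Load them into the local machine Root store too, so the CA service can chain immediately.
certutil -addstore -f Root $RootCert
certutil -addstore -f Root $RootCrl

# Install the certificate issued by the Root CA and start the service.
certutil -installcert 'C:\Transfer\ISSCA01.cer'
Start-Service CertSvc

# Verify: the root is in the forest's Certification Authorities container and the service runs.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfgNC" `
    -Filter * | Select-Object Name
certutil -store Root 'Cloud Exchangers Root CA'
Get-Service CertSvc | Select-Object Name, Status
```

If certutil -installcert reports that it cannot verify the chain, the dspublish/addstore steps have not taken effect yet; fix that before touching the service, rather than starting it and chasing CertSvc event log errors afterwards.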

That's awesome! We have successfully deployed the Enterprise Subordinate CA in Forest B using the same Root CA.

Next comes the post-installation configuration of the CDP and AIA extensions, which must reference the Forest B HTTP location and the Forest B LDAP containers.

Then publish the CRL.

Verify the DSConfigDN value; it is substituted into the LDAP CDP and AIA paths and must be the configuration naming context of Forest B.

Open pkiview.msc to check the health of the PKI. The Root CA's CRL will not be accessible and will show as "Unable to Download"; this is expected, because the Issuing CA in Forest B is checking an HTTP location in the first forest. If the two forests have network connectivity, it can be rectified with the required routing and firewall rules from the Enterprise Issuing CA to the HTTP location in the first forest.
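The post-configuration, CRL publication, DSConfigDN check and the cross-forest reachability test, as an added PowerShell example that is not code from the original post. The host names pki.forestb.local and pki.foresta.local, the certificate path and the flag values' layout follow the standard certutil -setreg conventions; the host names and paths are assumptions.

```powershell
# Added example (not from the original post). Run on the Issuing CA in Forest B.
# Assumed host names: pki.forestb.local (this forest's CDP/AIA) and pki.foresta.local (Root CA's).
$HttpBase = 'http://pki.forestb.local/CertEnroll'

# CRL distribution points. Flags are decimal and additive:
#   1 = publish CRLs to this location        2 = include in the CDP extension of issued certs
#   4 = include in CRLs (delta CRL pointer)  8 = include in all CRLs (IDP)
#  64 = publish delta CRLs to this location
# 65 = 1+64 (file: publish base and delta), 6 = 2+4 (HTTP: in certs and in CRLs), 79 = all of them (LDAP).
certutil -setreg CA\CRLPublicationURLs "65:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:$HttpBase/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# Authority Information Access. 1 = publish the CA cert here, 2 = include in the AIA extension.
certutil -setreg CA\CACertPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

# The CA reads these values at start-up, then publish a fresh CRL to all configured locations.
Restart-Service CertSvc
certutil -crl

# DSConfigDN is the %6 token in the LDAP URLs above; it must equal this forest's configuration NC.
$cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey = Join-Path $cfg (Get-ItemProperty $cfg).Active          # 'Active' holds the CA name
$dsConfigDn = (Get-ItemProperty $caKey).DSConfigDN
$expected   = (Get-ADRootDSE).configurationNamingContext
if ($dsConfigDn -ne $expected) {
    Write-Warning "DSConfigDN '$dsConfigDn' does not match this forest's '$expected'"
} else {
    "DSConfigDN OK: $dsConfigDn"
}

# Reproduce what pkiview.msc checks: fetch every CDP/AIA URL in the issued CA certificate's chain.
# With no route to the first forest the Root CA's HTTP CRL shows as failed here, as expected.
certutil -verify -urlfetch 'C:\Transfer\ISSCA01.cer'

# Is the Root CA's HTTP CDP even reachable from this forest? (TCP 80 test; assumed host name)
Test-NetConnection -ComputerName 'pki.foresta.local' -Port 80

# And finally the GUI view the post refers to
pkiview.msc
```

The literal `\n` inside the double-quoted strings is intentional: certutil -setreg uses it as the separator between the REG_MULTI_SZ entries, and PowerShell leaves backslashes untouched in double-quoted strings.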

Finally, with this we have successfully deployed multi-forest Active Directory Certificate Services. I hope this article has been useful.

Happy learning!! 🙂


By Ashok M

Microsoft Certified Professional, Blogger, Author at, Real world technical contribution via Microsoft Communities (Social Technet/QnA). Extensive knowledge and experience in Messaging (Microsoft Exchange 2003 - 2019) and services including Infrastructure (Windows Server, Active Directory, ADFS, ADCS, File Servers, SCCM), Cloud (Microsoft Azure, Microsoft 365, EMS), Unified Communication (Skype for Business, Video conferencing room systems, Surface Hub), Virtualization (Hyper V), Database (SQL). Have experience in design, implementation, migration & support for various Microsoft infrastructure products across various industry verticals. Currently working as "Implementation Engineer" with the UAE's first tier IV Data Center design certification in the region.
