Certs and Central Forest model

  • Question

  • Does anyone have any thoughts / comments on deploying OCS in a Central Forest model, when the central forest only exists to contain the OCS servers? IIFP will be used to import user details as contacts from a multi-domain tree in the user forest.

    My main queries are around the PKI and certificates involved in this solution. As far as I can tell from the documentation, no federated trusts need to be configured, as all identity / access is handled by the IIFP/MIIS imports. However, in a standard deployment there is a requirement for an existing PKI structure to certify the various components.

    Would we just need to request certs for the central forest OCS servers from our existing CAs in the user forest?

    Hope that makes sense.



    Tuesday, January 13, 2009 4:43 PM

All replies

  • It depends on your configuration of the user forest. Is there a separate PKI, or do you use the PKI from the central forest?
    Tuesday, January 13, 2009 9:05 PM
  • The model has been proposed by a service organisation who will be supporting and supplying OCS. The central forest will only exist to hold OCS servers and supporting infrastructure. This is (according to them) to provide clear demarcation between our infrastructure and theirs for support delineation.

    There will only be a PKI in the User forest and there will be no trusts set up etc.
    Wednesday, January 14, 2009 8:45 AM
  • You should have the root CA cert on the OCS servers and the user's machine.
    There is no special certificate consideration in the case of a central forest topology.

    R. Kinker
    MCSE 2003 (Messaging), MCTS - LCS 2005, MCTS - OCS 2007

    Ram Ojha
    Saturday, January 17, 2009 6:45 PM