Cert enrollment problem

I've been going round in circles on this one for a while now, but still haven't resolved the problem. To summarize, we have a dedicated forest root with multiple child domains. One of the child domains is separated from the root by a firewall, and the DCs in this child domain replicate over IPsec. The clients in this domain DO NOT have RPC connectivity to the root. All DCs in the forest are 2008 R2 Enterprise.

In the root domain, we have our root CA, along with a subordinate CA. Clients in the 'other' domain (not firewalled) can check out certs no problem, either using the MMC or via the web GUI. Clients in the firewalled domain cannot check out certs using the MMC (RPC error), but can via a web enrollment proxy running on one of the DCs (but WEP cannot issue computer certs, just user certs), and auto-enrollment doesn't work.

So, I read up on the Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service. It seemed to imply this could provide a solution to our problem by allowing a special enrollment policy that doesn't require the clients to have RPC connectivity to the root CAs. I installed this on a DC in the firewalled domain, exactly following an MS guide. All the install went OK, and if I check out a computer cert from the MMC snap-in on the DC itself (using the new policy), this works fine. If I try it from a client though, it can see the new enrollment policy, but when I try to request the cert I get the error:

Enrollment Error

The specified domain either does not exist or could not be contacted

So, it appears even with this config, the client seems to need RPC connectivity to the root CA. I've checked everything I can think of, and it SHOULD work, but it just isn't.

So, this is my last resort. If someone can help, or needs more information, just let me know. The other alternative I'm considering is actually installing another full subordinate CA on a DC in the firewalled domain. As the DC still has full access to the root, this might be my only remaining option.
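The point of the CEP/CES web services described above is that the client talks HTTPS to the policy and enrollment endpoints instead of RPC/DCOM to the CA. The script below is an added, client-side check (not from the original post or any Microsoft guide) that separates "can the client reach the web services at all" from "is the enrollment request itself failing". It assumes the default virtual-directory names the CEP/CES role services create for Kerberos authentication, a placeholder server and CA name, and a client with the PowerShell PKI module (Windows 8 / Server 2012 or later; the post does not say which client OS is in use).

```powershell
# Added example, not part of the original post. Placeholders below must be replaced
# with the real DC hosting CEP/CES and the sanitized CA name used in the CES URL.
$cepServer = 'cep-dc01.child.example.local'   # placeholder: DC hosting CEP/CES
$caName    = 'Corp-Sub-CA'                     # placeholder: CA name as it appears in the CES path

# Default endpoint paths created by the role services when Kerberos auth is selected
$cepUrl = "https://$cepServer/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"
$cesUrl = "https://$cepServer/${caName}_CES_Kerberos/service.svc/CES"

# 1. Plain TCP reachability of the HTTPS listener. This is the only port the firewall
#    needs to pass for web-service enrollment; RPC endpoint mapper (135) and the
#    dynamic RPC range are not involved.
Test-NetConnection -ComputerName $cepServer -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 2. TLS handshake plus Kerberos authentication against each endpoint.
#    A successful HTTP status means the channel and auth work and the failure is
#    further along (policy content or the request itself). A name-resolution, TLS
#    trust, or "could not be contacted" error here means the client never reached
#    the web service, which would explain falling back to RPC-style failures.
foreach ($url in @($cepUrl, $cesUrl)) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        '{0} -> HTTP {1}' -f $url, $resp.StatusCode
    } catch {
        '{0} -> {1}' -f $url, $_.Exception.Message
    }
}

# 3. Confirm the machine context actually has the new policy server registered
#    (Group Policy or manual registration), rather than only the default
#    LDAP/RPC policy. Machine certs use the Machine context; user certs use User.
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List
```

Run it in an elevated PowerShell session on one of the affected clients in the firewalled domain. If step 1 or step 2 fails, the problem is connectivity or TLS trust to the web service, not the CA; if both succeed but step 3 shows only the default Active Directory policy, the client is still enrolling through the RPC path regardless of what the MMC displays.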
