I already knew clients need to be able to contact a root domain DC/GC to get a certificate, but I did not know there would be a certificate enrollment problem with child domain Infrastructure Master (IM) FSMO role holder DCs that are not GCs.
The CAs and DCs are all Windows Server 2008 R2 Enterprise. For the problem DCs only, not only is autoenrollment broken, but we also cannot manually request a new certificate using the Certificates (Local Computer) console. Neither CAs nor certificate templates are available through the wizard. All other DCs in these child domains get their certificates through autoenrollment without any problems, and they do show the correct CAs and certificate templates via the certificate request wizard.
The problem DCs are not GCs, and although they are in the child domains, they are all in sites that have root domain DCs that are also GCs. As soon as we moved the Infrastructure Master (IM) FSMO role off of the problem DCs, to other DCs that already have their certificates, and then added the GC role to the former IMs, they got a certificate. What's going on here? Any help would be appreciated.
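A quick way to check whether a forest has the configuration described above (a child-domain Infrastructure Master that is not a Global Catalog) and whether the local DC can see any enrollment CAs, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and certutil.exe are available on the machine where it runs; the function name is made up for this example.

```powershell
# Added example, not from the original post. Lists the Infrastructure Master of
# every domain in the forest and whether that DC is also a Global Catalog.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-InfrastructureMasterGcStatus {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # InfrastructureMaster is the FQDN of the role holder; query it in its own domain
        $im = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        [pscustomobject]@{
            Domain               = $domainName
            IsChildDomain        = ($null -ne $domain.ParentDomain)
            InfrastructureMaster = $im.HostName
            IsGlobalCatalog      = $im.IsGlobalCatalog
            Site                 = $im.Site
        }
    }
}

# Rows with IsChildDomain = True and IsGlobalCatalog = False match the
# condition in the post (child-domain IM that is not a GC).
Get-InfrastructureMasterGcStatus | Format-Table -AutoSize

# On the DC that fails to enroll, compare what it can actually see:
# -ADCA lists the CAs published in AD's Enrollment Services container (empty = none found),
# -pulse triggers an autoenrollment pass so the result shows up in the CertificateServicesClient event log.
certutil -ADCA
certutil -pulse
```

Run it once from a healthy DC and once from a failing DC; a difference in the certutil -ADCA output between the two is the symptom to chase.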