Hello everyone. I could really use some assistance with getting autoenrollment working in my environment. I feel like I've tried so many things and read every article I could find on the topic. Here is my issue:
Environment: Most servers are 2008 R2 Enterprise (including all DCs). 2008 R2 functional level. CA is running on a DC with Global Catalog. Workstations are mostly Win7. DNS is managed by Unix servers.
Problem: We are trying to auto-enroll a workstation certificate that has been created for SCCM 2012. The procedure outlined in the SCCM 2012 PKI document has been followed completely. The certificate will enroll manually on any computer/server but only auto-enrolls on my servers and XP workstations. On Win7, the SystemTask under CertificateServicesClient is enabled and does run. Occasionally, the task stays in the running status and must be ended manually. The application log shows only Events 64 and 65. This problem is replicated when creating a new "test" template on the CA with the same permissions.
Things I've tried: Enabling the registry key to troubleshoot does not give any more information in the application log. The same group policy has been applied to both OUs. Permissions for DCOM appear correct for workstation and server. The "Certificate Service DCOM Access" group contains Domain Computers. Checked local and network firewall logs for any denies, but none were being logged.
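The following PowerShell script is an added diagnostic helper, not part of the original post and not something the poster ran. It collects, in one pass on an affected Win7 workstation, the pieces of evidence the post touches on: the state of the CertificateServicesClient SystemTask, whether the verbose autoenrollment logging value is set, an on-demand autoenrollment pulse, the autoenrollment events that follow, and the machine certificate store afterwards. The task path, event provider name and the `AEEventLogLevel` registry value are the documented names for this component; the one-hour event window and the 30-second wait are assumptions chosen for this example.

```powershell
# Added diagnostic helper (not from the original post). Run in an elevated
# PowerShell session on the Win7 workstation that is failing to auto-enroll.
# Assumptions: a one-hour event window and a 30-second wait after the pulse.

$taskName = '\Microsoft\Windows\CertificateServicesClient\SystemTask'
$aeKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment'

# 1. Scheduled task state. Win7 has no Get-ScheduledTask cmdlet, so use schtasks.exe.
#    A task stuck in "Running" shows up here with its last run time and result code.
Write-Host "== Autoenrollment scheduled task =="
schtasks.exe /Query /TN $taskName /FO LIST /V

# 2. Verbose logging switch. AEEventLogLevel = 0 (REG_DWORD) makes the autoenrollment
#    client log detailed events; when the value is absent, only the default events appear.
Write-Host "`n== AEEventLogLevel =="
$level = (Get-ItemProperty -Path $aeKey -Name AEEventLogLevel -ErrorAction SilentlyContinue).AEEventLogLevel
if ($null -eq $level) {
    Write-Host "AEEventLogLevel is not set (default logging level)"
} else {
    Write-Host "AEEventLogLevel = $level"
}

# 3. Trigger a machine autoenrollment pass now rather than waiting for the task.
Write-Host "`n== Triggering autoenrollment (certutil -pulse) =="
certutil.exe -pulse

# 4. Give the autoenrollment client time to run, then read every event it logged,
#    not only 64/65. Any 1x/2x-series error events point at the failing step.
Start-Sleep -Seconds 30
Write-Host "`n== Autoenrollment events (last hour) =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 5. Show what is actually in the machine personal store, so a successful enrollment
#    (or its absence) can be confirmed independently of the event log.
Write-Host "`n== Machine personal certificate store =="
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, Thumbprint, @{
        Name       = 'Template'
        Expression = {
            ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }).Format($false)
        }
    } | Format-Table -AutoSize
```

Run it once before and once after any change to the template or policy, and compare the event list: the difference between a run that logs only 64/65 and one that logs an error event is usually the fastest way to tell a policy-retrieval problem from a CA-side denial.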