Hello,
I'm having trouble enrolling workstation certificates from a CA in a trusted forest. My CA is in a child domain of a root, which has a transitive trust to my forest. I've followed all of the steps found here http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx to the best of my knowledge; the steps included:
- Added my CA to the Cert Publishers group of the trusted forest. Gave the CA the ability to authenticate to my trusted forest's DCs.
- Gave DCs in my trusted forest the ability to authenticate to all DCs in the source forest.
- Ran PKISync.ps1 to copy all items from the source forest.
When I use the certificates snap-in to request a new certificate, I see the proper available certificate templates. When I try to enroll one, the enrollment wizard fails with "Specified domain either does not exist or could not be contacted." To me this sounds like a DNS issue, but I'm not sure where to begin troubleshooting. I'm fairly certain that this is not a network firewall issue, as I have other clients in the same subnet as the account forest DCs that are able to obtain certificates properly.
Any help would be greatly appreciated. Thanks.
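The post lists the setup steps but not how to verify each one from the failing client, so here is an added diagnostic script (not from the original post, the TechNet article, or Microsoft's PKISync.ps1) that checks, from a workstation in the account forest, the prerequisites that commonly produce "Specified domain either does not exist or could not be contacted": DNS for both the resource forest root and the CA's child domain, the forest trust, DC location, RPC reachability of the CA, the synced pKIEnrollmentService object, and Cert Publishers membership. The forest, domain, host and CA names are placeholders to replace with your own.

```powershell
# Added diagnostic, not from the original post. All names below are placeholders.
$ResourceForestRoot = 'resource.example'               # forest root that holds the CA
$CaDomain           = 'child.resource.example'         # child domain the CA lives in
$CaHost             = 'ca01.child.resource.example'    # CA's DNS host name
$CaConfig           = "$CaHost\Child-Issuing-CA"       # host\CA-name ("certutil -config - -ping" shows it)

Import-Module ActiveDirectory

# Runs one check, prints OK/FAIL and the error text if the check threw
function Test-Step([string]$Name, [scriptblock]$Check) {
    $err = ''
    try   { $ok = [bool](& $Check) }
    catch { $ok = $false; $err = $_.Exception.Message }
    '{0,-60} {1} {2}' -f $Name, $(if ($ok) { 'OK' } else { 'FAIL' }), $err
}

# 1. DNS: the account forest must resolve the CA host AND the DC-locator records of both the
#    resource forest root and the child domain. A conditional forwarder that only covers the
#    forest root (not the child domain) is a frequent cause of the "domain does not exist" error.
Test-Step "A record for $CaHost" { Resolve-DnsName $CaHost -Type A -ErrorAction Stop }
Test-Step "SRV _ldap._tcp.dc._msdcs.$ResourceForestRoot" {
    Resolve-DnsName "_ldap._tcp.dc._msdcs.$ResourceForestRoot" -Type SRV -ErrorAction Stop }
Test-Step "SRV _ldap._tcp.dc._msdcs.$CaDomain" {
    Resolve-DnsName "_ldap._tcp.dc._msdcs.$CaDomain" -Type SRV -ErrorAction Stop }

# 2. Trust: the account forest must hold a trust object for the resource forest root
Test-Step "Trust to $ResourceForestRoot" {
    Get-ADTrust -Filter "Name -eq '$ResourceForestRoot'" -ErrorAction Stop }

# 3. DC locator: can this workstation find a DC for the CA's domain through the trust?
Test-Step "nltest /dsgetdc:$CaDomain" { $null = nltest "/dsgetdc:$CaDomain" 2>&1; $LASTEXITCODE -eq 0 }

# 4. RPC/DCOM: certutil -ping contacts the CA's request interface, the same path enrollment uses
Test-Step "certutil -config $CaConfig -ping" { $null = certutil -config $CaConfig -ping 2>&1; $LASTEXITCODE -eq 0 }

# 5. Objects PKISync.ps1 should have copied: the CA's pKIEnrollmentService entry in THIS forest's
#    configuration partition must exist and carry the CA's real DNS host name
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Test-Step "pKIEnrollmentService for $CaHost in account forest" {
    Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC" `
                 -LDAPFilter "(&(objectClass=pKIEnrollmentService)(dNSHostName=$CaHost))" -ErrorAction Stop }

# 6. Cert Publishers (domain-local, so check it in the client's own domain) should contain the
#    CA's computer account from the other forest, which shows up as a foreign security principal
$members = (Get-ADGroup 'Cert Publishers' -Properties member).member
Test-Step 'Cert Publishers has a cross-forest (FSP) member' { $members -match 'CN=ForeignSecurityPrincipals' }
```

Run it on the failing workstation as a user who can read AD; a FAIL on the child-domain SRV record or on nltest points at DNS or trust resolution, while a FAIL only on certutil -ping points at RPC reachability of the CA itself.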