Issue client certificates to another domain
We added a trusted domain and I want to deploy the existing client certificates (used for SCCM native mode) to those clients. I modified the security on the template to allow "read, enroll, and autoenroll" for newDomain\domain computers, and the GPO for autoenrollment is in place, but the clients are not getting the cert. What am I missing? Do I need to issue the certificate again? Rob Szarszewski
September 26th, 2011 10:31am

You need to look at Cross-forest Certificate Enrollment with Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/ff955842(WS.10).aspx
The basic requirements are:
- Two-way forest trusts between a resource forest and account forests.
- One or more enterprise CAs running on Windows Server 2008 R2.
- Domain member computers in all forests running the following operating systems: Windows XP, Windows Server 2003 or later.
/Hasain
September 26th, 2011 3:26pm

I only have 2 domains in the same forest; is this necessary? Rob Szarszewski
September 26th, 2011 4:16pm

No, I assumed you had another forest, as you mentioned trusts! Besides giving users/computers in the new domain read and enroll permissions on the template itself, you need to make sure they are granted permissions to request certificates from the CA as well. Additionally, you need to make sure that the CA server is configured properly to publish certificates in the new domain. /Hasain
September 26th, 2011 4:31pm

Thanks, can you point me to a MS article on how to "make sure they are granted permissions to request certificates from the CA" and "make sure that the CA server is configured properly to publish certificates in the new domain"? Any help would be appreciated. Rob Szarszewski
September 26th, 2011 4:56pm

You need to add the CA computer object to the Cert Publishers security group in the new (trusted) domain. Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
September 26th, 2011 6:54pm

"Thanks, can you point me to a MS article on how to "make sure they are granted permissions to request certificates from the CA" and "make sure that the CA server is configured properly to publish certificates in the new domain""
Please look at "Modifying security permissions and delegate control of CAs" in http://technet.microsoft.com/en-us/library/cc962068.aspx
September 27th, 2011 1:00am

Thanks guys, I have:
- modified the permissions on the template to allow "domainB\domain computers" read, enroll, autoenroll
- added the computer object of the CA to the Cert Publishers group in domainB
- right-clicked the root of the CA node in MMC and gave domainB\domain computers "Request Certificate" permissions on the CA
I have a GPO in DomainA for autoenrollment. Still not working; can you think of anything else I might be missing? Rob Szarszewski
September 27th, 2011 2:38pm

Hi Rob, can you request a certificate manually using the MMC? If so, you will need to troubleshoot autoenrollment issues, so you could start here: http://support.microsoft.com/kb/281271
You can also look at enabling autoenrollment logging as described here: http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx
Cheers, JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
September 27th, 2011 3:47pm

When I request certs from the MMC I only have "Active Directory enrollment policy", and it's not listed in there. The client certificate I want is not published to AD; should I publish it? Rob Szarszewski
September 27th, 2011 4:08pm

Ok, back to MMC troubleshooting then :) An older article, but still useful: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
Cheers, JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
September 27th, 2011 4:16pm

"Ok, back to MMC troubleshooting then :) An older article, but still useful: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx Cheers JJ Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk"
Great article, I see the issue but don't know how to fix it. I don't see the CA from DomainA in ADSIedit of DomainB here:
"cn=Certification Authorities,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"
Missing here too:
"CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain"
Rob Szarszewski
September 27th, 2011 4:35pm

When both domains are in the same forest the Public Key Services container is shared, and you should see the same set of Enrollment Services, Templates etc. Can you check all other objects under Public Key Services and compare between domains for any differences? /Hasain
September 28th, 2011 2:11am
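One way to do the comparison Hasain asks for, and to check the Cert Publishers membership Jason mentioned, from a single admin workstation. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and $DcA, $DcB and $CaName are placeholders for your own DC and CA names.

```powershell
# Added example (not from the thread): compare the PKI objects each domain's DC
# exposes under Public Key Services, and verify the CA is in the trusted domain's
# Cert Publishers group. Requires the ActiveDirectory module (RSAT).
param(
    [string]$DcA    = 'dc1.domainA.example',  # placeholder: a DC in the CA's domain
    [string]$DcB    = 'dc1.domainB.example',  # placeholder: a DC in the trusted domain
    [string]$CaName = 'CA01'                  # placeholder: CA computer account name
)
Import-Module ActiveDirectory

# 1. One forest means one Configuration NC. Different configurationNamingContext
#    values mean two forests, and the cross-forest enrollment guidance applies.
$cfgA = (Get-ADRootDSE -Server $DcA).configurationNamingContext
$cfgB = (Get-ADRootDSE -Server $DcB).configurationNamingContext
if ($cfgA -ne $cfgB) {
    Write-Warning "Different Configuration NCs ($cfgA vs $cfgB): two forests, not two domains."
}

# 2. List everything each DC holds under Public Key Services and diff the views.
#    The CA must appear under both Certification Authorities and Enrollment Services
#    on both sides; a one-sided entry points at replication or permission problems.
function Get-PkiObjectDn([string]$Server, [string]$ConfigNc) {
    $base = "CN=Public Key Services,CN=Services,$ConfigNc"
    Get-ADObject -Server $Server -SearchBase $base -SearchScope Subtree -Filter * |
        ForEach-Object { $_.DistinguishedName }
}
$viewA = Get-PkiObjectDn $DcA $cfgA
$viewB = Get-PkiObjectDn $DcB $cfgB
$diff  = Compare-Object -ReferenceObject $viewA -DifferenceObject $viewB
if ($diff) {
    "Objects seen from only one DC (<= only $DcA, => only $DcB):"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    "Public Key Services looks identical from both DCs."
}

# 3. The CA computer object must be a member of Cert Publishers in domain B,
#    otherwise the CA cannot publish issued certificates to domain B objects.
#    Reading the member attribute avoids Get-ADGroupMember's cross-domain quirks.
$caDn    = (Get-ADComputer -Server $DcA -Identity $CaName).DistinguishedName
$members = (Get-ADGroup -Server $DcB -Identity 'Cert Publishers' -Properties member).member
if ($members -contains $caDn) {
    "$CaName is a member of Cert Publishers in domain B."
} else {
    Write-Warning "$CaName is NOT in Cert Publishers in domain B; add the CA computer object."
}
```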

The 2 domains seem completely separate, nothing is shared. Is there a setting to "share the public key services"? Rob Szarszewski
September 28th, 2011 9:48am
