Auto Enroll in cert from Subordinate CA?
I have a subordinate CA in a sub domain. I have created a certificate template with Auto Enroll checked for the distribution group I want to get that cert. I add the cert template to the subordinate CA's list of available templates, but no clients in the sub domain enroll in the cert from the subordinate. They all enroll in other certs from the root CA.
June 24th, 2011 7:09pm

You cannot assign permissions for distribution groups, only security groups are permitted.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
June 25th, 2011 9:22pm

Sorry, it is a security group. I just call it a distribution group for purposes of process.
June 25th, 2011 10:00pm

If you want to enroll from the sub CA, either:

1) Do not publish the certificate template at the root, only at the sub CA.

2) Create a separate certificate template and set permissions so that only the child domain users have Read, Enroll, and Autoenroll permissions on the new certificate template. Only publish this certificate template at the sub CA. Also change permissions on the original certificate to only allow root domain users Read, Enroll, and Autoenroll permissions.

The first CA to respond will issue the certificate if the template is available at more than one CA. There is no preference for domain or site.

Brian
June 26th, 2011 6:15am

1) I did create the template and I only published it at the subordinate CA. Clients do not Auto Enroll in it, however. That is my issue.

2) I will try to restrict root templates to only root users to see if that forces sub users to Auto Enroll in sub-published certs.
June 26th, 2011 8:44pm

Yeah, there is something major I am missing here. I tried restricting the auto enrollment of certs from the parent CA to only security groups in the parent domain, and sure enough clients in the sub domain do not get certs. Then I re-added the cert template to the subordinate CA, and it is only allowed to auto enroll clients in the child domain. Now clients in the child domain do not get a cert from either the parent or subordinate CA.

When I go to request a cert, it is interesting that only cert templates from the parent CA are listed under "Active Directory Enrollment Policy". It seems that clients in the sub domain use the parent domain AD enrollment policy even though there is a subordinate CA in the child domain. Are there supposed to be multiple AD enrollment policies (parent and child domains) or just one for the whole forest? Is that AD enrollment policy dictating that all clients in the forest use the root CA? Can that AD enrollment policy be edited to include subordinate CAs? Am I barking up the right tree?
June 28th, 2011 9:49pm
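The two things Brian's answer turns on, which CAs publish the template and who holds Read/Enroll/Autoenroll on it, both live in the forest-wide Configuration partition, so parent and child domain clients see the same set of templates and enrollment services. The following PowerShell script is an added example, not code from the thread or from the PSPKI module mentioned above; it reads that partition with plain ADSI to show, for one template, every enterprise CA that publishes it and every identity allowed to Enroll or Autoenroll. The template name is a parameter you supply; the two extended-right GUIDs are the schema-defined Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added diagnostic example (not from the thread): for a given template,
# list which enterprise CAs publish it and who may Enroll / Autoenroll.
# Assumes the caller can read the Configuration NC (any domain user can).
param([Parameter(Mandatory)][string]$TemplateName)   # e.g. the poster's custom template

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Extended rights defined in the AD schema for certificate templates
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# 1) Which CAs (Enrollment Services objects) publish this template?
#    The list is forest-wide: a template published at two CAs is offered by both.
$caContainer = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
foreach ($ca in $caContainer.Children) {
    $published = @($ca.Properties['certificateTemplates'])
    $state = if ($published -contains $TemplateName) { 'PUBLISHES' } else { 'does not publish' }
    '{0,-40} {1} {2}' -f $ca.Properties['cn'][0], $state, $TemplateName
}

# 2) Who holds Read / Enroll / Autoenroll? Decode the template's DACL.
#    Autoenrollment needs all three on exactly one Allow path for the client.
$tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
$rules = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$rightsEnum = [System.DirectoryServices.ActiveDirectoryRights]
foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $rights = @()
    if (($r.ActiveDirectoryRights -band $rightsEnum::ReadProperty) -ne 0) { $rights += 'Read' }
    if ($r.ObjectType -eq $enrollGuid)     { $rights += 'Enroll' }
    if ($r.ObjectType -eq $autoEnrollGuid) { $rights += 'Autoenroll' }
    if (($r.ActiveDirectoryRights -band $rightsEnum::GenericAll) -eq $rightsEnum::GenericAll) {
        $rights = @('FullControl')
    }
    if ($rights) { '{0,-40} {1}' -f $r.IdentityReference, ($rights -join ', ') }
}
```

If the template shows up under more than one CA, or the child-domain group is missing any of Read, Enroll and Autoenroll in the second listing, that matches the symptoms described in the thread.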
