The idea is to implement IPSec into our domain network. I have tested everything on Citrix, created almost the analogue network with AD+DNS+CA+several nodes and stuff. Created a "computer" type certificate in "certificates autorequest setting"(hope thats how it sounds english) in default policies. Right after that in the "certification centre mmc: issued certificates" i instantly got the root certificate, and after gpupdate /force on virtual nodes, they all received certificates which has been indicated in issued certificates almost instantly too(tried several options with them, everything is fine). But on the actual network, after installing certification authority on secondary domain controller and configuring the policy+gpupdate /force, the root certificate has not been given. And of course client machines do not get issued any of them too. And very strange for me is, if i change default policies on PDC, then enter same DGP on the secondary controller, i dont see the change(i.e. this "computer" type certificate autorequest) even forcing gpupdate. Used pretty much the same settings installing CA, rsa+md5+2048.

Ok thank you for the tip, replication is fine(the question then where do i shedule it?). And dcdiag shows that all tests were passed.