How can I issue computer certificates for DCs in another forest
We have a small domain that is outside of our normal forest that we want to issue certificates to. We have an enterprise CA in our primary forest that we would like to use to issue the certificates. Our only goal is to enable SLDAP on these domain controllers, and it doesn't seem worth it to stand up a new CA to issue two certificates. Can we issue certificates to the domain controllers in a separate forest and if so:
1. What certificates are needed for SLDAP (I am guessing I just need the Domain Controller Authentication template)?
2. Can I set up auto enrollment with a forest I don't trust (maybe using the issued certificate for authentication)?
3. Our Web Enrollment is not working. Is there another method I can use to obtain the certificate?
May 3rd, 2012 4:53pm

Hi,

1. What certificates are needed for SLDAP (I am guessing I just need the Domain Controller Authentication template)

Do you mean secure LDAP? By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article. Please refer to this wiki: LDAP over SSL (LDAPS) Certificate (http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx)

2. Can I set up auto enrollment with a forest I don't trust (maybe using the issued certificate for authentication)

Cross-forest Certificate Enrollment technical requirements:
1. Two-way forest trusts between a resource forest and account forests.
2. One or more enterprise CAs running on Windows Server 2008 R2.
3. Domain member computers in all forests running the following operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2.

For detailed steps, please refer to the following articles:
AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2 http://technet.microsoft.com/en-us/library/ff955842(v=ws.10).aspx
AD CS: Deploying Cross-forest Certificate Enrollment http://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx

3. Our Web Enrollment is not working. Is there another method I can use to obtain the certificate?

This feature applies to organizations that have public key infrastructures (PKIs) with one or more CAs running Windows Server 2008 and clients running Windows Vista and that want to provide users with the ability to obtain new certificates or renew existing certificates by using Web pages.

Hope this helps!

Best Regards,
Elytis Cheng, TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
May 3rd, 2012 11:16pm
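As an added example that is not part of the thread or of the linked wiki: the PowerShell below checks a domain controller's certificates against the requirements the wiki lists for LDAPS (Local Computer Personal store, private key present, Server Authentication EKU, the DC's FQDN in the subject or SAN, a chain to a trusted root) and then attempts an LDAPS bind on port 636. Run it on the DC itself as an administrator. $DcFqdn, Test-LdapsCertificate and Test-LdapsBind are names chosen for this example.

```powershell
# Added example, not from the thread. Verifies that a certificate in the
# Local Computer Personal store meets the LDAPS requirements, then tests a
# TLS bind to port 636. Assumed: run on the DC as an administrator.
$DcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert    = $_
        $hasEku  = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthOid })
        $hasName = ($cert.Subject -like "CN=$Fqdn*") -or ($cert.DnsNameList.Unicode -contains $Fqdn)
        $trusted = $cert.Verify()   # builds the chain against the machine's trusted roots
        # 1.3.6.1.4.1.311.21.7 is the V2 "Certificate Template Information" extension.
        $tmpl    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Template       = $(if ($tmpl) { ($tmpl.Format($false) -split ',')[0] } else { 'n/a' })
            HasPrivateKey  = $cert.HasPrivateKey
            ServerAuthEku  = $hasEku
            NameMatches    = $hasName
            ChainTrusted   = $trusted
            NotAfter       = $cert.NotAfter
            UsableForLdaps = $cert.HasPrivateKey -and $hasEku -and $hasName -and $trusted
        }
    }
}

function Test-LdapsBind {
    param([Parameter(Mandatory)][string]$Fqdn)

    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS), not StartTLS
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()   # throws on a TLS handshake failure (bad/missing certificate) or a bind failure
        return $true
    } catch {
        Write-Warning "LDAPS bind to ${Fqdn}:636 failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsCertificate -Fqdn $DcFqdn | Format-List
"LDAPS bind succeeded: $(Test-LdapsBind -Fqdn $DcFqdn)"
```

If more than one certificate reports UsableForLdaps, be aware that the DC picks one itself from the Local Computer store; the wiki describes placing the intended certificate in the NTDS\Personal store on Windows Server 2008 and later to make the choice explicit.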

So I worked through a lot of the issues, and now I appear to be at the very end of the process (still not working). I established a two way selective forest trust and worked through the issues of getting an account that could write changes to AD in the new forest and could read the configuration from the original forest that contains the CA. I got the templates copied over, gave the domain controllers in the new forest auto enrollment rights to the Kerberos Authentication template I created (copy of the original). I also went into AD and gave the domain controllers in the new forest permission to authenticate with the CA. I can generate enrollment requests now, but I get an access denied message. I tried backing off the trust security (reset to a full forest trust), but that didn't help any. I see in the network trace that the domain controller is trying to make a DCOM call, but I can't tell what happens beyond that. I don't see any errors on the CA itself, but I get the following on the domain controller requesting the certificates:

Certificate enrollment for Local system failed to enroll for a MYKerberosAuthentication certificate with request ID N/A from myca.mycompany.com\MYCA1-CA (Access is denied. 0x80070005 (WIN32: 5)).
May 4th, 2012 3:51pm

I found a troubleshooting guide that noted access to DCOM is controlled by a group on the CA. I didn't see that in the documentation above, and have tried adding the Domain Controllers group from our second domain to the CA's local Certificate Service DCOM Access group. That still didn't work, but it seems like another piece of the puzzle. At this point I have a two way selective trust and the Domain Controllers group has been given permission on the CA computer object to authenticate, and has been added to the CA's DCOM group. Any other thoughts on what I might be missing? This is the document I am using for troubleshooting: http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx
May 7th, 2012 2:44pm
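Added example, not from the thread: a short PowerShell checklist for the "Access is denied (0x80070005)" stage described in the two posts above. The first function is meant to be run on the requesting DC in the resource forest, the second on the CA host. $CaConfig and $TemplateName reuse the names from the earlier post as placeholders; the certutil switches (-ping, -CATemplates, -getreg, -pulse) and the "Certificate Service DCOM Access" group are standard, the function names are chosen for this example.

```powershell
# Added example, not from the thread. Placeholders from the posts above:
$CaConfig     = 'myca.mycompany.com\MYCA1-CA'   # "<CA host FQDN>\<CA name>"
$TemplateName = 'MYKerberosAuthentication'      # CN of the copied template

function Test-RequesterSide {
    # --- run on the requesting DC in the resource forest ---

    # 1. DCOM reachability. A failure here points at the "Certificate Service
    #    DCOM Access" local group or the COM security limits on the CA, not at
    #    the template.
    Write-Host "== certutil -ping =="
    certutil -config $CaConfig -ping

    # 2. Is the copied template published on this CA at all? A template that
    #    exists in AD but is not in the CA's Certificate Templates folder is
    #    never issued.
    Write-Host "== template offered by CA =="
    $offered = certutil -config $CaConfig -CATemplates | Select-String -SimpleMatch $TemplateName
    if ($offered) { $offered } else { Write-Warning "$TemplateName is not offered by $CaConfig" }

    # 3. Enrollment client events since midnight. Event 13 with 0x80070005 is
    #    a denial before the request reaches the policy module; event 66
    #    followed by event 13 with another code means the DCOM stage is fine
    #    and the policy module refused the request instead.
    Write-Host "== CertEnroll events today =="
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        StartTime    = (Get-Date).Date
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}

function Test-CaSide {
    # --- run on the CA host ---

    # Who may talk to the CA over DCOM: the requesting forest's Domain
    # Controllers group must appear here (directly or via a nested group).
    Write-Host "== Certificate Service DCOM Access members =="
    net localgroup "Certificate Service DCOM Access"

    # The CA's own security descriptor; the requesters (or a group that
    # contains them) need the Request Certificates right.
    Write-Host "== CA security descriptor =="
    certutil -getreg CA\Security
}

Test-RequesterSide
# Trigger a fresh autoenrollment pass so the events above are current.
certutil -pulse
```

Run Test-CaSide separately on the CA; the two halves together show whether the denial is at the DCOM boundary (group membership, COM limits) or at the CA's own permission set.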

I got a little bit further on this. Once I had added the domain controllers group from the second domain (our resource domain) to the Certificate Service DCOM Access group, I took another trace and noticed that the CA was trying to call back to the resource domain controllers looking for SPN information. This request was being denied because the selective trust does not allow this to happen. Since my CA is already in the Cert Publishers group in the resource domain, I granted Allowed to authenticate rights to the CA on the domain controllers in the resource domain. This changed the behavior so that I now get the following error:

Status: Request denied. The specified account does not exist. Denied by Policy Module 0x8007208d, The requester's Active Directory Object could not be retried.

I tried to delegate read all properties to the Cert Publishers group, but that does not appear to have resolved it. Has anyone ever successfully enabled certificate auto enrollment when a two way selective trust is used?
May 7th, 2012 3:29pm

Hi,

Please try to add Authenticated Users and INTERACTIVE to the builtin Users group to test. Hope this helps!

Best Regards,
Elytis Cheng, TechNet Community Support
May 11th, 2012 5:17am

Hi,

Thanks for posting in Microsoft TechNet forums. As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

Best Regards,
Elytis Cheng, TechNet Community Support
May 14th, 2012 4:30am

It is partially working. Autoenrollment isn't working, but I can issue certificates to the second forest. Auto enrollment on the CA wants to query AD from the requesting forest and doesn't have enough rights. I tried granting logon rights for the CA computer account on the domain controllers in the second forest, but that didn't do it. If I ever get to the point where I get it working and I can sort out what it really takes to make it work, I will post the solution here. I suspect that once I get it working, I will have a lot of wreckage in the system and may never be sure of which parts I need and which parts I shouldn't have put in.
May 23rd, 2012 10:39am

Hi,

Have you deployed the Cross-forest Certificate Enrollment following the link I mentioned?

Best Regards,
Elytis Cheng, TechNet Community Support
May 29th, 2012 4:34am

Those were the documents I used. I am sure I have missed something though. I went back through and checked everything. I can copy the templates fine, so I think I have the correct rights for my user account. I have mapped the domain users, domain computers and domain controllers groups to the CA's computer object and given them permission to authenticate. I have also added the CA's computer account onto the computers that I want to issue certificates to in the other forest so authentication works that way. When I request certificates I get the following error, which I attribute to the CA's ability to get information from AD in the other forest.

Active Directory Certificate Services denied request 300 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for XXX\VXXXDC1$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=VxxxDC1,OU=Domain Controllers,DC=xxx,DC=domain,DC=local ldap: 0x20: 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domain,DC=local'
May 29th, 2012 9:54am

I also get the following error message in the event log of the CA every time the system fails to issue a certificate. Referrals are enabled, but I don't think they are working.

The "Windows default" Policy Module logged the following warning: Active Directory Certificate Services is configured to use LDAP referrals to request user data from the Active Directory directory service.
May 29th, 2012 9:58am

1. Please let me know how you request the certificate, mmc or web, and then get the error message.
2. Do all the certificates encounter the same errors?
3. Does AD replication work well in your domain?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 30th, 2012 5:27am

1) The problem only exists when using auto enrollment from the second forest. Auto enrollment from the same forest as the CA works fine. Manual enrollment from the MMC works fine from the second forest, but I have to use a template that allows me to configure the CN and DNS name. I am pretty sure the problem is that the CA is having problems getting that information from the second forest.
2) Any auto enrollment certificate in the second forest gets that error. Both domain controllers have the same issue consistently.
3) AD replication is fine. Repadmin /replsummary on both domains shows no errors. We have only one site. The first domain has three domain controllers and the second forest has two domain controllers. I also did a repadmin /showutdvec on each domain controller for the configuration container and the domain container itself and it could not look better.

I am pretty sure that when the DC in the second forest calls the CA for a certificate, the CA tries to look up the information necessary for the certificate through Active Directory. My packet trace does not show an LDAP query, so I don't see the CA making a call out. The certificate is not being issued because the CA cannot find the domain, or is not finding the DC entry in active directory. Based on the error, I am guessing that it can't find the domain at all and refers to the closest match...
May 30th, 2012 9:13am

Please ensure you have enabled the policy "Windows Settings\Security\Public Key Policies/Certificate Services Client - Auto-Enrollment" in the default domain policy.
June 1st, 2012 2:18am

Auto enrollment is enabled and I can see the requests going out. My CA is showing piles of rejected requests from the servers in the second forest.
June 1st, 2012 1:19pm

Would you please help capture screen shots of all the error messages?
June 5th, 2012 2:28am

Hi, any update? Please drop me a note about the current status at your earliest convenience.
June 7th, 2012 4:20am

I don't appear to be smart enough to figure out how to add a screen shot. This is how it looks from the event viewer.

First the authentication happens to the CA:

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 6/7/2012 10:09:30 AM
Event ID: 66
Task Category: None
Level: Information
Keywords: Classic
User: ddd\uuuuuuu
Computer: hhhhhhh.ddd.ddddd.ddd
Description: Certificate enrollment for Local system is successfully authenticated by enrollment server hhhhhhh. ddddd.ddd\hhhhhhh-ca

The next event we see is the rejection. This is the event from the requesting side:

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 6/7/2012 10:09:31 AM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: ddd\uuuuuu
Computer: hhhhhhh.ddd.ddddd.ddd
Description: Certificate enrollment for Local system failed to enroll for a MyDomainControllerAuthentication certificate with request ID 423 from hhhhhhh.ddddd.ddd\hhhhhhh-ca (The specified account does not exist. 0x80070525 (WIN32: 1317)).

From the CA side, we see the following:

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 6/7/2012 10:09:31 AM
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: hhhhhhh.ddddd.ddd
Description: Active Directory Certificate Services denied request 423 because The specified account does not exist. 0x80070525 (WIN32: 1317). The request was for ddd\ hhhhhhh$. Additional information: Denied by Policy Module 0x8007208d, The requester's Active Directory object could not be retrieved. CN=hhhhhhh,OU=Domain Controllers,DC=ddd,DC= ddddd,DC=ddd ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of 'DC= ddddd,DC=ddd'

From my perspective it looks like the CA is asking the wrong domain for the account information.
June 7th, 2012 11:19am
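Added example, not from the thread: a PowerShell diagnostic for the event 53 / 0x8007208d stage shown in the post above and in the earlier "request 300" post. It repeats the requester lookup that the CA's "Windows default" policy module performs, once against the CA forest's global catalog and once against the requester's own domain, and reports whether the CA has the LDAP referral flag that the cross-forest deployment guide tells you to set. The requester name and DN are the anonymised values from the event above, used as placeholders; Get-LatestDeniedRequest, Find-RequesterObject and Get-LdapReferralFlag are names chosen for this example.

```powershell
# Added example, not from the thread. Run on the CA host.
# Anonymised placeholders copied from the posted event 53; replace with yours.
$RequesterAccount = 'ddd\hhhhhhh$'
$RequesterDn      = 'CN=hhhhhhh,OU=Domain Controllers,DC=ddd,DC=ddddd,DC=ddd'

function Get-LatestDeniedRequest {
    # Reads the newest event 53 from the CA and returns the "The request was
    # for DOMAIN\account$" value, or nothing if no such event is logged.
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 53
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev -and $ev.Message -match 'The request was for\s+(.+?)\.\s') {
        return ($Matches[1] -replace '\s', '')
    }
}

function Find-RequesterObject {
    param([Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][string]$Dn)

    $sam = ($Account -split '\\', 2)[-1]
    # Requester's domain DNS name, derived from the DC= components of its DN.
    $domainDns    = (($Dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
    $forestRootDn = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext

    $targets = [ordered]@{
        "CA forest GC ($forestRootDn)" = "GC://$forestRootDn"   # what a purely local lookup sees
        "requester domain $domainDns"  = "LDAP://$domainDns"    # where the object actually lives
    }
    foreach ($label in $targets.Keys) {
        try {
            $root     = New-Object System.DirectoryServices.DirectoryEntry($targets[$label])
            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(sAMAccountName=$sam)")
            $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::All
            $hit = $searcher.FindOne()
            [pscustomobject]@{
                Target = $label
                Found  = [bool]$hit
                Detail = $(if ($hit) { $hit.Path } else { 'NO_OBJECT' })
            }
        } catch {
            # An access or referral failure here is the CA-side equivalent of
            # "The requester's Active Directory object could not be retrieved".
            [pscustomobject]@{ Target = $label; Found = $false; Detail = $_.Exception.Message }
        }
    }
}

function Get-LdapReferralFlag {
    # The cross-forest deployment guide has the CA follow LDAP referrals via
    #   certutil -setreg policy\EditFlags +EDITF_ENABLELDAPREFERRALS
    # followed by a certsvc restart; certutil -getreg prints the flag names
    # that are currently set.
    $out = (certutil -getreg policy\EditFlags 2>&1) | Out-String
    return ($out -match 'EDITF_ENABLELDAPREFERRALS')
}

$account = Get-LatestDeniedRequest
if (-not $account) { $account = $RequesterAccount }
Find-RequesterObject -Account $account -Dn $RequesterDn | Format-Table -AutoSize -Wrap
"EDITF_ENABLELDAPREFERRALS set on this CA: $(Get-LdapReferralFlag)"
```

The CA service runs as Local System, so the policy module performs its lookup as the CA's computer account, not as the administrator running a console. A lookup that succeeds from an admin console but fails under the Local System account (for example when the script is started with Sysinternals PsExec -s) points at the CA computer account's rights in the resource forest, which is what the "Allowed to authenticate" and logon-rights steps in the earlier posts are trying to address; NO_OBJECT from the GC target alone is expected, since the requester's object is not in the CA's forest.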

Based on the error message, it seems that the CA cannot retrieve the information from the forest well. If both DCs and CAs are running Windows 2008 R2 and the clients are running Windows 7, I suggest you can export the related AD information (CN=Public Key Services) from forest A and then import it to forest B to implement the auto-enrollment. Please let me know how you deploy cross-forest, and list the general steps.
June 11th, 2012 2:57am

I use the PKISYNC.PS1 file to move everything each time I modify a template. Should that have already put me in sync between the two forests? I think the issue is the CA getting confused about where to go for the information, or is not getting to the information for some reason if it is going to the right place.
June 12th, 2012 9:42am

Experiencing exactly the same issue here; full two-way forest trust between two 2008 R2 forests. Manual enrolment from the resource forest works fine but the autoenrolment fails for DCs as well as for clients. I also use the PKISync script to keep the forests in sync using a scheduled task. It looks like the integration with LDAP is not smart enough to look in the resource forest.
June 20th, 2012 7:08am

I am getting to the point where I am pretty sure it is a bug, but I don't have a premier account so I don't have any way to escalate the issue. I know Microsoft keeps pretty close tabs on the forums, so I am hoping they will see this and look into a solution. My resource forest is small, so I can manually enroll and it works out for me. If I had a larger resource forest I would have a serious issue. Just curious. My resource forest is a DNS sub domain of my primary forest that contains my CA. I am wondering if you have the same configuration. I am wondering if it is seeing that as one forest because the resource is a sub domain but still a separate forest. If I had named the resource forest something totally different I am wondering if that would have made a difference. For example: if you have a forest named MyDomain.Local and a resource forest named Testing.MyDomain.Local, does that cause an issue? Would it have worked if I had changed the resource to Testing.Local? Just a guess.
June 20th, 2012 8:47am

Interesting point. I too have the setup of a contiguous namespace but two different forests. Unfortunately no premier support here either. Let's hope someone from Microsoft is watching.
June 20th, 2012 10:05am
