How to issue certificates from one AD Domain to another AD Domain.
What do we need to know to issue web server certificates from a 2003 CA server in the this.company.com Active Directory domain to 2008 servers in the that.root.company.com AD domain? We will have users in the this.company.com domain using the machines in the that.root.company.com domain. Will we be able to do auto enrollment? I will have to do about 200 of these servers. Sorry I don't have more detail, as this is all I know from the developers so far and I am trying to prepare for those certificate requests. But I can pass on specific questions. For the purpose of this discussion our three domains are root.company.com (the root domain, obviously), that.root.company.com (a child domain under the root) and this.company.com (a separate domain, not a child of root).
February 9th, 2010 1:43am

Are the domains in a single forest or multiple forests? If they are in the same forest, then you will be able to do autoenrollment/etc with no problems. You just need to:
1) Set permissions on the certificate template so that each domain has global groups/universal groups assigned Read, Enroll and Autoenroll permissions
2) The certificate templates are available at one of the issuing CAs in the forest
3) Autoenrollment is enabled for users in each domain.
If the this.company.com domain is a separate forest, then you will not be able to issue with a 2003 CA.
For cross-forest enrollment, see the following whitepaper for details: http://www.microsoft.com/downloads/details.aspx?familyid=D408BE72-7C74-4B19-A2DE-FA11858C30B2&displaylang=en
Brian
February 9th, 2010 4:28am

Perfect, thank you Brian, you should write a book or something, jk and yes all domains are part of the same forest, I apologize I should have mentioned that, instead I was too busy making up generic domain names to protect the innocent
February 10th, 2010 6:50pm

In the same forest this is real easy. Two things to watch:
1) Certificate template versions. I recommend creating a custom Universal group for each certificate template, and assigning the universal group Read, Enroll (and Autoenroll if required) permissions. Then create a global group in each domain in the forest, and add the global groups to the universal group.
2) Make sure the CA computer account is in each domain's Cert Publishers group (assuming it is a domain local group)
3) If you do autoenrollment, ensure that the Autoenrollment GPOs are linked to each domain in the forest
Brian
February 11th, 2010 3:49am
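Brian's steps 1 and 2 (group nesting per template and the Cert Publishers membership), written out as an added PowerShell example that is not from this thread. It assumes the ActiveDirectory module is available (a 2008 R2 DC or the AD Management Gateway), enterprise-admin rights, and placeholder names for the template, CA computer and domain; the Add-MemberByDn helper is hypothetical, and step 3 (linking the autoenrollment GPOs) is not covered.

```powershell
# Added example (not from the thread): Brian's steps 1 and 2 for one template
# across every domain in the forest. Names below are placeholders.
Import-Module ActiveDirectory
$TemplateName   = 'WebServerCustom'      # placeholder: template CN in AD
$CaComputerName = 'CA01'                 # placeholder: CA computer account
$CaDomain       = 'this.company.com'     # domain that holds the CA account
$Forest   = Get-ADForest
$ConfigDn = (Get-ADRootDSE).configurationNamingContext

# Adds a member by DN only if absent, so the script can be re-run safely
function Add-MemberByDn($Group, $MemberDn, $Server) {
    $Current = (Get-ADGroup -Identity $Group -Properties member -Server $Server).member
    if ($Current -notcontains $MemberDn) {
        Set-ADGroup -Identity $Group -Add @{member = $MemberDn} -Server $Server
    }
}

# Step 1a: one universal group per template, homed in the forest root domain
$UniversalName = "CertTpl-$TemplateName-Enroll"
$Universal = Get-ADGroup -Filter "Name -eq '$UniversalName'" -Server $Forest.RootDomain
if (-not $Universal) {
    $Universal = New-ADGroup -Name $UniversalName -GroupScope Universal -GroupCategory Security -Server $Forest.RootDomain -PassThru
}

# Step 1b: Read + Enroll + Autoenroll on the template for the universal group.
# GUIDs are the Certificate-Enrollment / Certificate-AutoEnrollment extended rights.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$TemplateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDn"
$Acl = Get-Acl -Path "AD:\$TemplateDn"
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Universal.SID, 'GenericRead', 'Allow')))
foreach ($Right in $EnrollGuid, $AutoEnrollGuid) {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Universal.SID, 'ExtendedRight', 'Allow', $Right)))
}
Set-Acl -Path "AD:\$TemplateDn" -AclObject $Acl

$CaComputer = Get-ADComputer -Identity $CaComputerName -Server $CaDomain
foreach ($Domain in $Forest.Domains) {
    # Step 1c: a global group per domain, nested into the universal group
    $GlobalName = "CertTpl-$TemplateName-$($Domain.Split('.')[0])"
    $Global = Get-ADGroup -Filter "Name -eq '$GlobalName'" -Server $Domain
    if (-not $Global) {
        $Global = New-ADGroup -Name $GlobalName -GroupScope Global -GroupCategory Security -Server $Domain -PassThru
    }
    Add-MemberByDn -Group $Universal -MemberDn $Global.DistinguishedName -Server $Forest.RootDomain
    # Step 2: CA computer account into this domain's Cert Publishers (domain local)
    $CertPublishers = Get-ADGroup -Identity 'Cert Publishers' -Server $Domain
    Add-MemberByDn -Group $CertPublishers -MemberDn $CaComputer.DistinguishedName -Server $Domain
}
```

Populate each domain's global group with the servers (or users) that should enroll; the universal group is what the template ACL sees, so membership changes never touch the template itself.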
