Multi Forest: Access to Certificate Enrollment Policy fails
Hi there, the configuration is as follows: a multi-forest environment with a domain de and a domain lux. A PKI has been installed in the de domain on a Windows Server 2008 R2. In the de domain 2008 DCs are in place. In the lux domain a few 2003 DCs are in place. Ports DCOM/4000, RPC/135, HTTP/80 and HTTPS/443 are opened from clients in the lux domain to the CA in the de domain.

Problem: Certificate enrollment (auto and manual) in the de domain works fine. Manual certificate enrollment in the lux domain through the MMC fails because the Certificate Enrollment Policy cannot be retrieved. Looking in the firewall logs I can see that clients in lux are trying to contact the DC in the de domain.

Question: Do I need to open the LDAP port (389) on the firewall in the lux domain to enable clients in this domain to request certificates from the CA in the de domain? Are other additional ports necessary?

Regards, HansenCh
March 30th, 2011 7:12am

Hi, I suggest that you refer to the following guide: AD CS: Deploying Cross-forest Certificate Enrollment
http://technet.microsoft.com/en-us/library/ff955845(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 6th, 2011 4:05am

Hi, thanks for the reply. I already had a look at this guide. However, I did not find any suitable answers for my issue. In the meantime I opened the LDAP ports to the root domain, and everything works fine.
April 11th, 2011 3:36am
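A quick way to confirm the firewall path before touching the CA itself is to test, from a client in the lux forest, each TCP port this thread mentions against the CA and against a DC in the de forest. This is an added example, not code from the thread; the host names are placeholders, and the fixed DCOM port 4000 is taken from the question (by default, DCOM enrollment goes to 135 and then a dynamic high port, so only a CA pinned to a fixed port can be checked like this).

```powershell
# Added example: reachability check for the ports discussed in the thread.
# Uses TcpClient rather than Test-NetConnection so it also runs on the
# PowerShell 2.0 that ships with Windows Server 2008 R2 / 2003-era clients.
$caHost = 'ca01.de.example'   # placeholder: the issuing CA in the de forest
$dcHost = 'dc01.de.example'   # placeholder: a domain controller in the de forest

$checks = @(
    @{ Target = $caHost; Port = 135;  Why = 'RPC endpoint mapper (DCOM enrollment)' },
    @{ Target = $caHost; Port = 4000; Why = 'fixed DCOM port for the CA, as in the question' },
    @{ Target = $caHost; Port = 80;   Why = 'HTTP (web enrollment / enrollment policy)' },
    @{ Target = $caHost; Port = 443;  Why = 'HTTPS (enrollment policy web service)' },
    @{ Target = $dcHost; Port = 389;  Why = 'LDAP: enrollment policy and templates from AD' }
)

function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropping firewall does not hang the script.
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($c in $checks) {
    $state = if (Test-TcpPort -TargetHost $c.Target -Port $c.Port) { 'open' } else { 'BLOCKED' }
    '{0,-8} {1}:{2,-5} {3}' -f $state, $c.Target, $c.Port, $c.Why
}
```

A BLOCKED line for 389 on the DC matches the symptom described above (enrollment policy not retrievable while the CA ports are open); a TCP connect succeeding only proves the firewall path, not that Kerberos or the cross-forest trust is working.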
