I'm in the process of trying to set up an NDES in a 2008R2 PKI environment (3 tier with Root, Intermediate and 3 Issuing CAs). I have the CA ready to go with my domain admin account also set up as an Enterprise admin (during NDES setup I enter this account as the user account for NDES to use) . During set up, I get to the point where I need to select the CA and it comes back saying: "Insufficient access rights to perform the operation , 0x80072098 , (win32:8344)". All of the servers are in the CertPublishers group. The domain is (server).(ChildDomain).(ParentDomain).local if this makes a difference. In a Technet document I found it states: "During setup certificates are requested for NDES based on the Exchange Enrollment Agent (Offline Request) and the CEP Encryption certificate templates, which are required during setup. ". I try and add access to the above mentioned default templates for the NDES machine but it comes back with the error: "Unable to save permission changes on EnrollmentAgentOffline. A referral was returned from the server ". I'm not sure if this is the solution though. If someone could point me in the right direction that would be good. Thanks

Any ideas?