Hello,
I need some light while troubleshooting a certificate request for 1 particular user that has a SIDHistory attribute due to a recent migration (with ADMT) from one child domain to another.
My scenario is composed of:
- 1 Issuing CA in the parent forest located at HUB.
- Each child domain has a DR Domain Controller also located at HUB. Then each region has its DCs remotely, where end users authenticate.
- 2 certificate templates that are accessible to users of a particular group, let's call it GroupA.
This 1 particular user is a member of GroupA and AD replication is in place in all DCs from this child domain; I've confirmed via repadmin /showattr CHILD-DC* "distinguishedName" that group membership is ok.
The user in the previous child domain no longer exists and never had any cert issued before at the issuing CA, therefore there is only 1 user.
When the user requests the cert templates manually, we click on "Show all templates" and we can see that the CA is not allowing the request because the user has no rights.
I've checked via ADSI Edit, with the Global Catalog option, that at the user object the global catalog doesn't contain details for group membership.
Questions:
How can I confirm from the Issuing CA what attributes of the user object it is seeing?
Does the CA check group membership from the closest DC for the child domain, or does it check from the closest DC in the parent domain via the Global Catalog?
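A way to check the two sides of this question from a single vantage point, as an added example that is not part of the original post: bind to a chosen DC, read the user's constructed tokenGroups attribute (the group SIDs that DC would put in the user's token) together with sIDHistory, then read the Enroll/AutoEnroll ACEs on the template object in the Configuration partition and see which of the user's SIDs actually match. The DC name, user DN and template CN are placeholders; the two extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment values.

```powershell
# Added example, not from the original post. Placeholders for the poster's environment:
$Dc           = 'CHILD-DC01.child.example.com'                         # placeholder: DC to query
$UserDn       = 'CN=Migrated User,OU=Users,DC=child,DC=example,DC=com' # placeholder: migrated user
$TemplateName = 'GroupATemplate'                                       # placeholder: template CN

function Get-EffectiveGroups {
    param([string]$Server, [string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$Server/$DistinguishedName"
    # tokenGroups is constructed by the DC you bind to and is not returned by default;
    # sIDHistory is a stored attribute, requested here so migrated SIDs are listed too.
    $entry.RefreshCache([string[]]@('tokenGroups', 'sIDHistory'))
    foreach ($attr in 'tokenGroups', 'sIDHistory') {
        foreach ($raw in $entry.Properties[$attr]) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [pscustomobject]@{ Source = $attr; Sid = $sid.Value; Name = $name }
        }
    }
}

function Get-TemplateEnrollAces {
    param([string]$Server, [string]$Name)
    # Templates live in the forest-wide Configuration partition, so any DC returns the same ACL.
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dn   = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tmpl = [ADSI]"LDAP://$Server/$dn"
    $enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
    $autoenroll = [guid]'a05b8cc2-17bc-11d2-91e4-00c04f79dc55'   # Certificate-AutoEnrollment right
    $rules = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $full = [bool]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        if     ($ace.ObjectType -eq $autoenroll) { $right = 'AutoEnroll' }
        elseif ($ace.ObjectType -eq $enroll)     { $right = 'Enroll' }
        elseif ($full)                            { $right = 'GenericAll' }
        else                                      { continue }
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $ace.IdentityReference.Value; Name = $name; Right = $right; Type = $ace.AccessControlType }
    }
}

$groups = Get-EffectiveGroups  -Server $Dc -DistinguishedName $UserDn
$aces   = Get-TemplateEnrollAces -Server $Dc -Name $TemplateName

"== Token SIDs as computed by $Dc =="
$groups | Format-Table -AutoSize

"== Enroll/AutoEnroll ACEs on template $TemplateName =="
$aces | Format-Table -AutoSize

"== ACEs that match one of the user's SIDs =="
$userSids = $groups.Sid
$aces | Where-Object { $userSids -contains $_.Sid } | Format-Table -AutoSize
```

Run it twice, once with $Dc pointing at a child-domain DC and once at a parent-domain DC or GC: tokenGroups is computed by whichever DC answers the bind, and domain-local group membership is only expanded by a DC of the group's own domain, so if GroupA (or a group that grants Enroll) is domain local, the two runs will differ and the last table shows immediately whether the user's SIDs satisfy the template ACL as that DC sees them.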