Turns out there are some bugs in the CA install.
Our environment:
- Empty root domain
- Domains all initially installed as 2000 Server
- All Domain Controllers now 2003 Server SP1
This is actually documented in the SP1 release notes:
Note that if the certification authority is installed on a domain controller, and the enterprise is made up of more than one domain, Certificate Services cannot automatically update the DCOM security settings for enrollees from outside the certification authority’s domain. Therefore, these enrollees will be denied enroll access to the certification authority.

Which says so right there. But SP1 hasn't been out long enough for any KB articles to be out on this subject.
To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can add only domain groups to it. For example, if users and computers from another domain, a domain named Contoso, have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
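The fix described above as a script, added here as an example rather than taken from the original post or from Microsoft's documentation. It assumes it is run on the CA's domain controller by a domain admin, and that CONTOSO is the NetBIOS name of the other domain whose users and computers need to enroll.

```batch
@echo off
REM Added example: grant enrollees from another domain DCOM access to the CA.
REM Assumption: run on the CA's domain controller as a domain admin; CONTOSO is
REM a placeholder for the NetBIOS name of the other domain in the forest.
setlocal
set OTHERDOMAIN=CONTOSO

REM Record the current membership so the change can be reviewed afterwards.
echo Membership of CERTSVC_DCOM_ACCESS before the change:
net localgroup CERTSVC_DCOM_ACCESS

REM CERTSVC_DCOM_ACCESS is a domain local group in the CA's domain, so add the
REM other domain's Domain Users and Domain Computers groups rather than
REM individual accounts. net localgroup manages domain local groups on a DC.
net localgroup CERTSVC_DCOM_ACCESS "%OTHERDOMAIN%\Domain Users" /add
net localgroup CERTSVC_DCOM_ACCESS "%OTHERDOMAIN%\Domain Computers" /add

REM Verify that both groups now appear in the member list.
echo Membership of CERTSVC_DCOM_ACCESS after the change:
net localgroup CERTSVC_DCOM_ACCESS
endlocal
```

The new membership only reaches an enrollee's access token at its next logon (or reboot, for computer accounts), so an enrollment attempt immediately after running this can still be denied.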