
I have a parent domain and 2 child domains of that parent. All servers are Windows Server 2019. I am working on deploying security software and I need to obtain a valid certificate from the Certificate Authority. The Certificate Authority is on a server on the Parent Domain.

When I go to obtain a computer certificate on a Child Domain machine the computer shows no templates or locations to pull the certificate from. I am able to pull a certificate from the CA on a machine on the parent domain without a problem.

Is there some way to pass the ability to pull a computer certificate for the child domain computer from the parent CA?

JukEboX

1 Answer


There are several options for accomplishing this, and all of them are group-membership related. The easiest option would be to add the "Domain Computers" group from the child domain to the certificate template's permissions and grant the required permissions (Read, Enroll and, possibly, Autoenroll).

However, I would use a more AGLP-oriented approach:

  • in the forest root domain, create a universal security group called "Enterprise Domain Computers"
  • add the "Domain Computers" and "Domain Controllers" groups from all domains (root and child) to this new "Enterprise Domain Computers" universal group

Then, in the certificate templates console (certtmpl.msc), open the properties of the desired template, navigate to the Security tab and assign permissions to this new universal group.

It may take some time for all DCs to replicate the group and membership updates. In addition, a computer must be restarted in order to pick up the new group membership, or you must wait up to 10 hours until its Kerberos ticket is refreshed.

Crypt32
  • Wow, that sounds really simple. Does the group need to be located anywhere specific in the parent AD? Most of our groups reside in the Users container as they are mostly user groups. When I created the Enterprise Domain Computers group, where in the parent-level AD should I put it? – JukEboX Feb 09 '22 at 17:12
    `Does the group need to be located anywhere specific in the parent A/D` -- it's up to how your OUs are organized; it doesn't matter. It just has to be defined there. – Crypt32 Feb 09 '22 at 17:14
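The same procedure scripted in PowerShell, as an added example that is not part of the answer or comments above. It assumes the RSAT ActiveDirectory module is installed, that you run it as an Enterprise Admin, and it uses constructed names: the forest root `corp.example`, child domains `east.corp.example` and `west.corp.example`, and a template whose internal name (CN, not display name) is `SecurityAgentComputer`. The Enroll and Autoenroll extended-right GUIDs are the well-known values from the AD schema; everything else is an assumption you should adapt.

```powershell
# Added example (not the answer's own code). Builds the "Enterprise Domain Computers"
# universal group in the forest root, nests every domain's "Domain Computers" and
# "Domain Controllers" into it, and grants it Read + Enroll + Autoenroll on one template.
Import-Module ActiveDirectory

$rootDomain   = 'corp.example'                               # assumption: forest root
$childDomains = @('east.corp.example', 'west.corp.example')  # assumption: child domains
$groupName    = 'Enterprise Domain Computers'
$templateName = 'SecurityAgentComputer'                      # assumption: template CN

# 1. Universal security group in the forest root. The OU does not matter (see the comment
#    thread); it only has to exist in the root domain, so the default Users container is used.
$rootDC = (Get-ADDomainController -DomainName $rootDomain -Discover).HostName[0]
$group  = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $rootDC
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security `
                         -Description 'All computer accounts in the forest (for cert template ACLs)' `
                         -Server $rootDC -PassThru
}

# 2. Nest "Domain Computers" and "Domain Controllers" from the root and every child domain.
#    Each lookup is pointed at a DC of that domain; the universal group lives on the root DC.
foreach ($domain in @($rootDomain) + $childDomains) {
    $dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
    foreach ($name in 'Domain Computers', 'Domain Controllers') {
        $member = Get-ADGroup -Identity $name -Server $dc
        Add-ADGroupMember -Identity $group -Members $member -Server $rootDC
    }
}

# 3. Grant the group Read, Enroll and Autoenroll on the template. Templates are objects in the
#    configuration partition, so the ACL is edited through the AD: drive instead of certtmpl.msc.
$configNC   = (Get-ADRootDSE -Server $rootDC).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment right

$acl = Get-Acl -Path "AD:\$templateDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, 'GenericRead', 'Allow'))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, 'ExtendedRight', 'Allow', $enrollGuid))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, 'ExtendedRight', 'Allow', $autoEnrollGuid))
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 4. Check: list the template's ACEs that apply to the new group.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

After replication, each child-domain computer still needs to pick up the new group membership before enrollment will show the template: restart it as the answer says, then trigger enrollment on that machine with `certutil -pulse` (autoenrollment) or reopen the certificate request wizard and check that the template is now listed.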