Cross Forest certificate Enrollment problem

Hi,

 

I have a two-forest setup with a two-way trust (ForestA and ForestB). In ForestB there is a child domain (ForestBchild).

I have successfully set up cross-forest enrollment in both forests. The CA is in ForestA; ForestB doesn't have a CA.

I tested issuing the Workstation Authentication template with security settings giving Domain Computers Autoenroll, Enroll and Read for both forests and the child domain.

In ForestB (parent domain) the computers are deployed with the certificate, but in the child domain some failed with the error "Denied by Policy Module 0x8007202b, The requester's Active Directory object is not in the current forest. Cross forest enrollment is not enabled".

 

What must be the problem with my setup?
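The two checks an administrator would run first on the CA in ForestA for the error quoted above, added here as an example; this is not code from the thread or from Microsoft. It assumes the CA uses the default Microsoft policy module (so EditFlags lives under the registry path shown), that it runs in an elevated session on the CA host, and that `FORESTBCHILD\WORKSTATION01$` is a constructed placeholder for one of the failing child-domain computers. EDITF_ENABLELDAPREFERRALS (0x00040000) is the documented EditFlags bit the policy module needs in order to follow an LDAP referral to a requester whose account lives in a trusted forest; 0x8007202b wraps Win32 error 0x202B (ERROR_DS_REFERRAL), which is what the "not in the current forest" message reports.

```powershell
# Added example, not from the thread. Run elevated on the issuing CA in ForestA.
# Assumption: the CA uses the default Microsoft policy module, so EditFlags is
# stored under PolicyModules\CertificateAuthority_MicrosoftDefault.Policy.

$EDITF_ENABLELDAPREFERRALS = 0x00040000   # EditFlags bit: follow LDAP referrals into trusted forests

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$policyKey = Join-Path $configKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

if ($editFlags -band $EDITF_ENABLELDAPREFERRALS) {
    "CA '$caName': EDITF_ENABLELDAPREFERRALS is set (EditFlags=0x{0:X8})" -f $editFlags
} else {
    "CA '$caName': EDITF_ENABLELDAPREFERRALS is NOT set (EditFlags=0x{0:X8})" -f $editFlags
    "Enable it with:  certutil -setreg policy\EditFlags +EDITF_ENABLELDAPREFERRALS"
    "then restart the CA service:  Restart-Service CertSvc"
}

# 0x8007202b wraps Win32 error 0x202B (ERROR_DS_REFERRAL): the CA received an LDAP
# referral for the requester's object. Confirm that the CA host itself can resolve
# a failing child-domain computer account through the trust.
$requester = 'FORESTBCHILD\WORKSTATION01$'   # constructed placeholder; use a machine that failed
try {
    $sid = ([System.Security.Principal.NTAccount]$requester).Translate(
               [System.Security.Principal.SecurityIdentifier])
    "$requester resolves to $($sid.Value) from this CA host"
} catch {
    "$requester could not be resolved from this CA host: $($_.Exception.Message)"
}

# Put issued and failed requests side by side so the child-domain requesters can be
# compared with the parent-domain ones. Request.Disposition: 20 = issued,
# 21 = revoked, 30 = failed, 31 = denied.
certutil -view -restrict "Request.Disposition>=20" `
    -out "RequestID,Request.SubmittedWhen,Request.RequesterName,Request.Disposition,Request.DispositionMessage"
```

If the flag is already set, the last two outputs are the ones to read: whether the CA host can translate the child-domain account at all, and whether every failed row in the CA database carries a RequesterName from the child domain while the issued rows do not.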

2 Replies

Hello @christian31,

I came across this thread on TechNet, maybe it will help you:

https://social.technet.microsoft.com/Forums/ie/en-US/59393068-76ff-46df-874e-ae19057ea223/server-2012-r2-quotcross-forest-enrollment-is-not-enabledquot?forum=winserversecurity

Thierry

Hi!

I have seen this link, and I know that my setup is working on other computers. I don't know what's wrong, since some computers were successfully deployed by the CA and some were not, with that error message in the failed request on the CA server in ForestA.