Child domain controller unable to enroll for certificate in parent domain

ritmo2k 706 Reputation points
2023-01-26T18:09:08.86+00:00

I set up a quick lab with a couple of Windows Server 2022 hosts. The first host was promoted to a domain controller (dc-0.example.com) and a domain certificate authority was installed. That domain controller automatically enrolled itself for a certificate.

I then promoted the second host to a domain controller and configured it as a child domain in the above forest (dc-1.child.example.com).

However, the child domain controller is failing to auto-enroll for a certificate, with event id 53 from source CertificationAuthority.

Any idea why the parent domain controller thinks the child domain controller is in another forest?

Active Directory Certificate Services denied request 3 because A referral was returned from the server. 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL).
The request was for CHILD\DC-1$.
Additional information: Denied by Policy Module  0x8007202b, The requester's Active Directory object is not in the current forest.
Cross forest enrollment is not enabled.  CN=DC-1,OU=Domain Controllers,DC=child,DC=example,DC=com  ldap: 0xa: LDAP_REFERRAL: 0000202B: RefErr: DSID-0310079D, data 0, 1 access points
	ref 1: 'child.example.com'

Accepted answer
Thameur-BOURBITA 32,586 Reputation points
2023-01-26T19:58:18.23+00:00

Hi,

Did you check if the root certificate is present in the Trusted Root certificate store of the child domain controller?

Please don't forget to mark the helpful answer as accepted.
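An added example, not code from the thread or from either poster, that turns the accepted answer's question into a repeatable check and also pulls the Event ID 53 denials from the CA's Application log so the requester and HRESULT can be read without opening Event Viewer. It assumes the issuing CA's common name is passed in as `$CaName` (the placeholder `example-DC-0-CA` below is invented), that `Test-RootCaTrusted` is run on the child DC (dc-1.child.example.com) and `Get-CaDeniedRequests` on the CA host (dc-0.example.com), and that the CA events carry a provider name containing `CertificationAuthority`, which is what the question's "source CertificationAuthority" corresponds to.

```powershell
# Added example (not from the Q&A thread). Two defender-side checks:
#   Test-RootCaTrusted   - run on the child DC; confirms the CA root is in the
#                          local Trusted Root store and in the enterprise NTAuth store.
#   Get-CaDeniedRequests - run on the CA host; lists Event ID 53 denials with the
#                          requester name and HRESULT parsed out of the message.
# $CaName is an assumed placeholder for the issuing CA's common name.

function Test-RootCaTrusted {
    param(
        [Parameter(Mandatory)]
        [string] $CaName   # e.g. 'example-DC-0-CA' (placeholder, not from the thread)
    )

    # 1. Local machine Trusted Root store: the check the accepted answer asks about.
    $rootMatch = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$CaName*" }

    # 2. Enterprise NTAuth store: a CA must be listed here for certificates it
    #    issues to be accepted for domain authentication. certutil prints the
    #    store contents as text, so we search it for the CA name.
    $ntAuthText = & certutil.exe -enterprise -store NTAuth 2>&1 | Out-String
    $inNtAuth   = $ntAuthText -match [regex]::Escape($CaName)

    [pscustomobject]@{
        CaName         = $CaName
        InTrustedRoot  = [bool]$rootMatch
        RootThumbprint = ($rootMatch | Select-Object -First 1).Thumbprint
        InNTAuth       = $inNtAuth
    }
}

function Get-CaDeniedRequests {
    param([int] $Last = 20)

    # Event ID 53 in the Application log is the CA's "denied request" event.
    # Filter on Id first, then keep only the CA provider so unrelated ID 53
    # events from other sources are dropped.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 53 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*CertificationAuthority*' } |
        ForEach-Object {
            $msg = $_.Message

            # "The request was for CHILD\DC-1$." -> CHILD\DC-1$
            $requester = if ($msg -match 'The request was for (.+?)\.?(?:\r?\n|$)') { $Matches[1] } else { $null }

            # First HRESULT in the text, e.g. 0x8007202b
            $hresult   = if ($msg -match '0x[0-9a-fA-F]{8}') { $Matches[0] } else { $null }

            [pscustomobject]@{
                Time           = $_.TimeCreated
                Requester      = $requester
                HResult        = $hresult
                CrossForestMsg = [bool]($msg -match 'not in the current forest')
            }
        }
}

# Usage on the child DC:
#   Test-RootCaTrusted -CaName 'example-DC-0-CA'
# Usage on the CA host:
#   Get-CaDeniedRequests | Format-Table -AutoSize
```

If `InTrustedRoot` or `InNTAuth` comes back `False`, the accepted answer's suspicion is confirmed for that store. `CrossForestMsg` being `True` on the CA side means the policy module is reporting the same "not in the current forest" condition the question quotes, so the two outputs can be compared directly when working through the thread's symptom.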
