Okay, I resolved my issues. It was difficult since the 2012 doc is incomplete and you have to borrow from the 2008 doc to figure it out.
The missing part from the 2012 doc is the adding of the certs. The best way to get the certs is to log in to the CA Web Service and download the certificate chain. Save each certificate in the chain. Copy them over to the other Forest and install. LDAP referrals do need to be enabled.
```batch
REM Enable LDAP referral support on enterprise CAs.
REM Run this on the CA itself; the setting takes effect after the CA service (certsvc) is restarted.
REM certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS

REM RUN ON DC in remote domain

REM Verify CA is working (retrieve the root CA certificate from the CA)
certutil -config "offlineROOTCA\Cert Root PKI" -ca.cert C:\Scripts\rootcapki.cer
REM Install certs (publish the root CA certificate to the RootCA store in AD)
certutil -dspublish -f C:\Scripts\rootcapki.cer RootCA

REM Publish enterprise CA certificates from the resource forest into the NTAuthCertificates and AIA containers in each account forest.
REM Verify CA is working (retrieve the issuing CA certificate from the CA)
certutil -config "certsrv03.domain.com\Cert Issuing PKI" -ca.cert C:\Scripts\issuingpki.cer
REM Install certs (publish the issuing CA certificate to NTAuthCertificates and to the AIA/SubCA store)
certutil -dspublish -f C:\Scripts\issuingpki.cer NTAuthCA
certutil -dspublish -f C:\Scripts\issuingpki.cer SubCA
```
Also, my other error was hard to figure out. The issue came up because we have a Forest that shares the same namespace as another Forest. Basically, we have overlapping forest names. Full trust and all that.
With this I had to learn about creating LDAP referrals in AD. The article below was so helpful because Microsoft just gave you a VB script.
To use ADSI Edit to create a cross-reference object:
- In ADSI Edit, expand the Configuration container.
- Right-click the CN=Partitions container, click New, and then click Object.
- For Select a class, you can create objects only of the class crossRef, which is already selected. Click Next.
- For the cn attribute, in the Value box, type a name that describes the location, and then click Next.
- For the nCName attribute, in the Value box, type the distinguished name for the external domain, and then click Next.
- For the dnsHostname attribute, in the Value box, type a DNS name for the server that hosts the domain directory partition, or type the domain name.
- When you are sure that your entries are correct, click Finish.
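Added example (my own, not the poster's script or Microsoft's VB script): the same crossRef creation as the ADSI Edit steps above, done with the ActiveDirectory PowerShell module, with a duplicate check and a listing so you can verify the referral afterwards. Domain names and DNs are placeholders; the value ADSI Edit asks for as the DNS name is assumed here to be the crossRef attribute dnsRoot.

```powershell
# Added example, not from the original post. Placeholders: replace the DN and DNS
# values with the external domain you need a referral for.
Import-Module ActiveDirectory

function New-ExternalCrossRef {
    param(
        [Parameter(Mandatory)] [string] $Name,     # cn: a descriptive label for the location
        [Parameter(Mandatory)] [string] $NCName,   # nCName: DN of the external domain
        [Parameter(Mandatory)] [string] $DnsRoot   # DNS name of a server hosting the partition, or the domain name
    )
    # crossRef objects live under CN=Partitions in the Configuration partition and are
    # created on the forest's Domain Naming Master, so target that DC explicitly.
    $dnm     = (Get-ADForest).DomainNamingMaster
    $rootDse = Get-ADRootDSE -Server $dnm
    $partsDN = "CN=Partitions,$($rootDse.configurationNamingContext)"

    # Refuse to create a second referral for the same naming context.
    $existing = Get-ADObject -Server $dnm -SearchBase $partsDN `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$NCName))"
    if ($existing) {
        throw "A crossRef for '$NCName' already exists: $($existing.DistinguishedName)"
    }

    New-ADObject -Server $dnm -Name $Name -Type crossRef -Path $partsDN `
        -OtherAttributes @{ nCName = $NCName; dnsRoot = $DnsRoot } -PassThru
}

function Get-ExternalCrossRef {
    # List every crossRef under CN=Partitions. Internal partitions carry the
    # FLAG_CR_NTDS_NC bit (0x1) in systemFlags; external referrals do not.
    $rootDse = Get-ADRootDSE
    $partsDN = "CN=Partitions,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $partsDN -LDAPFilter "(objectClass=crossRef)" `
        -Properties nCName, dnsRoot, systemFlags |
        Where-Object { -not ($_.systemFlags -band 1) } |
        Select-Object Name, nCName, dnsRoot
}

# Placeholder values for the overlapping-namespace case described in the post.
New-ExternalCrossRef -Name 'contoso-external' `
    -NCName 'DC=contoso,DC=com' `
    -DnsRoot 'contoso.com'

Get-ExternalCrossRef | Format-Table -AutoSize
```

Run it as an Enterprise Admin; the listing at the end is the quick check that the referral object was written where the certutil -dspublish steps expect it.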