Hi Chris,
The behavior lines up with a permissions gap on the certificate template rather than CA or DNS. When the server is promoted, its computer account leaves the Domain Computers group and relies on Domain Controllers membership; if your “Domain Controller Authentication” template only grants Enroll/Autoenroll to Domain Computers (or a custom group), the request comes in under a principal the CA/template can’t resolve, which surfaces as 0x80070525 (ERROR_NO_SUCH_USER).
Open the template on the CA (certtmpl.msc) and check the Security tab. Make sure Domain Controllers and ideally Enterprise Domain Controllers have at least Read + Enroll + Autoenroll permissions; also keep Authenticated Users with Read so the template is discoverable. After adjusting, run gpupdate /force and certutil -pulse on the 2022 DC, or restart the Certificate Services Client – Auto-Enrollment task to trigger a fresh request.
If it still fails, confirm the template isn’t scoped to an older compatibility mode that restricts KSP/CSP usage, and verify the CA’s Security tab allows “Request Certificates” for Domain Controllers. Given that standalone 2022 members enroll fine and 2012 DCs work, this is almost certainly the group permission change post-promotion rather than PKI core issues.
Domic V.