I have an environment where 2 subordinate CAs are installed in each domain. I can see that the clients from that domain are equally getting certificates from both. Who is doing round robin in this case? When clients discover the CA, and if AD replies, does it provide the name of the CA in round-robin fashion?

Second question: I understood that the certificate authority is a forest entity, so why are my clients getting certificates only from that domain's CA server? (Domain Computers is added in the cert security template to read and enroll. Is that the reason?) Can any GPO setting or any AD setting tell clients "this is your domain, and this is your CA", or "this is the template you need to get"? Autoenroll is enforced on clients via GPO.