I’m having trouble with AD CS: Deploying Cross-forest Certificate Enrollment. I’ve followed the article’s steps for 2012 R2. Things just don’t seem to work.
Right now I can see certificates assigned to a user. I am getting an error about the certificate chain.
I had used dspublish to put my root CA’s and intermediate CA’s .crt and .crl in.
Can anyone verify what dspublish commands to use and which certs and crls would be required? Maybe I didn’t publish the certs everywhere or used a wrong switch. A working example would be amazing.
Also, in the lab I have everything deployed and it works for workstation certs. It is failing for user certs. The error says it cannot find the directory object. It seems like maybe I need to do something with referrals, but I don’t know what to do.

Some extra details:
We have two forests with a full trust relationship.
I have one cert server in one forest. I installed the additional roles all on the same server. When I installed, I didn’t use a service account and opted for the machine account. Delegation is set up.
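Below is an added example of the certutil -dspublish sequence that a cross-forest enrollment setup needs; it is not from the original post or from the Microsoft article, and the file names, the forest name accounts.example and the DC name dc1.accounts.example are placeholders for illustration. The idea is that every object the account forest (the one without the CA) needs to build the chain and to trust the CA for user logon is pushed into that forest's Configuration partition, targeted with -dc, and then checked from a client in that forest.

```powershell
# Added example (not part of the original post): publish a two-tier CA chain
# into the account forest so clients there can build the chain and DCs there
# trust the issuing CA for user certificates.
#
# Assumptions (placeholders, not from the post):
#   - the CA chain was exported to C:\PKI\ as RootCA.crt, RootCA.crl,
#     IssuingCA.crt, IssuingCA.crl
#   - dc1.accounts.example is a DC in the forest that is missing the objects
#   - this runs under an account with Enterprise Admin rights in that forest
#     (use "runas /netonly" or Enter-PSSession there if needed)

$DC         = 'dc1.accounts.example'
$Root       = 'C:\PKI\RootCA.crt'
$RootCrl    = 'C:\PKI\RootCA.crl'
$Issuing    = 'C:\PKI\IssuingCA.crt'
$IssuingCrl = 'C:\PKI\IssuingCA.crl'

# Root CA certificate -> Certification Authorities container (trusted roots)
# and the NTAuthCertificates object. -f overwrites an existing object.
certutil -dc $DC -dspublish -f $Root RootCA
certutil -dc $DC -dspublish -f $Root NTAuthCA

# Issuing (enterprise) CA certificate -> AIA container (SubCA) and NTAuth.
# Membership in NTAuthCertificates is what lets DCs in the account forest
# accept certificates from this CA for user/smart-card logon.
certutil -dc $DC -dspublish -f $Issuing SubCA
certutil -dc $DC -dspublish -f $Issuing NTAuthCA

# CRLs -> CN=CDP,CN=Public Key Services,... in that forest's Configuration
# partition. With no container argument certutil derives the container name
# from the CRL issuer, so the paths match the CDP extension in the certs.
certutil -dc $DC -dspublish -f $RootCrl
certutil -dc $DC -dspublish -f $IssuingCrl

# Checks, run from a machine joined to the account forest.
# 1) Is the issuing CA actually present in NTAuth there?
$NtAuth = 'ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,' +
          'CN=Configuration,DC=accounts,DC=example' +
          '?cACertificate?base?objectClass=certificationAuthority'
certutil -viewstore $NtAuth

# 2) Can the chain and the CRLs be fetched from the CDP/AIA URLs in the cert?
#    A "revocation server offline" or an untrusted-root line here means the
#    CRL or the root object was not published where the certificate points.
certutil -verify -urlfetch $Issuing
```

Re-run the two checks after AD replication has completed between the DCs of the account forest; clients cache the enterprise PKI containers, so `certutil -pulse` (or a reboot) on the test client forces it to pick up newly published objects.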