In a case I worked recently, we discovered a side-effect of the new cross-forest enrollment functionality that was implemented in Windows 7 and Windows Server 2008 R2.
In short; by default W7 and W2k8 R2 clients in child domains need to be able to make UDP LDAP queries (CLDAP) against DC's in the root domain of the forest. If this is blocked the enrollment process is halted for those clients.
This is related to the Certificate Enrollment Policy for the forest, by default it is pointing to DC's in the root domain.
Another symptom of this is that running certutil -template on a Windows 7 or Windows Server 2008 R2 client will fail with the error code 0x80094004.
The workaround is relatively simple; either allow CLDAP queries from the clients to the Root DC's or add a new CEP that points to a W2k8 R2 Web Enrollment Server in the child domain (the latter requires the forest to be running the W2k8 R2 schema).
Note: On Windows 8/Windows Server 2012 clients the behaviour is slightly different in that it still attempts the connection to the root domain but it will use the information from a DC in the child domain if it fails to connect to DC's in the root.
White paper on Windows Server 2008 R2 Enrollment Web Services:http://blogs.technet.com/pki/archive/2009/09/15/certificate-enrollment-web-services-whitepaper.aspx
by this article I maybe found the reason for our behaviour. We have one forest with one child domain with seperated name spaces. Members in child domain are not able to communicate direct with root domain controller, due to firewalls. Auto enrollment policy is activated and if we try a gpupdate /force we got an ldap bind error. During investigatons with netmon, I saw that the member server tries a ldap query to root DCs. But this is blocked via firewalls on WAN conection. Is it possible to use still LDAP for CA, but to point to DCs in child domain?
Thank you in advance
The current behaviour in Windows 7/W2k8 R2 is that the client attempts to contact a DC in the forest root domain via UDP LDAP to verify the GUID of the forest.
I.e. if UDP LDAP is blocked between clients in the child domain to the forest root DC's then autoenrollment is also blocked for clients in the child domains unless you use one of the workarounds specified.