I have a two-tier PKI infrastructure with an offline root CA and two Enterprise Intermediate Certification Authorities set up to auto-enroll certificates. I have set up auto-enrollment in the default domain GPO within Active Directory for machine certificates. The DirectAccess servers have a machine certificate from the first PKI server.
My issue is that if a client machine auto-enrolls a certificate from the second PKI server, DirectAccess doesn't work. Even though both PKI servers should be chaining off the same root, DirectAccess only works when the machine certs are issued from PKI01, the same server the DirectAccess servers' certificate is issued from.
If I have a machine certificate from each PKI on the DirectAccess servers it fails, so I can only have one machine certificate.
Any ideas? Thanks, Steve
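A diagnostic for the situation described above, added here as an example and not part of the original post: it walks every machine certificate in the local computer store, builds its chain with online revocation checking, and reports the issuing CA, the root thumbprint and any chain status errors, so a client enrolled from PKI02 can be compared side by side with one enrolled from PKI01. The CA names PKI01 and PKI02 are taken from the post; nothing else is assumed.

```powershell
# Added example (not from the original post): compare how each machine certificate
# chains. Run on a DirectAccess server and on a client enrolled from PKI02, then
# compare RootThumb (must match) and Status (must be empty on both).
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Check revocation online for the end-entity and intermediate, but skip the
    # offline root, which has no reachable CRL by design.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $built    = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root     = $elements[-1]

    # Each chain element carries its own status; collect them so an intermediate
    # problem (missing CRL, untrusted issuer) is attributed to the right certificate.
    $elementStatus = foreach ($el in $chain.ChainElements) {
        foreach ($s in $el.ChainElementStatus) {
            '{0}: {1}' -f $el.Certificate.Subject, $s.Status
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        IssuedBy   = $cert.Issuer            # expect CN=PKI01 or CN=PKI02 here
        ChainBuilt = $built
        Depth      = $elements.Count         # 3 for leaf -> intermediate -> root
        RootThumb  = $root.Thumbprint        # should be identical for both PKIs
        Status     = ($elementStatus -join '; ')
    }

    $chain.Reset()
} | Format-List
```

If the PKI02 chain builds but reports a revocation or untrusted status on the intermediate, that points at CRL distribution or trust store placement for that intermediate rather than at the root.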