CA configuration to publish certs in AD



My Enterprise Root CA can't publish certificates to AD which are issued
for users in the child domain. I receive the following warning in the
event log:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 02.10.2006
Time: 13:18:16
User: N/A
Computer: RootDomainDC
Description:
Certificate Services could not publish a Certificate for request 66 to
the following location on server ChildDomainDC: ChildDomainUser.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344). ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

The Enterprise Root CA is located on the DC in the root domain. I found
the following KB Article:
"Certification Authority configuration to publish certificates in Active
Directory of trusted domain" [Q281271]

In step number five - Delegate Control - on the child domain controller,
they describe how to add the "Cert Publishers" group from the parent
domain. But I can't add (find) this group, because the scope is set to
"domain local"!? I changed the scope to "universal" by using "dsmod" and completed steps five and six as described. However, the warning still appears!

I'm also confused about step number 3. I have only the Windows default exit module with the property "allow certificates to be published to the *file system*" and nothing like "...published in the *Active Directory*" as described in the KB article.

Thanks in advance
Patrik


