Background: DC1: 2008 R2, DC2: 2012 R2, Forest/Domain Level: 2008 R2. Existing 2008 Two Tier CA installed. New Install in parallel of 2012 R2 Two Tier CA. So I currently have two different CAs installed (Old 2008 CA, New 2012 R2 CA). I can issue certificates from the new 2012 R2 Sub-CA however they are not being published in AD.
Looking at the Event log on the 2012 R2 Sub-CA, I have the following: Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 11 to the following location on server DC2.domain.com: CN=Craig,OU=Employee,DC=domain,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).
ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Looking at PKIView > Manage AD Containers > Certification Authorities Container: I see the 2008 Root CA and an expired 2008 Sub CA certificate however I do not see the new 2012 R2 CAs listed. In the other tabs the 2012 R2 Sub-CA is listed where appropriate.
NOTE: When I first checked PKIView I found an error associated with the DeltaCRL Location #2 which has been resolved. I had a typo in the http url.
I checked some basic permissions which appear to be correct and ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, however I seem to be stuck with this error.
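An added PowerShell diagnostic (not from the original post) for the situation described above: publishing a certificate to a user object depends on the CA's computer account being in Cert Publishers and on that group actually holding write access to userCertificate on the target object. It assumes the RSAT ActiveDirectory module is available; SUBCA2012 is a placeholder for the new 2012 R2 Sub-CA host name, and the user DN and DC name are taken from the Event ID 80 message.

```powershell
# Added diagnostic, not from the original post. Names below are placeholders
# for the poster's environment; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$caComputer = 'SUBCA2012'                              # placeholder: 2012 R2 Sub-CA host
$targetUser = 'CN=Craig,OU=Employee,DC=domain,DC=com'  # DN from the Event ID 80 message
$dc         = 'DC2.domain.com'                         # DC named in the event

# 1. Is the CA's computer account in Cert Publishers (directly or through nesting)?
$caSid   = (Get-ADComputer -Identity $caComputer -Server $dc).SID
$pubSid  = (Get-ADGroup -Identity 'Cert Publishers' -Server $dc).SID
$members = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive -Server $dc
$inGroup = @($members | Where-Object { $_.SID -eq $caSid }).Count -gt 0
"Cert Publishers contains $caComputer : $inGroup"

# 2. Resolve the schemaIDGUID of userCertificate from the schema rather than hard-coding it.
$schemaNC = (Get-ADRootDSE -Server $dc).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Server $dc `
        -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$userCertGuid = [guid]$attr.schemaIDGUID

# 3. Look in the target user's DACL for an Allow ACE that lets Cert Publishers (or the
#    CA account itself) write userCertificate, and flag blocked inheritance (AdminSDHolder-
#    protected accounts lose the inherited Cert Publishers ACE).
$acl = Get-Acl -Path "AD:\$targetUser"     # the AD: drive talks to the session's default DC
"Inheritance blocked on object: $($acl.AreAccessRulesProtected)"
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allProps  = [guid]::Empty                 # ObjectType of all-zeros means "all properties"
$grants = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }                     # skip identities that do not resolve
    $coversAttr = ($ace.ObjectType -eq $userCertGuid) -or ($ace.ObjectType -eq $allProps)
    $canWrite   = ($ace.ActiveDirectoryRights -band $writeProp) -ne 0   # also true for GenericWrite/GenericAll
    if (($sid -eq $pubSid -or $sid -eq $caSid) -and $coversAttr -and $canWrite) { $ace }
}
if ($grants) {
    $grants | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
} else {
    "No ACE grants Cert Publishers or $caComputer write access to userCertificate on $targetUser"
}
```

If the CA's computer account has only just been added to Cert Publishers, the CA server needs a reboot before its Kerberos token carries the new group membership.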