This seems to work, in that each server has gone through the auto-enrollment process.
The problem is that when I connect with an RDP client, I receive a certificate warning stating:
A revocation check could not be performed for the certificate
Looking at the certificate details, I can see it's the correct certificate for the machine, and it has been signed by the CA root, which I have installed and trusted. The CRL Distribution Points entry on the certificate states:
URL=ldap:///CN=domain-ad-CA,CN=host,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
The root CA cert has no CRL location listed.
At a guess, the client is attempting to contact the LDAP URL and failing, but it's not clear why this should be. How do I get the client to perform revocation checks?
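As an added diagnostic (editor's example, not part of the original question), the script below takes the server certificate exported to a .cer file, pulls the URLs out of its CRL Distribution Points extension, and checks whether this client can plausibly reach each one before handing the certificate to certutil -verify -urlfetch, which makes the Windows chain engine fetch every CDP and AIA URL itself and report which retrieval fails. One caveat worth knowing for a host-less ldap:/// CDP like the one above: it is a "serverless" LDAP reference that the client resolves against its own domain, so it can only be fetched by a domain-joined client that can reach a domain controller on TCP 389; a non-domain RDP client has no way to resolve it. The certificate path, the 10-second HTTP timeout and the file-export step are assumptions of this example.

```powershell
# Added diagnostic example; not code from the original post.
# Assumptions: the RDP server certificate has been exported to a .cer file
# (e.g. from the warning dialog: View certificate -> Details -> Copy to File),
# and certutil.exe is available (it ships with Windows).

param(
    [Parameter(Mandatory = $true)]
    [string] $CertPath   # path to the exported server certificate (.cer)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer : $($cert.Issuer)"

# 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'Certificate carries no CRL Distribution Points extension; clients cannot check revocation at all.'
    return
}

# Pull every URL= entry out of the rendered extension text.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    Write-Host "`nCDP: $url"
    if ($url -like 'ldap:///*') {
        # Host-less ldap:/// is a serverless binding resolved against the client's own
        # domain: it only works on a domain-joined client that can reach a DC on TCP 389.
        try {
            $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
            $ok = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host "  Domain controller $dc reachable on 389: $ok"
        } catch {
            Write-Warning '  This client is not domain-joined (or cannot locate a DC); an ldap:/// CDP cannot be resolved from here.'
        }
    } elseif ($url -like 'http://*') {
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host "  HTTP $($resp.StatusCode) from $url"
        } catch {
            Write-Warning "  Could not fetch $url : $($_.Exception.Message)"
        }
    } else {
        Write-Host '  (scheme not probed by this script)'
    }
}

# Let the platform chain engine fetch every AIA/CDP URL and report the result per URL.
# Entries marked Failed show which distribution point the client could not retrieve.
Write-Host "`ncertutil -verify -urlfetch output:"
certutil -verify -urlfetch $CertPath
```

Run it on the RDP client that shows the warning, not on the server: the point is to see the fetch fail from the client's network and domain context. If the script reports that the client is not domain-joined or cannot reach a DC on 389, the ldap:/// CDP is unreachable by design for that client, and the certificate would need an additional http:// CDP (published by the CA) for revocation checking to succeed there.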