When deploying Cross-forest Certificate Enrollment with Windows Server 2008 R2, one of the steps is to add the issuing CA to the "Cert Publishers" group in each domain that will auto-enroll with the new CA. I ran into a small issue at a client where that wasn't possible, because the "Cert Publishers" group was a domain global group, which can only contain members from the domain in which the group exists.
To get around this, you have to change the "Cert Publishers" group to a domain local group. That is the default for all domains created as Windows Server 2003 or newer, but in Windows 2000 domains it was created as a domain global group. This design change is detailed in this KB article.
The UI does not allow you to change the scope of this group, but the scope can still be changed with dsmod. Use the following syntax:
dsmod group <DN of Cert Publishers Group> -scope l
For example:
dsmod group "CN=Cert Publishers,CN=Users,DC=domain,DC=com" -scope l
Full details on using dsmod to change the scope can be found here.
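The same check and conversion, as an added PowerShell example that is not part of the original post: it reads the current scope of the group before touching it, and, because Active Directory does not convert a global group directly to domain local, it steps through universal scope first when the group is still global. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, the caller can modify the group, and $Domain is a placeholder for the target domain.

```powershell
# Added example: verify and, if needed, convert the scope of "Cert Publishers".
# Assumes the ActiveDirectory module; $Domain is a placeholder for the real domain.
Import-Module ActiveDirectory

$Domain = "domain.com"   # placeholder: the domain whose Cert Publishers group is checked

# Look the group up by its sAMAccountName against a DC of the target domain.
$group = Get-ADGroup -Identity "Cert Publishers" -Server $Domain
Write-Host "Group: $($group.DistinguishedName)"
Write-Host "Current scope: $($group.GroupScope)"

if ($group.GroupScope -eq 'DomainLocal') {
    # Nothing to do: a domain local group can hold CA accounts from trusted forests.
    Write-Host "Already domain local; no change needed."
}
else {
    if ($group.GroupScope -eq 'Global') {
        # Global -> DomainLocal is not a permitted direct conversion in AD,
        # so convert to Universal first (same two-step sequence with dsmod -scope u).
        Set-ADGroup -Identity $group -GroupScope Universal -Server $Domain
    }
    # Universal -> DomainLocal has no restrictions.
    Set-ADGroup -Identity $group -GroupScope DomainLocal -Server $Domain

    # Re-read the object to confirm the change actually landed.
    $group = Get-ADGroup -Identity $group.DistinguishedName -Server $Domain
    Write-Host "Scope is now: $($group.GroupScope)"
}
```

If the intermediate step fails with a constraint violation, the group is still a member of another global group, which must be resolved before the scope can change.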