Article ID: 555183 - Last Review: August 23, 2004 - Revision: 1.0

Cert Publishers scope changed from Global to Domain Local in Windows Server 2003

SYMPTOMS

When you create a new domain by installing Windows Server 2003 as the first domain controller, the Cert Publishers group is created as a Domain Local group. However, in domains that were created as Windows 2000 domains and later upgraded to Windows Server 2003, the Cert Publishers group is a Global group. Note the following:

- In Windows 2000 domains, the Cert Publishers group has Global scope.
- In domains that were initially installed as Windows 2000 domains (that is, the first DC installed for the domain was a Windows 2000 DC) and later upgraded to Windows Server 2003, the group scope does not change and remains Global.
- In domains that were initially installed as Windows Server 2003 domains (that is, the first DC installed for the domain was a Windows Server 2003 DC), the group scope is Domain Local.

CAUSE

Initially, the Cert Publishers group was designed as a Global group. However, this design caused several issues when a single certification authority (CA) is used in a multi-domain environment. These issues are described in the Knowledge Base articles referenced below.

RESOLUTION

This behavior is by design.

MORE INFORMATION

Cert Publishers is a special group that is created automatically when a new Active Directory domain is installed. This group is granted permissions in its own domain that allow its members to publish certificates for user objects in Active Directory. When a certification authority (CA) is installed in a domain, its computer account is automatically added to the Cert Publishers group of that domain.

In Windows 2000, the Cert Publishers group was created as a Global group. This design required additional configuration to allow certificates to be published in a trusted-domain environment where the users requesting certificates and the CA issuing them are located in different domains.

Because the Cert Publishers group is only granted permissions in its own domain, when a user from another trusted domain requests a certificate, the issuing CA cannot publish that certificate: it does not have permission to modify the appropriate property of the user object in the trusted domain. Such scenarios required the additional manual configuration described in the following KB articles:

- 281271 Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
- 219059 Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain
- 300532 Windows 2000 Enterprise CAs Not Added to Certificate Publishers Group in Windows Server 2003 Domain

In Windows Server 2003, the Cert Publishers group is created with Domain Local scope. Because objects from other domains can be added to a group with Domain Local scope, the additional configuration referenced above is no longer required. You can now add the computer account of the certification authority (CA) to the Cert Publishers group of any trusted domain, and that grants the certification authority permission to publish certificates for users in that domain.

APPLIES TO
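The following script is an added example and is not part of the KB article. It shows how an administrator can check which of the two scopes the Cert Publishers group has in a given domain and, only when the scope is Domain Local, add the computer account of a CA from another domain in the same forest, as the article describes. It uses the ActiveDirectory PowerShell module (RSAT) rather than the Windows Server 2003-era command-line tools; the domain names `corp.example` and `child.corp.example`, the CA host name `CA01`, and the assumption that both domains belong to one forest are all illustrative.

```powershell
# Added example, not from KB 555183: check the scope of Cert Publishers in a target
# domain and, if it is Domain Local, add a CA computer account from a trusted domain.
# Assumptions: ActiveDirectory module available, both domains in the same forest,
# and the names below are placeholders.
#Requires -Modules ActiveDirectory

$TargetDomain = 'child.corp.example'   # domain whose users will receive certificates (assumed)
$CaDomain     = 'corp.example'         # domain holding the CA computer account (assumed)
$CaHostName   = 'CA01'                 # CA computer name without the trailing $ (assumed)

# Resolve the group in the target domain; GroupScope is returned by default.
$group = Get-ADGroup -Identity 'Cert Publishers' -Server $TargetDomain
Write-Output "Cert Publishers in $TargetDomain has scope: $($group.GroupScope)"

switch ($group.GroupScope) {
    'DomainLocal' {
        # Domain Local scope (domain first installed as Windows Server 2003): accounts from
        # other trusted domains may be members, so the manual steps in KB 281271 / 219059
        # are not needed. Resolve the CA computer account in its own domain...
        $ca = Get-ADComputer -Identity "$CaHostName`$" -Server $CaDomain
        # ...and add it to the target domain's group. -WhatIf previews the change;
        # remove it to apply the membership.
        Add-ADGroupMember -Identity $group -Members $ca -Server $TargetDomain -WhatIf
    }
    'Global' {
        # Global scope (Windows 2000 domain, including one later upgraded to Windows
        # Server 2003): a Global group cannot hold accounts from other domains, so the
        # cross-domain CA cannot be added here; the KB articles above apply instead.
        Write-Warning "Global scope: cross-domain membership is not possible; see KB 281271 and 219059."
    }
    default {
        Write-Warning "Unexpected scope '$($group.GroupScope)'; review the group before changing it."
    }
}

# Membership in Cert Publishers grants write access to certificate attributes on user
# objects, so list the current members (by DN) to make unexpected accounts visible.
# Reading the Member attribute avoids Get-ADGroupMember's trouble with foreign members.
(Get-ADGroup -Identity $group -Server $TargetDomain -Properties Member).Member
```

Run it from a management host that can reach domain controllers in both domains, with an account allowed to modify group membership in the target domain. The final listing is worth keeping as a periodic check: any member of Cert Publishers other than the expected CA computer accounts deserves investigation, because that membership carries the publishing rights the article describes.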