Active Directory : Publish Third Party CA Certificate / Offline Standalone RootCA in Active Directory
In order to ensure that your certificate chain is valid when using an offline RootCA or a third-party RootCA, you must publish the CA certificate in Active Directory. This replicates the certificate to all machines in the domain, ensuring that the chain is valid for every client.
To achieve this, export the certificate in DER format and then use the following command to import it into AD:

certutil -dspublish -f file_name.cer RootCA
You can test replication by forcing a Group Policy refresh on a client; the certificate should be replicated as part of this operation.
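The whole procedure as one PowerShell script, added here as an example and not taken from the original page: it converts the exported certificate to DER, refuses to publish anything that is not a self-signed CA certificate, runs the certutil command above, confirms the object landed in the forest's Certification Authorities container, and then performs the client-side Group Policy refresh check. The $SourceCert parameter, the .der.cer output name and the helper function names are this example's own assumptions; run it as an Enterprise Admin on a domain-joined machine.

```powershell
# Added example (not from the original page). Assumes $SourceCert points at the
# exported RootCA certificate (PEM or DER); a DER copy is written next to it.
param(
    [Parameter(Mandatory)][string]$SourceCert,
    [switch]$SkipPublish   # set to run only the verification steps
)

function ConvertTo-DerCertificate {
    # X509Certificate2 loads both PEM and DER; Export('Cert') always yields raw DER.
    param([string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $derPath = [IO.Path]::ChangeExtension($Path, '.der.cer')
    [IO.File]::WriteAllBytes($derPath, $cert.Export('Cert'))
    return $cert, $derPath
}

function Test-IsRootCa {
    # Sanity check before writing to the RootCA container: self-signed and CA:TRUE.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    return ($Cert.Subject -eq $Cert.Issuer) -and $bc -and $bc.CertificateAuthority
}

function Test-RootCaPublished {
    # 'certutil -dspublish ... RootCA' writes into the forest's Certification Authorities
    # container; look the thumbprint up there on the DC this machine binds to.
    param([string]$Thumbprint)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = [adsisearcher]'(objectClass=certificationAuthority)'
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    [void]$searcher.PropertiesToLoad.Add('cACertificate')
    foreach ($r in $searcher.FindAll()) {
        foreach ($raw in $r.Properties['cacertificate']) {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            if ($c.Thumbprint -eq $Thumbprint) { return $true }
        }
    }
    return $false
}

$cert, $derPath = ConvertTo-DerCertificate -Path $SourceCert
$thumb = $cert.Thumbprint
if (-not (Test-IsRootCa $cert)) { throw "$SourceCert is not a self-signed CA certificate; not publishing it as RootCA." }
if (-not $SkipPublish) {
    & certutil -dspublish -f $derPath RootCA
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}
"Published in AD: $(Test-RootCaPublished $thumb)"
# Client-side check from the page: force a policy refresh, then look in the machine root store.
gpupdate /target:computer /force | Out-Null
$inStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb)
"Present in Cert:\LocalMachine\Root on ${env:COMPUTERNAME}: $inStore"
```

Because the AD lookup runs against whichever domain controller the machine binds to, a false result immediately after publishing can simply be replication lag between DCs; re-run the verification with -SkipPublish after a few minutes.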