Child domain new cert request - certificate template permissions do not allow current user to enroll 0x80094012


Is the user a member of a security group that has Read and Enroll permission on the certificate template? That is required.

Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29

When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.

However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used.
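The check described in this answer, as an added example (not from the original answer or from Microsoft's documentation): run it as the user who will invoke certreq.exe. It assumes the RSAT ActiveDirectory module is installed and uses the WebServer template name from the question's .inf.

```powershell
# Added example: list who holds Read + Enroll on a certificate template and test whether
# the current user's token (the identity certreq.exe enrolls as) contains one of them.
# Assumptions: RSAT ActiveDirectory module present; template name taken from the question.
Import-Module ActiveDirectory

$TemplateName = 'WebServer'
$ADR          = [System.DirectoryServices.ActiveDirectoryRights]
$EnrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# Templates live in the forest-wide Configuration partition, so every domain in the
# forest (a child domain included) sees the same template object and the same ACL.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$aces = (Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $rights = $_.ActiveDirectoryRights
        # Read: the ReadProperty bit (GenericRead and GenericAll both include it).
        $canRead = ($rights -band $ADR::ReadProperty) -ne 0
        # Enroll: an ExtendedRight ACE scoped to the Enrollment GUID, or an unscoped
        # ExtendedRight/GenericAll ACE (empty ObjectType means all extended rights).
        $canEnroll = (($rights -band $ADR::ExtendedRight) -ne 0) -and
                     ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{ Identity = $_.IdentityReference.Value; Read = $canRead; Enroll = $canEnroll }
    }

# The GUI writes Read and Enroll as separate ACEs, so merge per identity before judging.
$report = $aces | Group-Object Identity | ForEach-Object {
    [pscustomobject]@{
        Identity = $_.Name
        Read     = @($_.Group.Read)   -contains $true
        Enroll   = @($_.Group.Enroll) -contains $true
    }
}
$report | Sort-Object Identity | Format-Table -AutoSize

# Compare against the current user's token: certreq.exe enrolls as the *user*, so the
# computer account's memberships do not help here even with MachineKeySet=TRUE.
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Name) + @($me.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value } })

$granting = $report | Where-Object { $_.Read -and $_.Enroll -and $myNames -contains $_.Identity }
if ($granting) {
    "OK: $($me.Name) has Read + Enroll on '$TemplateName' via: $($granting.Identity -join ', ')"
} else {
    "No Read + Enroll path for $($me.Name) on '$TemplateName'; certreq -submit will return 0x80094012"
}
```

Identities in the output are in DOMAIN\Group form, so a child-domain group such as OTHER\Domain Admins is distinguishable from the parent's MYDOM\Domain Admins at a glance.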


Author: morleyc

Updated on September 18, 2022

Comments

  • morleyc
    morleyc almost 2 years

    I have the following AD configuration:

    rootca (standalone not domain connected)

    • mydom.local
      • dc1.mydom.local
      • svr1.mydom.local
      • subca.mydom.local(enterprise subordinate CA)
      • other.mydom.local
        • dc1.other.mydom.local
        • svr1.other.mydom.local

    I can register webserver certificates OK for svr1.mydom.local, however I log into svr1.other.mydom.local with the child domain administrator and I get the following error:

    Permissions on the certificate template do not allow the current user to enroll for this type of certificate (0x80094012)

    I think this must be related to permissions; however, I am not sure how to proceed. What is the best practice to allow child domain administrators to request certificates from the subordinate CA located in the parent domain?

    My inf file is below:

    [NewRequest]
    Subject="CN=svr1.other.mydom.local"
    Exportable=TRUE
    KeyLength=2048
    KeySpec=1
    MachineKeySet=TRUE
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
    [RequestAttributes]
    CertificateTemplate = WebServer
    

    and I am running the following commands on svr1.other.mydom.local as [email protected] below:

    certreq -new c:\svr1.inf c:\svr1.req
    certreq -submit c:\svr1.req c:\svr1.cer ; I get the error here
    
  • morleyc
    morleyc almost 12 years
    Thanks, the user requesting is the child domain administrator. Looking at the template permissions I see Enterprise Admins and Domain Admins; is it acceptable/good practice to add the child domain admin group to these permissions?
  • Greg Askew
    Greg Askew almost 12 years
    I'm not sure if this is a good-practice scenario. Seems like the only option for someone to use a template to enroll a cert is to have permission to do so. It's not as if you have another choice for where the templates are located or which template location to use.