Managed Directory - Domain Controller Enrollment Failing - Smartcard RDP Auth fail


Hello. A little background: we are attempting to roll out a new stand-alone directory to enable smartcard RDP authentication for a pool of existing servers. I have deployed an AWS Managed Directory and a domain-joined Enterprise Root CA and set up the GPO/drivers required by our smartcard vendor. Where we are getting stuck is that it does not look like the domain controllers are receiving the new Kerberos/Domain Authentication certificate which was published. There is open communication between the DC and CA. I know that I can't just request the certificate from the domain controller Certificates snap-in. We published the template and set a group policy for enrolling the certificate, yet it does not appear in either of the DC certificate stores. Has anyone else run into this? Our smartcard RDP authentication is failing, I assume because Kerberos/DC auth is failing. It seems like the options for doing this outside of GPO are limited by AWS; are there any common issues which would prevent the DC from enrolling, and by extension cause smartcard RDP session auth to fail? Since this is a test setup before deploying to production, I am using a single-tier enterprise root CA, although we plan to use a 2-tier PKI for the final product.

1 Answer

Verify that the certificate template you are using has the following permissions for Domain Controllers: Read, Enroll, and Autoenroll.

Please refer to the documentation https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap_server_side.html#createcustomcert

Step 3: Create a certificate template

AWS
answered a year ago
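An added example, not from this thread or from AWS, that performs the permission check the answer describes from a domain-joined management host: it reads the template's ACL from the Configuration partition and reports whether the Domain Controllers group holds Read, Enroll and Autoenroll. It assumes the RSAT ActiveDirectory module is installed; the template name, the principal name and the NetBIOS domain taken from `$env:USERDOMAIN` are parameters you adjust.

```powershell
# Added example (not the re:Post answer's or AWS's own code): verify that a
# published certificate template grants a principal Read, Enroll and
# Autoenroll. Assumes RSAT ActiveDirectory module on a domain-joined host.
param(
    [Parameter(Mandatory)][string]$TemplateName,                 # CN of the template (assumed input)
    [string]$Principal = "$env:USERDOMAIN\Domain Controllers"    # assumed default principal
)
Import-Module ActiveDirectory

# Extended-right GUIDs defined in the AD schema for certificate enrollment.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00d2-2700-00c04f79dc55'  # Certificate-AutoEnrollment

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Fail fast if the template was never created in (or published to) the forest.
if (-not (Get-ADObject -Identity $templateDN -ErrorAction SilentlyContinue)) {
    throw "Template '$TemplateName' not found at $templateDN"
}

# Only Allow ACEs for the principal we care about.
$acl  = Get-Acl -Path "AD:\$templateDN"
$aces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal
}

# Read can come from GenericRead, ReadProperty or GenericAll.
$hasRead = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' })

# Enroll/Autoenroll are extended rights; an empty ObjectType means "all extended rights".
function Test-ExtendedRight([guid]$RightGuid) {
    [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
        ($_.ObjectType -eq $RightGuid -or $_.ObjectType -eq [guid]::Empty) })
}
$hasEnroll     = Test-ExtendedRight $EnrollGuid
$hasAutoEnroll = Test-ExtendedRight $AutoEnrollGuid

[pscustomobject]@{
    Template = $TemplateName; Principal = $Principal
    Read = $hasRead; Enroll = $hasEnroll; AutoEnroll = $hasAutoEnroll
}
if (-not ($hasRead -and $hasEnroll -and $hasAutoEnroll)) {
    Write-Warning "Missing rights: autoenrollment on the DCs will silently skip this template."
}
```

Because AWS Managed Microsoft AD does not let you log on to the domain controllers, the template ACL and the autoenrollment GPO are the only levers you control, so a false result here is the first thing to fix before looking at the CA.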
