I get a certificate error when browsing to /certsrv/ while trusted root cert is installed

Try certutil -pulse - this should check for templates the system has permission in, and enroll them. It should have no problem grabbing the certificate, as long as there's nothing crazy going on in the permissions settings on the template.

You'll definitely want to have your DCs have a Domain Controller-style certificate (Domain Controller is the old one; Domain Controller Authentication then Kerberos Authentication supersede it; if your CA is running enterprise edition, then consider switching to the newer Kerberos template) - while a lot of the functions that it satisfies will be handled by a Computer certificate, some of the DC-specific stuff like smart card authentication, the LDAP/SSL listener (I believe?), and with the newer Kerberos certificate, strong KDC validation, need the special certificate.

kce, what the previous poster is hinting at is to verify the properties of the Machine template. It can be found at the 'Certificate Templates' snap-in. Find that template's properties and on the 'Subject Name' tab are the settings on how the Subject Name should be provided to the CA (e.g. 'Supplied in the request' or 'Built from information in Active Directory'.