The *DCH Root CA* certificate needs to be trusted on all hosts, as most internal communication is secured with certificates it has issued.
Dustin