When using an external Management CA, an important configuration option is the web.reqcertindb in web.properties.
If this option is set to false, the administrator certificates issued by the Management CA do not have to be published into EJBCA.
However, if it is set to true, the certificates must not only be published into EJBCA but also be associated with an end entity.
It is not quite clear why the end entity must exist in this case. It makes keeping the admin certificates in sync harder, since matching end entities have to be present as well (i.e. simply publishing to the CertificateData table is not enough).
This should be investigated; perhaps the requirement could be dropped for web.reqcertindb=true, i.e. just rely on a valid certificate being present in the CertificateData table.
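To make the sync problem concrete, the following is an added illustration (not EJBCA code) that models the admin-certificate check described above under both settings of web.reqcertindb; the fingerprints, usernames and the two in-memory tables standing in for CertificateData and the end-entity records are constructed for the example, and the assumption that reqcertindb=false relies on TLS chain validation alone is the author's reading of the text, not a verified EJBCA behaviour.

```python
# Constructed model of how web.reqcertindb gates an administrator's client certificate.
# Not EJBCA code: the dicts stand in for the CertificateData table and end-entity records.

CERT_ACTIVE = "active"
CERT_REVOKED = "revoked"

# fingerprint -> {"status": ..., "username": ...}; username None means the certificate was
# inserted into CertificateData directly, with no end entity created (constructed sample data)
certificate_data = {
    "fp-admin-a": {"status": CERT_ACTIVE,  "username": "admin-a"},
    "fp-admin-b": {"status": CERT_ACTIVE,  "username": None},      # published, no end entity
    "fp-admin-c": {"status": CERT_REVOKED, "username": "admin-c"},
}
end_entities = {"admin-a", "admin-c"}


def admin_cert_accepted(fingerprint, reqcertindb, certs=certificate_data, entities=end_entities):
    """Return (accepted, reason) for a Management CA admin cert presented over TLS.

    reqcertindb=False: assumption for this model is that only the TLS-level chain check
    against the trusted Management CA applies, so the local database is not consulted.
    reqcertindb=True:  the certificate must be present in CertificateData, not revoked,
    and bound to an existing end entity (the requirement the text questions).
    """
    if not reqcertindb:
        return True, "trusted by TLS chain only; CertificateData not consulted"
    row = certs.get(fingerprint)
    if row is None:
        return False, "certificate not published in CertificateData"
    if row["status"] != CERT_ACTIVE:
        return False, "certificate revoked in CertificateData"
    if row["username"] is None or row["username"] not in entities:
        return False, "certificate not associated with an end entity"
    return True, "certificate present, active and bound to an end entity"


def certs_missing_end_entity(certs=certificate_data, entities=end_entities):
    """Active published certs that reqcertindb=true would still reject: the sync gap
    where a cert reached CertificateData but no matching end entity exists."""
    return sorted(fp for fp, row in certs.items()
                  if row["status"] == CERT_ACTIVE
                  and (row["username"] is None or row["username"] not in entities))
```

Running certs_missing_end_entity() against a real sync job's output is the check a practitioner would want before flipping web.reqcertindb to true.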