Tuki asked:
Certificate enrollment failure, RPC server is unavailable. 0x800706ba.

Hello,


I have inherited a system with two AD sites in different subnets.
Site A has two domain controllers, a Windows 2003 Std DC and a new DC with 2008 R2 Std installed.

Site B has one Windows 2008 std DC with CA service installed.

Windows Firewall has been disabled on all DCs.

Both site A DCs have problems with the domain controller certificate. The DC with the CA service installed has no problems obtaining a domain controller certificate.
The freshly promoted 2008 R2 DC in site A shows the following application log errors:

Event ID 13:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from servername.domain.dom\domain-servername-CA (The RPC server is unavailable.

0x800706ba (WIN32: 1722)).

Event ID 6:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

The old Windows 2003 DC event log shows:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.


The sites are connected with an ISP-provided connection.

I have googled and tried the following advice:



1. A) In the Certificate Templates snap-in, right-click the certificate template "Domain Controller Authentication" and ensure that the Domain Controllers and ENTERPRISE DOMAIN CONTROLLERS groups have the Enroll and Autoenroll permissions, and Authenticated Users has Read permission.

A: Yes, both are listed with correct rights.



   B) Verify that Authenticated Users is a member of the Certificate Service DCOM Access group.

A: Yes, Authenticated Users is listed in the Certificate Service DCOM Access group, as well as Domain Controllers, Domain Users and Domain Computers.



2. In my case, it was not sufficient to add the "Domain Controllers" to the Active Directory group. I additionally had to add the group in the Security settings of the CA itself. Open the CA management console from "Administrative Tools". Right-click the server name and select "Properties". Select Security and add the group "Domain Controllers". Select the checkbox "Request Certificates" and click OK.

A: Domain Controllers is already listed there with Read and Request rights.



3. Verify that CERTSVC_DCOM_ACCESS has been added to the DCOM Security Limits on the CA.

    a. Click on Start, then Programs, then Administrative Tools, then Component Services.

    b. Expand the Component Services node.

    c. Expand the Computers node.

    d. Right-click on My Computer and select Properties from the context menu.

    e. Click on the COM Security tab.

    f. Under Access Permissions, click Edit Limits.

    g. Verify that the CERTSVC_DCOM_ACCESS group has been granted Allow Local Access and Allow Remote Access permissions.

    h. Click Cancel.

    i. Under Launch and Activation Permissions, click Edit Limits.

    j. Verify that the CERTSVC_DCOM_ACCESS group has been granted Allow Local Activation and Allow Remote Activation permissions.

    k. Click Cancel.

    l. Click Cancel.

    m. Close Component Services.

A: I checked Component Services and both "Edit Limits" dialogs (Access Permissions and Launch and Activation Permissions) have the Certificate Service DCOM Access group listed with the correct rights.

4. Define Read and Execute permissions for Authenticated Users on C:\windows\system32\certsrv.

A: Yes, Authenticated Users has Read and Execute on the certsrv folder.

Long post, but the problem still exists. Help appreciated, thanks.
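The checks listed in the post are all done by hand in GUI dialogs. The script below is an added example, not code from the poster or from Experts Exchange, that runs the same checks from the failing DC and adds the one the post does not cover: whether the RPC path to the CA actually works across the WAN link. It assumes the placeholder CA host and CA name from the Event ID 13 text, and that the RSAT ActiveDirectory module is installed on the DC.

```powershell
# Added diagnostic script (not part of the original post). Run as an administrator
# on the DC that logs Event ID 13 / 6. Replace the placeholders with your own values.
$CAHost   = 'servername.domain.dom'           # placeholder: FQDN of the CA server in site B
$CAConfig = "$CAHost\domain-servername-CA"    # placeholder: CA config string from Event ID 13

# 1. Endpoint mapper reachability. DCOM/RPC to certsrv first hits TCP 135, then the
#    client connects to a dynamic high port (49152-65535 on Windows 2008 and later).
#    A WAN link that passes 135 but filters the dynamic range produces 0x800706ba
#    even with Windows Firewall disabled on both ends.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}
"TCP 135 to ${CAHost}: " + (Test-TcpPort $CAHost 135)

# 2. Full RPC round trip to the CA's ICertRequest interface (endpoint mapper plus the
#    dynamic port). If step 1 succeeds and this fails, suspect the dynamic-port range
#    on the ISP link or the DCOM limits the post already walked through.
certutil -config $CAConfig -ping

# 3. The DCOM access group membership, scripted instead of eyeballed. Note that a
#    computer account only picks up a new group after its Kerberos ticket is refreshed;
#    a reboot of that DC is the simplest way to force it.
Import-Module ActiveDirectory
Get-ADGroupMember 'Certificate Service DCOM Access' | Select-Object name, objectClass

# 4. Folder ACL on the CA's certsrv directory, read over the admin share.
Get-Acl "\\$CAHost\C$\Windows\System32\certsrv" | Format-List Owner, AccessToString

# 5. Trigger autoenrollment again and read back the newest autoenrollment events.
certutil -pulse
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 5 | Select-Object TimeCreated, Id, Message
```

Run steps 1 and 2 from the site A DC and compare with the same commands on the site B CA host itself; if only the remote run fails, the problem is on the path between the sites, not in the CA's permissions.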






