We have an RODC in a DMZ that is unable to request a KerberosAuthentication certificate. The request is made, but denied:
Log Name: Application
Date: 5/20/2019 4:14:45 PM
Event ID: 53
Task Category: None
Active Directory Certificate Services denied request 46875 because The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE). The request was for <domain>\RODC$. Additional information: Denied by Policy Module
Our issuing CA is a member server inside the domain. Everyone is running W2K12 R2.
Our DCs on the internal network have been issued KerberosAuthentication certificates. It's only the RODCs on the DMZ that are getting "Denied by Policy Module".
Our RODCs do have two other certificates (that have both auto-renewed since originally issued from this same CA). So I don't "think" it's a firewall issue.
I've found some discussions where it was recommended to update the membership of "CERTSVC_DCOM_ACCESS" on the CA. I've not changed anything yet, since none of our DCs are in that local group. Its only member is "NT AUTHORITY\Authenticated Users".
In those same discussions, there was a suggestion to check DCOM permissions on the CA. Our permissions match what was described. So strike #2.
Does anyone have any other suggestions of where things could be amiss?
I'm waiting to hear from our network engineer to make sure there's not a firewall issue I'm not aware of.