the rpc server is unavailable 0x800706ba (win32: 1722 rpc_s_server_unavailable) when enrolling certificates to MS Certificate Authority

Backstory:
In order to issue certificates to local domain systems, a Systems Admin stood up a MS CA instance on a Server 2012R2 server which was also one of two Domain Controllers for the domain. The initial CA was not correct, so he rebuilt it on the SAME machine using a different CA name. When things didn't go right again, he rebuilt a third instance on the SAME computer, again giving it a new name. There were three root authorities, CA, CA-1, and CA-2, one of which actually worked most of the time.

The first time I noticed that there was a problem was when I was tasked with configuring the domain for Multi-Factor Authentication and auto-enrollment of computers and users. I knew nothing about CAs, so I took to reading and discovered that the first SA had installed the root authority in the wrong place. After reading MS articles and papers about moving from one computer to another, I stood up a Server 2016 instance and restored the CA-2 onto the new computer. I removed MSCA from the DC and went through the steps of decommissioning the old CA server by removing the entries in Sites and Services. When I run certutil, I get only one entry in the dump and it is the correct server. Web services have been operating fine and certificates are validated at the CA. As far as I knew, I had successfully relocated the Cert Authority to a new server off of the DC.

I used the CA to issue a cert to our Exchange Server and everything was fine for almost a year. Recently, after restarting the exchange server for updates, there began to be errors on the server and mail was not flowing. The errors pointed to SSL cert problems. During troubleshooting, we found that certificate renewal was not taking place. I then attempted to auto-enroll a different computer and it failed. I then attempted a manual enrollment, and that too failed.

The errors are all the same, RPC errors (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
On the Exchange Server, the event IDs are 82 and 16.
On the client the errors are Event IDs 82 and 13.

Per various articles I have verified that port 135 is open in both directions between server and clients. I have verified that the Domain Users, Domain Computers, and Domain Controllers groups are in the Certificate Service DCOM Access local group. I also ran the certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATE_FLAG command, which did not appear to change anything when I compared the getreg results before and after. In order to ensure that traffic was indeed getting to the CA server, I ran Wireshark and watched the connections take place. There is an error during the transaction at which point I am stuck. The message "nca_s_fault_access_denied" is in the data. All my searches regarding this error point back to the same results as I have already gone through, excepting one search which recommended running dcomcnfg and verifying proper group permissions were set, which they were.

I am at a loss and would be grateful for any knowledge someone can supply.

If I must restart with a new CA, is there a way to keep from re-issuing the certs already issued by this current one by keeping the root cert valid until I can get everything moved over?

Thank you
Update - I was successful in enrolling a user certificate. There is no change in the problem with computer certificates, from clients or the DCs.
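The checks described in the question (CA entries in AD, TCP 135 reachability, an RPC ping of certsvc, membership of the Certificate Service DCOM Access group, and the enrollment event IDs) collected into one read-only diagnostic script. This is an added example, not code from the original post; the CA hostname, the "host\CA name" config string and the CertEnroll event provider name are assumptions and placeholders.

```powershell
# Added diagnostic script (not from the original post). Run elevated, as a
# domain admin, on a client whose computer enrollment fails. Read-only.
param(
    [string]$CaHost   = 'ca01.corp.example',               # placeholder CA hostname
    [string]$CaConfig = 'ca01.corp.example\Contoso-CA-2'   # placeholder "host\CA name"
)

# 1. Which CAs does this client discover in AD? Expect exactly one entry, the
#    relocated CA. A stale entry for the decommissioned DC-hosted CA would send
#    enrollment requests to a host that no longer runs certsvc.
Write-Host "== CA entries published in AD =="
certutil -dump | Select-String -Pattern 'Config', 'Server', 'Name'

# 2. Is the RPC endpoint mapper (TCP 135) reachable? Enrollment first hits 135
#    and is then redirected to a dynamic RPC port, so the CA's dynamic range
#    must also be open on any firewall in the path, not only 135.
Write-Host "== TCP 135 to $CaHost =="
Test-NetConnection -ComputerName $CaHost -Port 135 |
    Select-Object ComputerName, TcpTestSucceeded

# 3. Ask certsvc over RPC whether it is alive. An access-denied result here
#    (rather than a timeout) points at DCOM/RPC authorization, not the network,
#    which matches the nca_s_fault_access_denied seen on the wire.
Write-Host "== certutil -ping =="
certutil -config $CaConfig -ping

# 4. On the CA itself: who may make DCOM calls to certsvc? Domain Computers and
#    Domain Controllers must be present for machine enrollment, Domain Users
#    for user enrollment (user enrollment working while machine enrollment
#    fails is consistent with a gap here). Uses PowerShell remoting.
Write-Host "== Certificate Service DCOM Access members on $CaHost =="
Invoke-Command -ComputerName $CaHost -ScriptBlock {
    Get-LocalGroupMember -Group 'Certificate Service DCOM Access' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 5. Recent enrollment failures on this client (event IDs named in the post).
#    Provider name is an assumption for the CertificateServicesClient source.
Write-Host "== CertEnroll events 13 and 82 (last 24h) =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 13, 82
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Compare the group membership in step 4 against the identity shown in the event messages from step 5; a machine account that enrolls as a principal not covered by the listed groups will fail with the same RPC error even though port 135 is open.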