Error: the RPC server is unavailable. 0x800706ba

    Question

  • I have a domain controller that is also a CA running Windows 2008 R2 Enterprise SP1.

    Any attempt to enroll a certificate remotely fails with: “Error: the RPC server is unavailable. 0x800706ba (WIN: 1722)”

    The only thing I can think of that has changed is the firmware on the network and iLO, which are on the same port. The server is an HP DL320 G6. All other communication is working.

    I checked the security settings in COM security; the settings are correct. The members of the group Users are correct.

    Any other ideas?

    Thursday, August 08, 2013 10:41 PM

Answers

  • Hi,

    you should check if you can ping the server with its Windows hostname and with the fully qualified name. Also check if the firewall is activated or not.

    If you run the ping it is not important to see replies, but for both pings you should see that it is pinging the same IP address. And that IP address must be the IP of your CA server. Run the ping from the same machine where you see the 1722 error and from one other machine as well (as verification).

    Then run certutil.exe -ping Windowshostname and certutil -ping fqdn from those machines as well. If OK, you should see this:

    Connecting to  ...
    Server "yourCAname" ICertRequest2 interface is alive
    CertUtil: -ping command completed successfully.

    Regards,

    Lutz

    • Marked as answer by Carl Maschke Friday, August 09, 2013 4:18 PM
    Friday, August 09, 2013 1:11 AM
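The checks in the answer above, scripted as an added example (not part of the original thread): resolve the CA's short name and FQDN, confirm both give the same address and that it is the CA's, then run certutil -ping against each name. It assumes PowerShell 2.0 or later on the machine that gets error 1722 and certutil.exe on PATH; the CA name, FQDN and address at the top are placeholders.

```powershell
# Added example, not part of the original thread: automates the checks in the
# answer above (same IP for short name and FQDN, that IP is the CA's, and
# certutil -ping against both names). Assumptions: run on the machine that gets
# error 1722, PowerShell 2.0+, certutil.exe on PATH. The three values below are
# placeholders.
$ShortName  = 'CA01'               # placeholder: NetBIOS name of the CA
$Fqdn       = 'ca01.corp.example'  # placeholder: FQDN of the CA
$ExpectedIP = '10.0.0.5'           # placeholder: the CA's real IPv4 address

function Resolve-IPv4 {
    param([string]$Name)
    try {
        # Same resolver path ping uses: hosts file, DNS, then NetBIOS/LLMNR.
        [System.Net.Dns]::GetHostAddresses($Name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        @()   # resolution failed; the caller treats an empty result as a failure
    }
}

function Test-CertutilPing {
    param([string]$Target)
    # certutil -ping opens the CA's ICertRequest DCOM interface: TCP 135 to the
    # endpoint mapper, then a dynamic RPC port. A firewall dropping either shows
    # up here as 0x800706ba even when ICMP and file sharing still work.
    $out = (& certutil.exe -ping $Target 2>&1) | Out-String
    return ($out -match 'interface is alive')
}

$report = foreach ($name in @($ShortName, $Fqdn)) {
    $ips = @(Resolve-IPv4 $name)
    New-Object PSObject -Property @{
        Name       = $name
        Resolved   = ($ips -join ',')
        IsExpected = ($ips -contains $ExpectedIP)
        CertutilOK = (Test-CertutilPing $name)
    } | Select-Object Name, Resolved, IsExpected, CertutilOK
}
$report | Format-Table -AutoSize

# Order of blame: a wrong address is a DNS/hosts/WINS problem and must be fixed
# first; correct addresses with a dead certutil -ping point at a firewall.
if (@($report | Where-Object { -not $_.IsExpected }).Count -gt 0) {
    Write-Warning "A name does not resolve to $ExpectedIP. Fix DNS, hosts or WINS before looking at the firewall or DCOM."
} elseif (@($report | Where-Object { -not $_.CertutilOK }).Count -gt 0) {
    Write-Warning "Names resolve correctly but certutil -ping fails. Suspect a firewall between this host and the CA (TCP 135 plus the dynamic RPC range)."
}
```

Run it once on the failing machine and once on a working one; if the Resolved column differs between the two hosts, the problem is in name resolution on the failing host, not on the CA.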

All replies

  • Hello,

    RPC errors are often caused by firewall rules, so disable all firewall rules and check again. If it works you are sure it's the firewall.

    Also make sure to use ONLY the domain DNS servers on ALL domain machines and NOT external ones like the ISP's DNS server. Please post an unedited ipconfig /all from the DC/DNS servers and one client with problems.

    Keep in mind that CA on DCs is not recommended, a CA should always run on domain member servers instead.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, August 09, 2013 6:38 AM
  • Hi Carl,

    Here are some good articles about troubleshooting RPC errors:

    How IT Works

    http://technet.microsoft.com/en-us/magazine/2007.07.howitworks.aspx

    Troubleshooting AD Replication error 1722: The RPC server is unavailable

    http://support.microsoft.com/kb/2102154/en-gb

    I hope this can help you solve your problem!

    Best Regards,

    Amy Wang

    Friday, August 09, 2013 1:07 PM
    Moderator
  • This is usually caused by one of the following:

    1. Blocked or filtered ports. The needed ports are in this blog and you can use PortQryUI to check them: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
    2. Local security software: you can disable it temporarily for checks
    3. DNS resolution: make sure that you are able to do DNS resolution properly using nslookup

    As Meinolf mentioned, it is not recommended to have a CA on a DC.

    For more details, consider asking them in the Security forum: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity&filter=alltypes&sort=lastpostdesc

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, August 09, 2013 2:31 PM
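Point 1 above (blocked or filtered ports) is the one that is hardest to see from a ping, because enrollment uses TCP 135 to the RPC endpoint mapper and then a dynamic RPC port that the CA's certsrv.exe listens on. The script below is an added example, not from the thread or from PortQryUI: with -OnCA it runs on the CA and lists the TCP ports certsrv.exe is listening on; without it, it runs on the client and does plain TCP connects to 135 plus the ports found in the first phase, which tells a firewall drop (timeout) apart from a wrong address or closed port (refused). Script name, parameters and the host name used in the usage note are placeholders; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not part of the original thread. Phase 1 (-OnCA) runs on the CA
# and lists the TCP ports certsrv.exe listens on; 135 belongs to the endpoint
# mapper (svchost) and is always needed in addition. Phase 2 runs on the client
# and does a plain TCP connect to each port. Names and parameters are placeholders.
param(
    [string] $CAHost,           # client side: CA host name or IP to test against
    [int[]]  $Ports = @(135),   # client side: 135 plus the ports phase 1 reported
    [switch] $OnCA              # run phase 1 on the CA itself
)

function Get-CertsrvListeningPorts {
    # netstat -ano prints the owning PID; keep LISTENING rows owned by certsrv.exe.
    $certsrv = Get-Process -Name certsrv -ErrorAction SilentlyContinue
    if (-not $certsrv) { throw 'certsrv.exe is not running on this host' }
    $ports = @()
    foreach ($line in (netstat -ano -p tcp)) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[3] -eq 'LISTENING' -and [int]$f[4] -eq $certsrv.Id) {
            # local address is 0.0.0.0:49154 or [::]:49154; keep the port only
            $ports += [int]($f[1] -replace '^.*:(\d+)$', '$1')
        }
    }
    $ports | Sort-Object -Unique
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'TIMEOUT (silently dropped: typical of a firewall)'
        }
        $client.EndConnect($async)
        return 'OPEN'
    } catch {
        # RST, ICMP unreachable or a resolution failure: host answered, so the
        # path is not filtered, but the port or name is wrong.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        return "FAILED: $msg"
    } finally {
        $client.Close()
    }
}

if ($OnCA) {
    Write-Output 'certsrv.exe listens on TCP ports:'
    Get-CertsrvListeningPorts
    Write-Output 'Test these from the client together with 135 (RPC endpoint mapper).'
} else {
    if (-not $CAHost) { throw 'Specify -CAHost, or run with -OnCA on the CA' }
    foreach ($p in $Ports) {
        New-Object PSObject -Property @{
            Target = $CAHost; Port = $p; Result = (Test-TcpPort -Target $CAHost -Port $p)
        } | Select-Object Target, Port, Result
    }
}
```

Usage (placeholder names): on the CA, `.\Test-CAPorts.ps1 -OnCA` prints for example 49154; on the client, `.\Test-CAPorts.ps1 -CAHost ca01.corp.example -Ports 135,49154`. A TIMEOUT on 135 or on the certsrv port while ICMP still answers is exactly the pattern described in this thread, and the dynamic port can change after a reboot, so re-run phase 1 before trusting an old port list.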
  • Hello,

    Make sure your CA is reachable and has correct DNS records (DNS name resolution).

    Also make sure the applicable firewall exceptions are enabled.

    Refer: Firewall Rules for Active Directory Certificate Services

    http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

    Devaraj G | Technical solution architect

    Friday, August 09, 2013 2:53 PM
  • The firewall is enabled and was only supposed to block one small range of addresses. I toggled some firewall settings and now things are working again. It is rather embarrassing that I did not check the firewall first. The server was reachable in all other ways, even ICMP.

    I also updated all HP software on the server; however, I do not think that is what fixed the issue.

    Friday, August 09, 2013 4:15 PM
  • Hello,

    good to hear that you found it. Thanks for the feedback.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, August 10, 2013 2:48 PM