Certificate (auto)enrollment works for all servers and clients except for domain controllers


  • Thursday, July 05, 2012 6:42 AM

    I have been in the process of setting up a PKI with root and issuing CAs. The (auto)enrollment works perfectly, except for the DCs in the environment. The error in the application log is: The RPC server is unavailable. 0x800706ba (WIN32: 1722).

    Why can't the DCs connect to the CA server, while the other servers and clients can? What am I overlooking?

    Regards,
    Stephan


    You know you're an engineer when you have no life and can prove it mathematically

All Replies

  • Thursday, July 05, 2012 7:08 AM
     Answered

    When giving "Domain Controllers" explicit permissions in the local security settings (via GPO) "DCOM: Machine Access Restrictions in Security Descriptor Definition Language" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language", the RPC error disappears. Now the event changes to: Access is denied. 0x80070005 (WIN32: 5)

    After making the "Domain Controllers" group a member of the "Certificate Service DCOM Access" group and rebooting the CA servers, it works!
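    As an added example (not code from this thread or from Microsoft), the script below checks, on the issuing CA host, the two settings the reply above changed: the machine-wide DCOM restriction SDDL that the GPO settings "DCOM: Machine Access Restrictions ..." and "DCOM: Machine Launch Restrictions ..." write to the registry, and membership of the "Certificate Service DCOM Access" group. It assumes a CA on a member server (on a CA hosted on a DC the group is the domain group CERTSVC_DCOM_ACCESS instead), an elevated Windows PowerShell session, and that the SDDL right bits map as the DCOM security descriptors use them (LC = remote access in the access SDDL, RP = remote activation in the launch SDDL). $CaHost and $DomainNetbios are placeholders for your environment.

```powershell
<#
 Added example, not part of the thread. Run elevated on the issuing CA.
 Reports whether a domain controller's computer account is allowed through
 the DCOM machine restrictions and is in "Certificate Service DCOM Access".
#>
param(
    [string]$CaHost        = $env:COMPUTERNAME,   # issuing CA (assumed local)
    [string]$DomainNetbios = $env:USERDOMAIN,     # NetBIOS domain name (assumed)
    [switch]$Fix                                  # add the group if it is missing
)

$ntDc  = "$DomainNetbios\Domain Controllers"
$sidDc = ([System.Security.Principal.NTAccount]$ntDc).Translate(
            [System.Security.Principal.SecurityIdentifier])

# Principals whose "allow" ACE also covers an authenticated DC computer account.
$coveringSids = @(
    $sidDc,
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),   # Everyone
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11')   # Authenticated Users
)

function Test-DcomRestriction {
    # $Name is the registry value the GPO writes; $RemoteBit is the right a
    # remote caller needs (assumed: 0x4 = LC/remote access, 0x10 = RP/remote activation).
    param([string]$Name, [int]$RemoteBit)
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $sddl = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $sddl) { return "$Name : not set by policy; built-in defaults apply" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed')          { continue }
        if (($ace.AccessMask -band $RemoteBit) -eq 0)  { continue }   # local-only ACE
        foreach ($sid in $coveringSids) {
            if ($ace.SecurityIdentifier.Equals($sid)) {
                $who = $sid.Translate([System.Security.Principal.NTAccount])
                return "$Name : OK, remote right granted to $who"
            }
        }
    }
    return "$Name : no allow ACE with the remote right covers $ntDc (DCs will be refused)"
}

function Test-CertSvcDcomAccess {
    # Local group on a member-server CA; enumerated through the WinNT ADSI provider
    # so it also works on Windows Server 2008 R2 without the LocalAccounts module.
    $group = [ADSI]"WinNT://$CaHost/Certificate Service DCOM Access,group"
    $paths = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $want = "WinNT://$DomainNetbios/Domain Controllers"
    if ($paths -contains $want) { return $true }
    if ($Fix) {
        $group.Add("$want,group")       # same effect as: net localgroup ... /add
        return $true
    }
    return $false
}

Test-DcomRestriction -Name 'MachineAccessRestriction' -RemoteBit 0x4
Test-DcomRestriction -Name 'MachineLaunchRestriction' -RemoteBit 0x10
if (Test-CertSvcDcomAccess) { "Certificate Service DCOM Access : contains $ntDc" }
else                         { "Certificate Service DCOM Access : missing $ntDc (rerun with -Fix)" }

# End-to-end check to run from a domain controller afterwards. The CA common name
# is read from the CertSvc configuration key so the certutil target can be printed.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
"Verify from a DC:  certutil -ping -config `"$CaHost\$caName`""
```

    Membership added with -Fix only reaches the Certificate Services process token after the service is restarted (Restart-Service CertSvc) or the CA is rebooted, which is why the reply above needed the reboot. The two symptoms in the thread map onto the two checks: a caller blocked by the machine-wide DCOM restrictions never gets far enough to be authorized by the CA, while a caller that passes them but is not in "Certificate Service DCOM Access" is rejected by the CA itself.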

  • Friday, July 06, 2012 4:34 AM
    Moderator

    Hi Stephan,

    I'm glad to hear that you have the problem solved. Your shared experience and solution are appreciated. They can be helpful to other community members who face similar problems. 

    Have a nice day.

    Best Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

  • Friday, July 06, 2012 6:41 AM

    Kevin,

    the thing I actually never realized is that "Domain Controllers" is not a member of "Domain Computers". At least in my environment. Is that normal in a Windows 2008 R2 native AD DS domain?


  • Friday, July 06, 2012 7:44 AM
    Moderator
     Answered

    Hi Stephan,

    It is by design.

    The Domain Computers group contains all member servers and workstations in a domain.

    The Domain Controllers group contains all domain controllers in a domain.

    Regards

    Kevin

    TechNet Subscriber Support
