Certificate Enrollment - The RPC Server is unavailable

    Question

  • Hi, 

    I am having an issue with our Enterprise CA.

    Running Windows 2008 R2 DC's with the certserv running on a DC that is not a GC holding the FSMO roles.

    Trying to enroll a webserver cert (or a computer cert or user cert) gets the error The RPC server is unavailable. This CA has also issued certs in the past for computers and webservers. I have added a subordinate CA and that is issuing certificates from the same templates without any error. I have found however that if I run the certificates snap-in with a Domain admin account and request a user cert, this is issued successfully.

    This can also be seen using the certutil tool, here is is run as a standard user:

    certutil -ping -config "server.domain.com\domain-server-ca"
    Connecting to server.domain.com\domain-server-ca
     ...
    Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

    CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
    CertUtil: The RPC server is unavailable.

    The same command from a command prompt on the same computer run as domain admin:

    Server "domain-server-CA" ICertRequest2 interface is alive
    CertUtil: -ping command completed successfully.

    So I figure it's a rights issue - but not on a domain group, as the subordinate CA we added is issuing certificates fine.

    I went through the sites and services security settings as laid out in http://technet.microsoft.com/en-us/library/cc774525(WS.10).aspx - the last couple of containers - NT Certificates Object and Domain Users and Computers weren't present, everything else looked fine.

    nltest /sc_verify:domain run on this DC gives the following error:
    I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    This command works fine on other machines - pointing to that very DC (the FSMO role holder).

    So something appears to be wrong with this DC - what can I do from here to investigate further?

    Cheers,
    James

     

    Thursday, March 25, 2010 4:13 AM

Answers

  • Hi,

    According to the netmon files, I believe that it is a permission-related issue. Therefore, I suggest that we do further checking on the CA server:

     

    1.     Please ensure that “Authenticated Users” group is in the “Certificate Service DCOM Access” group.

    2.     Please verify that the Builtin\Users group includes the following member groups:

    Authenticated Users
    Domain Users
    INTERACTIVE
     

    3.     Check the DCOM Access Limit of “My Computer” of the DC:

     

    1)    On the server, run dcomcnfg.exe.

    2)    On the Component Services console, navigate to Component Services\Computers\My Computer.

    3)    Right-click My Computer, select Properties, verify that Enable Distributed COM on this computer is selected in the Default Properties tab.

    4)    Click the COM Security tab, Click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access has Local Access and Remote Access permissions.

    5)    Click Edit Limits in the Launch and Activation Permission section and ensure that Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.

    6)    Click OK.

     

    In addition, I would like to confirm if the subordinate CA you mentioned in your first post is installed on the DC (ADS02).

     

    Thanks.

     


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by James Bellaart Wednesday, March 31, 2010 11:04 PM
    Wednesday, March 31, 2010 8:20 AM

All replies

  • Hi,

     

    To better understand the issue, please help confirm the following:

     

    1.    Is it a single domain environment?

    2.    When you ran the command nltest /sc_verify:domain, did you replace the domain with the exact domain name of your domain?

    3.    If you did change the domain parameter, please confirm if DNS is installed on the Windows 2008 R2 DC/CA computer.

    4.    Please refer to the following KB article, run nslookup on the DC/CA computer and verify that the result is correct.

    How to verify that SRV DNS records have been created for a domain controller
    http://support.microsoft.com/kb/816587

     

    Meanwhile, please collect MPSReport on both DCs:

     

    1. Download the executable file from the following URL
    http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE

    2. Run the file on the computers.
    3. After the tool finishes gathering the information, copy the cab file from the following folder:

    C:\WINDOWS\MPSReports\DirSvc\cab

     

    4. Please upload the cab files to the following space:

     

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=d50166be-1fe3-49d4-8f10-b62c2c04a5dd

    Password: {LKsv${YUT^U
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, March 26, 2010 2:18 AM
  • Hi Joson,

    Thank you for looking at this issue.  I have downloaded and run the tool - it gave the following error, but then completed ok:

    netdom.exe - Entry Point Not Found.  The procedure entry point I_NetNameValidate could not be located in the dynamic link library NETAPI32.dll.

    There was no cab file at the location you gave, so I zipped up the log directory and uploaded that to the link you provided - 1 for each DC.  ADS01 is the DC with the CA installed and holds the FSMO roles.  ADS02 is a GC and we have installed the subsidiary CA here which is handing out licences successfully.

    1 - yes it is a single domain environment.  We do have a Demo/Dev domain, but it is not part of the forest, only a 1 way non transitive trust exists between them.

    2 - yes.  This command works run from ADS02 or from a client PC on the domain, but gives error I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN when run on ADS01.

    3 - yes both DCs are running DNS

    4 - I have worked through this article and it all looks good, both via NSLOOKUP and the DNS Admin tool.  There were also some entries for a DC in one of our remote sites which had been decommissioned still present, I have removed those.

    Thanks

    Monday, March 29, 2010 10:33 PM
  • Hi,

     

    I’ve checked the files you uploaded. The DCs are working properly and I did not find any critical error in the event viewer.

     

    Based on the current situation, I suggest checking the DCOM permission on the server encountering the issue:

     

    1.    On the server, run dcomcnfg.exe.

    2.    On the Component Services console, navigate to Component Services\Computers\My Computer\DCOM Config.

    3.    Right-click CertSrv Request, select Properties, verify that the Authentication Level is Default.

    4.    Click the Security tab, click Edit in the Launch and Activation Permission section and ensure that Everyone has Local Activation and Remote Activation permissions.

    5.    Click Edit in the Access Permission section and ensure that Everyone has Local Access and Remote Access permissions.

     

    If you have verified the DCOM configuration, please install Netmon 3.3 on the CA server and a client computer to capture the network traffic:

     

    1.    Please install Netmon 3.3 on both computers

    Microsoft Network Monitor 3.3
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    2.    Right-click the Netmon icon and select Run as Administrator to launch NetMon3.3 on both computers.

    3.    In the Microsoft Network Monitor 3.3 window, click Create a new capture tab.

    4.    In the new tab, select all the Network Adapters in the Select Networks window.

    5.    Press F10 to start NetMon.

    6.    On the client computer, run the command certutil -ping -config "server.domain.com\domain-server-ca" with a standard user to reproduce the issue.

    7.    After the issue occurs, please go back to the NetMon window and press F11 to stop the NetMon on both computers.

    8.    Press Ctrl+S to save the Netmon files as Failure.cap.

    9.    Press F10 to start NetMon.

    10. On the client computer, run the command certutil -ping -config "server.domain.com\domain-server-ca" with a domain admin user.

    11. After you get the success message, please go back to the NetMon window and press F11 to stop the NetMon on both computers.

    12. Press Ctrl+S to save the Netmon files as Success.cap.

     

    Please upload the .cap files to the space.

     

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 30, 2010 6:20 AM
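The dcomcnfg checks above (the machine-wide "Edit Limits" on My Computer from the marked answer, and the per-application settings of "CertSrv Request" from this reply) can be read straight from the registry, which also shows the SID behind each entry. The script below is an added example for this thread, not code from the original posts or from Microsoft. It assumes it runs in an elevated PowerShell prompt on the CA host and only reads; the access-mask bit values, the well-known SIDs S-1-5-32-574 (Certificate Service DCOM Access) and S-1-1-0 (Everyone), and the registry locations are the documented ones, while the function names and labels are this example's own.

```powershell
# Added example, not from the thread. Audits the DCOM settings a client needs in order to
# reach an Enterprise CA over RPC/DCOM, following the checks the replies walk through:
#   - EnableDCOM and the machine-wide "Edit Limits" descriptors
#     (HKLM\SOFTWARE\Microsoft\Ole: MachineAccessRestriction / MachineLaunchRestriction)
#   - the per-application descriptors of the "CertSrv Request" AppID
#     (HKCR\AppID\{...}: AccessPermission / LaunchPermission / AuthenticationLevel)
#   - membership of "Certificate Service DCOM Access" and Builtin\Users
# Every ACE is listed with its resolved account; SIDs that no longer resolve are flagged,
# the "unknown account / SID" symptom. Read-only; run elevated on the CA host.

# COM access-mask bits, as defined in objbase.h
$COM_RIGHTS_EXECUTE_LOCAL   = 0x2
$COM_RIGHTS_EXECUTE_REMOTE  = 0x4
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x8
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10
$AccessMask = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE     # Local Access + Remote Access
$LaunchMask = $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE   # Local Activation + Remote Activation

# Well-known SIDs: BUILTIN\Certificate Service DCOM Access (RID 574) and Everyone
$CertSvcDcomSid = 'S-1-5-32-574'
$EveryoneSid    = 'S-1-1-0'

function Get-DcomAces {
    param([byte[]]$Bytes)
    # Each registry value is a self-relative security descriptor; walk its DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value; $orphan = $false }
        catch { $account = '<unresolved SID>'; $orphan = $true }
        New-Object PSObject -Property @{
            Sid = $sid.Value; Account = $account; Orphan = $orphan
            Type = $ace.AceType; Mask = [int]$ace.AccessMask
        }
    }
}

function Test-DcomRights {
    param([string]$Label, [byte[]]$Bytes, [string]$PrincipalSid, [string]$PrincipalName, [int]$Required)
    if (-not $Bytes) { "{0}: value not set, Windows defaults apply" -f $Label; return }
    $aces = @(Get-DcomAces -Bytes $Bytes)
    foreach ($a in $aces) {
        $note = if ($a.Orphan) { '  <-- orphaned SID (group deleted or recreated?)' } else { '' }
        "{0}: {1,-13} {2,-45} mask=0x{3:X2}{4}" -f $Label, $a.Type, $a.Account, $a.Mask, $note
    }
    # Union of the allow ACEs for the principal; a deny ACE for it is reported on its own.
    $granted = 0
    foreach ($a in $aces) {
        if ($a.Sid -ne $PrincipalSid) { continue }
        if ($a.Type -eq 'AccessAllowed') { $granted = $granted -bor $a.Mask }
        elseif ($a.Type -eq 'AccessDenied') { "{0}: WARNING deny ACE for {1}" -f $Label, $PrincipalName }
    }
    if (($granted -band $Required) -eq $Required) { "{0}: OK, {1} holds 0x{2:X2}" -f $Label, $PrincipalName, $Required }
    else { "{0}: MISSING, {1} holds 0x{2:X2} but needs 0x{3:X2}" -f $Label, $PrincipalName, $granted, $Required }
}

function Get-GroupMemberNames([string]$Group) {
    # WinNT provider, so the same call works on a member server and on a DC (Builtin groups)
    $g = [ADSI]("WinNT://./$Group,group")
    @($g.Invoke('Members')) | ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
}

# Answer items 1-2: group membership
'Certificate Service DCOM Access members: ' + ((Get-GroupMemberNames 'Certificate Service DCOM Access') -join ', ')
'Builtin\Users members: ' + ((Get-GroupMemberNames 'Users') -join ', ')

# Answer item 3: My Computer > Default Properties / COM Security > Edit Limits
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
'EnableDCOM = {0} (expected Y)' -f $ole.EnableDCOM
Test-DcomRights 'Machine access limit' $ole.MachineAccessRestriction $CertSvcDcomSid 'Certificate Service DCOM Access' $AccessMask
Test-DcomRights 'Machine launch limit' $ole.MachineLaunchRestriction $CertSvcDcomSid 'Certificate Service DCOM Access' $LaunchMask

# This reply: DCOM Config > CertSrv Request, located by display name rather than a hard-coded AppID GUID
$app = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' |
       Where-Object { $_.GetValue('') -eq 'CertSrv Request' } | Select-Object -First 1
if ($app) {
    $auth = $app.GetValue('AuthenticationLevel'); if ($auth -eq $null) { $auth = 'Default' }
    'CertSrv Request AppID = {0}, AuthenticationLevel = {1}' -f $app.PSChildName, $auth
    Test-DcomRights 'CertSrv access' $app.GetValue('AccessPermission') $EveryoneSid 'Everyone' $AccessMask
    Test-DcomRights 'CertSrv launch' $app.GetValue('LaunchPermission') $EveryoneSid 'Everyone' $LaunchMask
} else {
    'CertSrv Request AppID not found: is the Certification Authority role installed on this host?'
}
```

A line that reads "MISSING" next to an "orphaned SID" entry means the limits still carry an ACE for a SID that no longer maps to any account (for example a group that was deleted and recreated, which gets a new SID), so the live group has no rights even though the GUI looks populated. The fix is either the dcomcnfg steps in the replies or `certutil -setreg ca\setupstatus -SETUP_DCOM_SECURITY_UPDATED_FLAG` followed by a restart of the certsvc service, which makes the CA re-apply its DCOM security on start-up. Note that the client only ever sees the generic 0x800706ba "RPC server is unavailable", so a permission failure at this layer is not distinguishable from a network failure without checks like these or a capture.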
  • Hi Joson,

    I have uploaded captures of both successful and failed certutil -pings from both the client (10.51.1.160) and server(10.55.1.140).

    Thank you for looking at them,

    Cheers.

    Tuesday, March 30, 2010 10:28 PM
  • Hi Joson,

    The "Certificate Service DCOM Access" Group and "Builtin\Users" groups were both set up correctly.

    "Certificate Service DCOM Access" did not have any rights under the COM Security Tab for the DCOM Access of My Computer. 

    There was an unknown account / SID listed in there - could something have happened to the SID of this group to cause this issue?

    After adding these rights I am able to query the CA with certutil -ping -config... from a user account, and enroll certificates.

    Thank you for your help.

    Cheers,

    James

    Wednesday, March 31, 2010 11:03 PM
  • Hi,

    Glad to hear that the issue has been resolved.

    According to your reply, the cause of the issue is that the Certificate Service DCOM Access does not have proper rights on the server.

    Have a nice day.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 01, 2010 1:35 AM