I am admittedly not very strong with Active Directory Certificate Services. I have 4 domain controllers and only having certificate enrollment issues with one of them. The other 3 enroll just fine.
I have certificate services installed on a Server 2008 R2 Domain Controller. The forest and domain are at 2008 R2 functionality levels. The domain controller having trouble also holds the RID, PDC, and IM roles. I have verified the proper groups in Certificate Service DCOM Access.
I get event ID 6 and 13 every day at 6:10 AM and 2:10 PM on the problematic DC.
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
I also see event 1400 in the AD Web Services Log: Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.
Certificate name: problemDC.domain.local
I am in need of help on this. Thank you in advance.
This error typically occurs when the certification authority is not available on the network or the service is stopped. Please follow the steps below to troubleshoot it:
1. In the Certificate Templates snap-in, right-click the certificate template "Domain Controller Authentication" and ensure that the Domain Controllers and ENTERPRISE DOMAIN CONTROLLERS groups have the Enroll and Autoenroll permissions, and that Authenticated Users has the Read permission.
2. Verify that Authenticated Users is a member of the Certificate Service DCOM Access group.
3. Ensure that there is no firewall blocking the connection.
Meanwhile, here are some articles which might be helpful for you:
I also see event 1400 in the AD Web Services Log
>> Please refer to the following thread to troubleshoot this issue:
Hope this helps!
TechNet Community Support
- Edited by Elytis Cheng, Moderator, 2 May 2012 3:36
I have verified that the template has the correct security permissions. DNS works fine, the service is started, and everything is reachable on the network. I can see that my CA has issued "DomainController" certificates to the 3 other DCs but not to the one. I have tested and verified with the certutil ping command that the service is listening properly on my CA. There are no firewalls between this DC and the CA to block traffic. The problem server is a very plain build.
So I have to ask the following questions:
- Why would I be having trouble with just this one DC? It is Server 2008 R2 like all the others. Only difference is that it holds some FSMO roles.
- Is it correct that the other DCs were issued the Domain Controller cert and not the Domain Controller Authentication cert?
- Should I try to manually request a certificate? If so, should I use the Domain Controller or Domain Controller Authentication template?
Basic steps are as follows:
- Marked as answer by rpcsys, 14 May 2012 15:09
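The following PowerShell script is an added example, not code from the thread or from Microsoft. It gathers, read-only, the evidence the moderator's three checks and the follow-up question ask for, run on the problem DC as an administrator: the recent AutoEnrollment events 6 and 13, a certutil ping of the CA's RPC/DCOM interface (the 0x800706ba "RPC server is unavailable" result means the client never reached the CA's DCOM endpoint), the membership of Certificate Service DCOM Access, and which template each certificate in the machine store was actually issued from (so you can see whether it is the v1 "DomainController" or the v2 "Domain Controller Authentication" template). It ends by forcing an autoenrollment pass with certutil -pulse, since the 6:10 and 14:10 events are eight hours apart, which is the normal autoenrollment timer. The CA config string is a placeholder; the ActiveDirectory module (RSAT-AD-PowerShell) is assumed to be installed, and the syntax avoids PowerShell 3.0 features so it runs on 2008 R2.

```powershell
# Added example (not from the thread): read-only checks for the autoenrollment
# failure 0x800706ba discussed above. Run on the problem DC as an administrator.
# ASSUMPTION: $CAConfig is a placeholder; replace it with your CA's "Server\CA name"
# (as shown by "certutil -dump" on a working DC).
param(
    [string]$CAConfig = "CA01.domain.local\Example-CA"   # placeholder, not from the thread
)

# 1. Most recent AutoEnrollment events 6 and 13 (the ones seen at 6:10 and 14:10).
Write-Host "== AutoEnrollment events 6/13 (last 5) =="
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Id           = 6,13
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Is the CA's RPC/DCOM interface reachable from THIS machine? (moderator's step 3)
#    A working DC answering "ping" while this one fails points at something local
#    to this host or the path between it and the CA, not at the CA itself.
Write-Host "== certutil -ping against $CAConfig =="
certutil -config $CAConfig -ping

# 3. Membership of the Certificate Service DCOM Access group (moderator's step 2).
Write-Host "== Certificate Service DCOM Access members =="
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Certificate Service DCOM Access' |
    Select-Object name, objectClass | Format-Table -AutoSize

# 4. Which templates have actually been issued into this DC's machine store?
#    v1 templates such as "DomainController" carry the template name in the
#    extension with OID 1.3.6.1.4.1.311.20.2; v2 templates such as
#    "Domain Controller Authentication" use OID 1.3.6.1.4.1.311.21.7.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
Write-Host "== Certificates in LocalMachine\My with their template =="
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $tmpl = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }
    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Template = ($tmpl -join '; ')
        NotAfter = $cert.NotAfter
        Issuer   = $cert.Issuer
    }
} | Format-Table Subject, Template, NotAfter, Issuer -AutoSize

# 5. Trigger a machine autoenrollment pass now instead of waiting for the
#    eight-hour timer, then re-run step 1 to see whether a fresh event 6/13
#    (or a successful enrollment) was logged.
Write-Host "== certutil -pulse (machine autoenrollment) =="
certutil -pulse
```

If step 2 fails from the problem DC but succeeds from one of the three healthy DCs, compare the two hosts rather than the CA: the local firewall profile, the RPC dynamic port range, and name resolution of the CA from that specific host. Step 4 answers the follow-up directly, because the template shown on the healthy DCs' certificates is the one the CA is set to issue; if that is "DomainController" everywhere, the v1 template is what autoenrollment is expected to deliver on this DC too.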