Domain certificate error
Asked By jithurbid
29-Jan-10 08:21 AM
Hello,
I have installed an enterprise CA on my new domain. I see that all my
DCs received a Domain Controller certificate except one.
If I check the log I can see two events:
First: Event ID 6:
Automatic certificate enrollment for local system failed (0x800706ba)
The RPC server is unavailable.
Second: Event ID 13:
Certificate enrollment for Local system failed to enroll for a
DomainController certificate with request ID N/A from
DCSHDCT02.mydomain.local\mydomain-DCSHDCT02-CA (The RPC server is
unavailable. 0x800706ba (WIN32: 1722)).
The message seems to be clear, but if I try to telnet to
DCSHDCT02 I can see a connection! So I can say the RPC server is on
and working well.
Can anybody help me?
Ace Fekay [MVP-DS, MCT] replied to jithurbid
29-Jan-10 10:19 AM

It is more than just telnet. The "RPC server is unavailable" message simply
means it either cannot fully communicate with the necessary ports to the
server, DNS cannot resolve all necessary records (SRV and "A" records), or
the server is completely down. Since you can telnet, it indicates the
server is up but there are possibly some firewall ports blocked. Within
a private infrastructure, it is assumed that all ports are allowed and
opened between all servers and workstations.
I remember you said you 'changed your firewall strategy' in another thread
regarding your Sites issues. What exactly is your new strategy?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
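The three causes Ace lists (blocked ports, missing DNS records, server down) can each be checked from the failing DC in one pass. The script below is an added example and is not from the original thread or from either MVP; it assumes the names used in the posts (failing DC DCITDCT01, CA host DCSHDCT02.mydomain.local, CA logical name mydomain-DCSHDCT02-CA) and a Windows Server 2008 R2-era PowerShell, which is why it uses nslookup and .NET sockets rather than Resolve-DnsName or Test-NetConnection. The important part is step 3: a successful telnet to port 135 only proves the endpoint mapper answers, while certutil -ping exercises the same DCOM/RPC path that autoenrollment uses and therefore reproduces 0x800706ba when the dynamic port behind 135 is filtered.

```powershell
# Added diagnostic (not from the original thread). Assumes the names used in the posts:
# the failing DC is DCITDCT01, the CA host is DCSHDCT02.mydomain.local and the CA's
# logical name is mydomain-DCSHDCT02-CA. Run from the failing DC in an elevated prompt.
$CaHost   = 'DCSHDCT02.mydomain.local'
$CaName   = 'mydomain-DCSHDCT02-CA'
$Domain   = 'mydomain.local'
$CaConfig = "$CaHost\$CaName"      # certutil "-config" string is always Host\CA-name

# 1. Name resolution: the CA's A record, and the SRV records a DC needs to find its peers.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($CaHost) | ForEach-Object { $_.IPAddressToString }
    "A     $CaHost -> $($ips -join ', ')"
} catch {
    "A     $CaHost FAILED: $($_.Exception.Message)"
}
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $out = nslookup -type=SRV $srv 2>&1 | Out-String      # nslookup: Resolve-DnsName is 2012+
    if ($out -match 'svr hostname') { "SRV   $srv OK" } else { "SRV   $srv MISSING`n$out" }
}

# 2. TCP reachability. 135 is only the endpoint mapper; the CA's DCOM interface is then
#    reached on a port from the dynamic range (49152-65535 on 2008/R2), so a successful
#    "telnet 135" proves nothing about the port the enrollment call actually needs.
function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
foreach ($p in 135, 445, 389, 88, 80) {
    $state = if (Test-TcpPort $CaHost $p) { 'open' } else { 'BLOCKED or closed' }
    "TCP   ${CaHost}:$p $state"
}

# 3. The test that matters: certutil -ping uses the same DCOM/RPC path (ICertRequest) as
#    autoenrollment, so it reproduces 0x800706ba / WIN32 1722 when the dynamic port is filtered.
certutil -config $CaConfig -ping
certutil -config $CaConfig -pingadmin     # ICertAdmin interface, same transport
```

If step 1 and step 2 pass but step 3 fails with the same 1722 error, the block is on the dynamic RPC port, not on 135, and the firewall rule set is the thing to fix.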
Jorge Silva replied to jithurbid
30-Jan-10 06:43 PM
Hi
To test, do an SMB connection: "\\CAName.yourdomain.tld" from that DC. If it
asks for authentication credentials, you may have a FW issue or name
resolution problems (from the CA side or the DC side). A workaround for this may be
to cache the credentials on the DC side (using the option to save the credentials
when you are doing the SMB connection).
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Julien replied to Ace Fekay [MVP-DS, MCT]
01-Feb-10 07:08 AM
Hello,
OK, first I blocked all traffic except for the AD ports. But I discovered that
with Windows 2008 R2, AD needs to have a range of ports open. So I opened IP
communication between all DCs! So I can say that it is not a problem with
my firewall!
Julien
Julien replied to Jorge Silva
01-Feb-10 07:12 AM
Hello,
You say :
What is the CAName? My computer name, like dcshdct02? Or the name I can
see in the Certification Authority MMC?
I can browse the CA with the computer name \\dcshdct02 but not with the name I
see in the CA MMC.
Julien
Ace Fekay [MVP-DS, MCT] replied to Julien
01-Feb-10 11:21 AM
There are numerous ports that AD needs, as you know. Usually we just open it
up wide open and let it have everything, otherwise if you try to make port
exceptions in a firewall, it turns it into Swiss cheese anyway.
Can you post exactly what ports you opened up? Also, if you followed an
article on what ports to open, can you post the article you followed?
Ace
Ace Fekay [MVP-DS, MCT] replied to Julien
01-Feb-10 11:23 AM
The CAName is the computer name of your CA (Certificate Authority) server.
Is dcshdct02 the name of the CA? If so, what do you mean by cannot browse by
the name in the CA MMC console? What name is that?
Ace
Julien Ithurbide replied to Ace Fekay [MVP-DS, MCT]
02-Feb-10 03:59 AM
Hello,
First I opened these ports, TCP/UDP:
1025
1030
123
135
139
3268
389
445
49155
49159
88
53
750
But now I have opened all TCP/UDP traffic!
Julien Ithurbide replied to Ace Fekay [MVP-DS, MCT]
02-Feb-10 04:02 AM
Hello,
In fact, the computer name is dcshdct02, but if I open the certification
authority MMC, the name of the server is : mydomain-DCSHDCT02-CA.
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
02-Feb-10 12:05 PM

That's good you opened all traffic. There are more ports required
than you posted. That was why you got the errors. You were missing the
service ports.
For more information on ports required, please read the following to
understand better what ports AD requires. It is not as simple as the ports
you mentioned. That was why I was saying it is easier just to allow ALL
ports, for after all, if it is an internal private network, you are safe
anyway.
Paul Bergson's Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
Restricting Active Directory replication traffic and client RPC traffic to a
specific port
http://support.microsoft.com/kb/224196
How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553
Network Ports Used by Key Microsoft Server Products
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx
Ace
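The list Julien posted (49155 and 49159 among fixed ports) illustrates the trap Ace describes: those two are ports from the RPC dynamic range that happened to be in use when he looked, and the next reboot hands out different ones. The alternative to "open everything" is to make the ports predictable first and then write the rule. The script below is an added example, not from the thread or from the KB articles it cites; it follows KB224196 (static NTDS and Netlogon ports) and the netsh dynamic-port commands available on 2008/R2. The concrete port numbers 50000, 50001 and the 50010 range are assumptions, and the CA host name is the one used in the posts.

```powershell
# Added example (not from the thread). Two parts: (a) show which ports RPC will actually
# use on this host, which is why opening 49155 and 49159 alone could not work; (b) make the
# ports predictable so a firewall rule can be written, following KB224196 (static NTDS and
# Netlogon ports). The concrete port numbers are assumptions; pick free ones for your network.

# (a) Dynamic range in use. 2008/R2 default is 49152-65535 (2003 used 1025-5000); the two
#     ports a service was bound to when you looked are not the ones it gets after a reboot.
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
# Ask the remote endpoint mapper what it is handing out right now (needs PortQry, a separate
# Microsoft download; skipped if it is not on the path).
if (Get-Command portqry.exe -ErrorAction SilentlyContinue) {
    portqry -n DCSHDCT02.mydomain.local -e 135
}

# (b1) Pin AD replication and Netlogon to fixed ports (KB224196). Assumed: 50000 and 50001.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord -Value 50000 -Force | Out-Null
New-ItemProperty -Path $nl   -Name 'DCTcpipPort' -PropertyType DWord -Value 50001 -Force | Out-Null

# (b2) Narrow the range every other RPC/DCOM server (the CA's ICertRequest included) draws from.
#      Assumed: 2000 ports starting at 50010. Do this on the CA as well as on every DC.
netsh int ipv4 set dynamicport tcp start=50010 num=2000
netsh int ipv4 set dynamicport udp start=50010 num=2000

# Restart Netlogon/NTDS (simplest: reboot) so the registry values take effect, then verify:
Get-ItemProperty $ntds | Select-Object 'TCP/IP Port'
Get-ItemProperty $nl   | Select-Object 'DCTcpipPort'

# Core rule set between DCs and the CA that is then enough for replication, logon and
# enrollment (TCP unless noted; add ICMP and 137-139 if you still have NetBIOS clients):
#   53 TCP/UDP, 88 TCP/UDP, 123 UDP, 135, 389 TCP/UDP, 445, 464 TCP/UDP, 636, 3268, 3269,
#   50000, 50001 and the range 50010-52009 chosen above.
```

The point of (b) is that the rule set becomes finite: 135 plus a range you own, instead of 135 plus whatever two ports a service was holding on the day you ran netstat.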
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
02-Feb-10 12:06 PM
That appears to be the CA name you gave it, not the computer name.
Ace
Jorge Silva replied to Julien Ithurbide
02-Feb-10 04:50 PM
Hi
Yes, test the connection using \\dcshdct02
Julien Ithurbide replied to Jorge Silva
08-Feb-10 05:33 AM
Hello,
I can do a SMB connection but I do not have the certificate.
Can any body help me to resolve this issue?
Julien
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
08-Feb-10 11:53 AM
Can you connect to the CA using a browser? If you can, you can request a
cert.
https://dcshdct02
or
http://dcshdct02
Also, you said that you have opened the firewall up wide open, correct? That
should have alleviated the RPC errors. However, if it did not resolve the
errors, then something else is going on. It could be using the wrong DNS,
multihomed DC (more than one NIC and/or RRAS is installed on a DC) which
will cause these problems, too, due to incorrect DNS lookups, which will
stop GPOs from applying, among other things.
Can you post an ipconfig /all from the DC, as well as any EventID# errors
(App, System, FRS, Dir Service logs)?
Ace
Jorge Silva replied to Julien Ithurbide
09-Feb-10 04:02 PM
Is the CA service started?
Did you test SMB from that DC?
Is that DC passing through ISA? If yes, can you disable the RPC filter for
that rule and test again? You may need to reboot the DC twice until that
error goes away.
Julien Ithurbide replied to Ace Fekay [MVP-DS, MCT]
10-Feb-10 02:51 AM

Hello,
This is my ipconfig :
----------------------------------------------------------------------------------------------
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : DCITDCT01
Primary Dns Suffix . . . . . . . : mydomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-72-A4-A4
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.11.14(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.11.254
DNS Servers . . . . . . . . . . . : 192.168.11.14
                                    192.168.30.2
                                    127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{6DE906DB-E4F6-45A1-A6D3-A5B10F2663BA}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
-------------------------------------------------------------------------------------------------------------
Here are my application log errors:
-------------------------------------------------------------------------------------------------------------
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 10.02.2010 05:42:07
Event ID: 6
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DCITDCT01.mydomain.local
Description:
Automatic certificate enrollment for local system failed (0x800706ba) The
RPC server is unavailable.
Event Xml (truncated):
<Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment"
Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />
Julien Ithurbide replied to Jorge Silva
10-Feb-10 02:58 AM
Hello,
Yes, I did. I tested the SMB connection from and to my DC.
No, we do not use ISA!
I will try this tonight, but if I remember well I already rebooted it more
than twice.
Julien
Jorge Silva replied to Julien Ithurbide
10-Feb-10 07:30 AM
Ok, do that, can you also explain these 2 DNS entries:
192.168.30.2
127.0.0.1
Julien Ithurbide replied to Jorge Silva
10-Feb-10 08:12 AM
OK, simple: 127.0.0.1 I have deleted... I do not know why it is here.
192.168.30.2 is my central site and my first DC in my domain.
I have a lot of sites and this address is in the range for my central offices.
Jorge Silva replied to Julien Ithurbide
10-Feb-10 08:39 PM
Ok,
- Did you also test SMB from the CA to the DC?
- Can you ping from both sides (DC and CA) to each other?
- Did you already reboot the DC 2?
Julien Ithurbide replied to Jorge Silva
11-Feb-10 05:39 AM
Yes, I do.
Yes, I can.
I have planned to reboot my DC and the CA tonight.
Jorge Silva replied to Julien Ithurbide
11-Feb-10 12:53 PM
Hold on...
If you are going to reboot the CA...
First the CA; after the CA is up, do 2 reboots with a logon between them on
the DC.
Jorge Silva replied to Julien Ithurbide
11-Feb-10 12:55 PM
Another thing, please check if you have any third-party FW installed on the
DC and CA. For instance, some antivirus products have additional components that
provide FW capabilities.
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
12-Feb-10 12:04 AM
In a multi-site scenario, I suggest, as is the consensus, to use itself
as the first DNS entry, and the other one as the second entry, otherwise all
initial queries will be hitting the first entry across the WAN link.
Good you removed the loopback. That was put in by dcpromo.
Ace
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
12-Feb-10 12:07 AM
Jorge Silva replied to Ace Fekay [MVP-DS, MCT]
13-Feb-10 06:36 PM
Oops, I also missed that important part about http/https access...
Ace Fekay [MVP-DS, MCT] replied to Jorge Silva
14-Feb-10 02:23 AM
I figured that would be the easiest way to tell if it is working. :-)
Ace
Julien Ithurbide replied to Ace Fekay [MVP-DS, MCT]
15-Feb-10 03:10 AM
Hello,
To answer your question, I can access http://dcshdct02/certsrv but not
https://dcshdct02/certsrv.
I already tried to request a cert but I do not see any domain cert!
I see a strange behavior. If I connect to a DC with my administrator
login and then try to connect to the URL http://dcshdct02/certsrv, I see
the web page directly.
But if I try this on dcitdct01, I need to enter my credentials! Maybe
that could be the problem!
Have you any idea?
Julien Ithurbide replied to Jorge Silva
15-Feb-10 03:21 AM
I did exactly what you said. But I still have the two errors:
First :
Certificate enrollment for Local system failed to enroll for a
DomainController certificate with request ID N/A from
APSHDCT02.audemarspiguet.local\audemarspiguet-APSHDCT02-CA (The RPC server
is unavailable. 0x800706ba (WIN32: 1722)).
Second :
Automatic certificate enrollment for local system failed (0x800706ba) The
RPC server is unavailable.
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
15-Feb-10 09:01 AM

Using the URL with the NetBIOS name while logged on as Domain Admin, you
should immediately get the page without logging on. This is the Windows
Authentication portion doing it in IIS. Now if you are getting prompted from
the other DC, then something else is going on. But if you do not see a domain
cert, and I cannot remember if that is normal or not since it should
automatically be enrolled using your GPO policy, it may be indicative of a
CA misconfiguration when you set it up.
What article or publication did you follow to set this all up?
Due to the many pieces of a CA, autoenrollment, etc, it would be quite a bit
of effort to go through what steps you took to install the CA and configure
the GPO, how you setup permissions on the template, and other specifics.
Maybe I can offer the following links. I hope they help.
Certificate Autoenrollment in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx
Install Windows Server 2003 CA
http://www.petri.co.il/install_windows_server_2003_ca.htm
Installing and Configuring Windows Server 2003 Enterprise Certification Authority
http://technet.microsoft.com/en-us/library/aa998956(EXCHG.65).aspx
How can I enable digital certificate autoenrollment in Windows Server 2003? (brief overview)
http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollment-in-windows-server-2003.html
Alex Tcherniakhovski - Security: Certificate auto-enrollment
http://blogs.msdn.com/alextch/archive/2007/07/03/certautoenroll.aspx
Ace
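Ace's post separates two questions that the thread keeps mixing: is the PKI side (CA published in AD, template available, GPO autoenrollment) set up correctly, and is the transport (RPC) working. The script below is an added example, not from the thread or from the linked articles, and checks the PKI side from the failing DC with certutil and an ADSI query; it assumes the CA host and CA name used in the posts (DCSHDCT02.mydomain.local and mydomain-DCSHDCT02-CA) and a 2008 R2 DC, where certutil -pulse and Get-WinEvent are available.

```powershell
# Added example (not from the thread). PKI-side checks on the failing DC, using the names from
# the posts (CA host DCSHDCT02.mydomain.local, CA name mydomain-DCSHDCT02-CA; assumptions).
$CaConfig = 'DCSHDCT02.mydomain.local\mydomain-DCSHDCT02-CA'

# 1. Which CAs does this forest advertise? Autoenrollment finds the CA through these
#    pKIEnrollmentService objects, not through the host name you typed into the browser.
$cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es  = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
$es.Children | ForEach-Object { 'CA {0} on {1}' -f $_.cn, $_.dNSHostName }

# 2. Templates the CA will actually issue. "DomainController" (2003-era) or
#    "KerberosAuthentication" must appear, or there is nothing for a DC to enroll for.
certutil -config $CaConfig -CATemplates

# 3. Does the machine store already hold a DC certificate, and from which template?
certutil -v -store My | Select-String -Pattern 'Subject:|NotAfter:|Template'

# 4. Force an autoenrollment pass instead of waiting for the next policy refresh, then
#    read back what the AutoEnrollment provider logged (Event ID 6 and 13 in the thread).
certutil -pulse
Start-Sleep -Seconds 30
Get-WinEvent -LogName Application -MaxEvents 50 |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 5. If step 4 still reports 0x800706ba while steps 1-3 look right, the problem is transport,
#    not PKI: compare with the result of "certutil -config $CaConfig -ping" from the same prompt.
```

If step 1 lists the CA and step 2 lists a DC template, the GPO and CA configuration Ace asks about are not the cause, and the remaining 0x800706ba in step 4 is a firewall or DNS problem on the dynamic RPC port.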
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
15-Feb-10 09:03 AM
I forgot to add, the RPC Unavailable error will be part of the issue. You
said you disabled the firewall and allowed all ports, correct?
As for not being able to connect by https:// (with the 's'), that means you
never created or added an SSL cert in IIS.
Ace
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
15-Feb-10 09:04 AM
As I mentioned earlier, RPC errors such as this mean there is a
communication block or DNS lookup issue. I assume DNS has the DCs listed, so
I think there is a block going on elsewhere.
Ace
Jorge Silva replied to Julien Ithurbide
15-Feb-10 03:32 PM
Ok,
And if you add the " http://dcshdct02/certsrv" to the Local Intranet Web
Sites trust on dcitdct01?
Jorge Silva replied to Ace Fekay [MVP-DS, MCT]
15-Feb-10 03:34 PM
I already saw this error, but the problem was related with cached
credentials on the requester... Can you check that please?
Ace Fekay [MVP-DS, MCT] replied to Jorge Silva
15-Feb-10 07:42 PM
Good point. I forgot. :-)
Possibly run in a cmd prompt to check what credentials are stored:
Control keymgr.dll
However, I do not think it is in there. Maybe clear and restart IE?
Ace
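Jorge's two suggestions (add the CA URL to the Local Intranet zone on dcitdct01; look for a cached credential on the requester) and Ace's keymgr.dll hint are both scriptable, which makes them repeatable across DCs. The script below is an added example, not code from the thread; it takes the CA host name dcshdct02 from the posts and assumes a 2008 R2 DC where cmdkey is available. It removes any saved credential for the CA host, prints the zone mapping for every registered site in both the user and machine hives (including the Enhanced Security Configuration list that a server applies to administrators), and then adds the CA host to the Local intranet zone, which is the zone that sends the current logon automatically.

```powershell
# Added example (not from the thread). On the DC that gets prompted (dcitdct01 in the posts):
# list saved credentials that target the CA host and remove them, then check which Internet
# Explorer zone the CA host falls into, since only the Local intranet zone sends the current
# logon automatically. The host name is taken from the thread; the rest are assumptions.
$CaHost = 'dcshdct02'

# 1. Saved credentials (scriptable view of "control keymgr.dll"). cmdkey /list prints lines
#    such as "Target: Domain:target=dcshdct02"; the name after "target=" is what /delete wants.
$targets = cmdkey /list | Select-String -Pattern 'Target:' | ForEach-Object {
    ($_.Line -replace '^.*target=', '' -replace '^\s*Target:\s*', '').Trim()
}
"saved credential targets: $($targets -join ', ')"
foreach ($t in $targets) {
    if ($t -match [regex]::Escape($CaHost)) {
        "removing saved credential for $t"
        cmdkey /delete:$t
    }
}

# 2. Zone mapping. Zone 1 = Local intranet (automatic logon), 3 = Internet (prompt). On a
#    server, IE Enhanced Security Configuration (EscDomains) moves unknown sites to Internet,
#    and an FQDN never qualifies for the "plain name" rule that covers http://dcshdct02.
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted' }
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($list in 'Domains', 'EscDomains') {
        $map = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$list"
        Get-ChildItem $map -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($scheme in $key.GetValueNames()) {
                '{0,-4} {1,-10} {2,-30} {3,-6} {4}' -f $hive, $list, $key.PSChildName, $scheme,
                    $zoneName[[int]$key.GetValue($scheme)]
            }
        }
    }
}

# 3. Put the CA host in the Local intranet zone for this user (Jorge's suggestion above).
$mine = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$CaHost"
if (-not (Test-Path $mine)) { New-Item $mine -Force | Out-Null }
New-ItemProperty -Path $mine -Name 'http' -PropertyType DWord -Value 1 -Force | Out-Null
```

After step 3, close and reopen Internet Explorer before retrying http://dcshdct02/certsrv; a prompt that persists with the host in zone 1 and no saved credential means the prompt is coming from the server side (IIS authentication settings or a Kerberos failure), not from the client's zone or credential cache.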
Julien Ithurbide replied to Ace Fekay [MVP-DS, MCT]
17-Feb-10 04:16 AM
In fact, I saw my user in the Credential Manager! I removed it and restarted
IE... without success! I always need to enter my credentials!
To be honest, I think that when I did the dcpromo, like on another server, something
went wrong!
I will try to demote my DC, remove my DNS server, reboot it and do the
dcpromo again.
Ace Fekay [MVP-DS, MCT] replied to Julien Ithurbide
18-Feb-10 01:43 PM
You've been wrestling with this for over two weeks now. Have you possibly
considered calling Microsoft PSS for assistance to get this resolved? A
single call and they can resolve everything associated with this issue in
one ticket. Just make sure you state everything in the ticket so they all
get resolved.
Ace