Certificate enrollment for Local system failed. The RPC server is unavailable.

Hello Clark Davidson1,

Thank you for posting in Microsoft Community forum.

Please confirm information below:

1.Did you enroll the certificate manually and then the error occurs? If so, how did you enroll the certificate?

2.Is your CA server also a Domain Controller?

3.Have you made any change recently before the issue occurs?

Also, please check or troubleshoot the issue as below:

1.Check the “Authenticated Users” group is in the “Certificate Service DCOM Access” group in Active Directory Users and Computers, it is correct.

2.Check the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE, it is correct.

3.Check the DCOM Access Limit of “My Computer” of CA server.

4.Check whether we have edited the local group policy (or domain policy) before on the CA:
4-1 Start > Run > gpedit.msc > OK

4-2 Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

4-3 Check the Security Setting of "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax".
4-4 The default Security Settings is Not Defined. If the Security Settings of both is Not Defined, we do not need to do anything.
4-5 If we have edited any one of them, and the Edit Limits button is greyed out.

I hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

1. Yes

2. No it's a seperate server.

3. I don't recall making any changes that would have effected the CA server.

Troubleshooting

1.Check the “Authenticated Users” group is in the “Certificate Service DCOM Access” group in Active Directory Users and Computers, it is correct. YES

2.Check the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE, it is correct. Are you talking in Active Directory users and Computers? I only see Domain Users in there.

3. The limits are greyed out because of a group policy that is assigned

Do I need to do anything with the GPO and change it? Everyone has Local Launch, and local activation. Do I need to change it so that Everyone has Remote Launch, and Remote Activation?

Hello Clark Davidson1,

Thank you for your reply.

2.Check the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE, it is correct. **Are you talking in Active Directory users and Computers? I only see Domain Users in there.**A: yes, see screenshot below:

3. The limits are greyed out because of a group policy that is assigned

A: Did you mean the group policy I mentioned above?**Do I need to do anything with the GPO and change it? Everyone has Local Launch, and local activation. Do I need to change it so that Everyone has Remote Launch, and Remote Activation?**A: If Edit Limits button is greyed out on CA server, you should change the permissions via local group policy on CA server or domain group policy on DC, it depends on where you set it.By default, both the Security Setting of "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" is Not Defined.Here are the default launch and activation permission for everyone and Distributed COM Users and Certificate services DCOM Access.

Best Regards,
Daisy Zhou

What I found was that both the DCOM user groups on the CA Server needed permissions. It was only on the one user group and they needed to be on both groups.

This issue is resolved now.

Thanks for your help.

Hello Clark Davidson1,

Thank you for your reply and sharing.

I am so glad that the issue was resolved.

If the reply is helpful. Please click "Accept Answer", thank you！

Have a nice day!

Best Regards,
Daisy Zhou