Certificate enrollment for Local system failed. The RPC server is unavailable.

Anonymous
2023-10-25T12:40:40+00:00

We have a CA (Certificate Authority) Server and when we try to enroll a server it gives us this error.

Certificate enrollment for Local system failed to enroll for a Machine certificate with request ID N/A from ..... (The RPC Server is unavailable.

0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

I have had a consultant; we tried a host of things and nothing seems to work. Any ideas? It seems like something is blocking the RPC request to the server. I have turned off the firewall and our anti-virus and nothing seems to work. It's all PCs and servers that can't connect to the CA server. The CA server can enroll itself.




9 answers

  1. Anonymous
    2023-10-26T06:40:39+00:00

    Hello Clark Davidson1,

    Thank you for posting in Microsoft Community forum.

    Please confirm information below:

    1.Did you enroll the certificate manually and then the error occurs? If so, how did you enroll the certificate?

    2.Is your CA server also a Domain Controller?

    3.Have you made any change recently before the issue occurs?

    Also, please check or troubleshoot the issue as below:

    1.Check that the “Authenticated Users” group is in the “Certificate Service DCOM Access” group in Active Directory Users and Computers; that is correct.

    2.Check that the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE; that is correct.

    3.Check the DCOM Access Limit of “My Computer” on the CA server.

    4.Check whether we have edited the local group policy (or domain policy) before on the CA:
    4-1 Start > Run > gpedit.msc > OK

    4-2 Expand: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

    4-3 Check the Security Setting of "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax".
    4-4 The default Security Setting is Not Defined. If the Security Settings of both are Not Defined, we do not need to do anything.
    4-5 If we have edited either of them, the Edit Limits button is greyed out.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
  2. Anonymous
    2023-10-26T13:39:22+00:00

    1. Yes

    2. No, it's a separate server.

    3. I don't recall making any changes that would have affected the CA server.

    Troubleshooting

    1.Check that the “Authenticated Users” group is in the “Certificate Service DCOM Access” group in Active Directory Users and Computers; that is correct. YES

    2.Check that the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE; that is correct. Are you talking about Active Directory Users and Computers? I only see Domain Users in there.

    3. The limits are greyed out because of a group policy that is assigned.

    Do I need to do anything with the GPO and change it? Everyone has Local Launch, and local activation. Do I need to change it so that Everyone has Remote Launch, and Remote Activation?

  3. Anonymous
    2023-10-30T02:20:04+00:00

    Hello Clark Davidson1,

    Thank you for your reply.

    2.Check that the Built-in\Users group includes the following member groups: Authenticated Users, Domain Users and INTERACTIVE; that is correct.
    **Are you talking about Active Directory Users and Computers? I only see Domain Users in there.**
    A: Yes, see screenshot below:

    (screenshot not preserved)

    3. The limits are greyed out because of a group policy that is assigned.
    A: Did you mean the group policy I mentioned above?

    **Do I need to do anything with the GPO and change it? Everyone has Local Launch, and local activation. Do I need to change it so that Everyone has Remote Launch, and Remote Activation?**
    A: If the Edit Limits button is greyed out on the CA server, you should change the permissions via local group policy on the CA server or domain group policy on the DC, depending on where you set it. By default, both the Security Setting of "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" are Not Defined. Here are the default launch and activation permissions for Everyone, Distributed COM Users and Certificate Service DCOM Access.

    (screenshots not preserved)

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
  4. Anonymous
    2023-10-30T12:47:45+00:00

    What I found was that both the DCOM user groups on the CA Server needed permissions. It was only on the one user group and they needed to be on both groups.

    This issue is resolved now.

    Thanks for your help.

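A script that runs the checks from answers 1 and 3 on the CA itself and tests for the condition answer 4 reports as the fix. It is added here as an example and was not posted by anyone in the thread. It reads the effective DCOM machine-wide limits (from the group-policy SDDL values, which are what grey out "Edit Limits", otherwise from the local binary values under HKLM\SOFTWARE\Microsoft\Ole), decodes each ACE into local/remote access, launch and activation rights, warns when Certificate Service DCOM Access or Distributed COM Users lacks the remote right in either limit, lists the local group memberships from answer 1, and adds a client-side RPC probe. The `$CaConfig` value is an assumed placeholder; run it from an elevated PowerShell 5.1 prompt on a member-server CA.

```powershell
# Added example, not from the thread. Run elevated on the CA (a member server here).
# Assumed placeholder: take the real "Config" string from `certutil -dump`.
$CaConfig = 'CA01.corp.example\corp-CA01-CA'

function Get-DcomLimit {
    # Effective machine-wide DCOM limit as SDDL, plus where it came from.
    # Group policy ("DCOM: Machine Access/Launch Restrictions in SDDL syntax")
    # writes a REG_SZ SDDL under the Policies key and overrides the local
    # "Edit Limits" value, which is a binary security descriptor under Ole.
    param([ValidateSet('Access', 'Launch')][string]$Kind)
    $valueName = "Machine${Kind}Restriction"
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $policy = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($policy) {
        return [pscustomobject]@{ Kind = $Kind; Source = 'Group Policy (Edit Limits greyed out)'; Sddl = $policy }
    }
    $bytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($bytes) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
        return [pscustomobject]@{ Kind = $Kind; Source = 'Local Edit Limits'; Sddl = $sd.GetSddlForm('All') }
    }
    [pscustomobject]@{ Kind = $Kind; Source = 'Built-in default (no value set)'; Sddl = $null }
}

function Show-DcomAces {
    # Decode the DACL of one limit into per-trustee rights. COM_RIGHTS_* bits:
    # 2 = local access/launch, 4 = remote access/launch, 8 = local activation, 16 = remote activation.
    param([string]$Kind, [string]$Sddl)
    $bitNames = @{ 2 = 'LocalAccess'; 4 = 'RemoteAccess' }
    if ($Kind -eq 'Launch') { $bitNames = @{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' } }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (deleted group) is itself a finding
        $rights = foreach ($bit in ($bitNames.Keys | Sort-Object)) { if ($ace.AccessMask -band $bit) { $bitNames[$bit] } }
        [pscustomobject]@{ Kind = $Kind; Trustee = $who; AceType = $ace.AceType; Rights = ($rights -join ',') }
    }
}

function Test-CaGroupMembership {
    # Answer 1's group checks; on a member-server CA these are local groups.
    foreach ($g in 'Certificate Service DCOM Access', 'Distributed COM Users', 'Users') {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object Name
        [pscustomobject]@{ Group = $g; Members = ($members -join '; ') }
    }
}

function Test-CaRpcFromClient {
    # Run this part from a client that fails to enroll: TCP/135 is the endpoint
    # mapper, and certutil -ping calls ICertRequest over DCOM like autoenrollment does.
    param([string]$Config = $CaConfig)
    $server = $Config.Split('\')[0]
    Test-NetConnection -ComputerName $server -Port 135 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
    certutil -ping -config $Config
}

foreach ($kind in 'Access', 'Launch') {
    $limit = Get-DcomLimit -Kind $kind
    Write-Host "== Machine $kind limit (source: $($limit.Source))"
    if (-not $limit.Sddl) { continue }
    $aces = Show-DcomAces -Kind $kind -Sddl $limit.Sddl
    $aces | Format-Table -AutoSize
    # Answer 4's finding: both DCOM groups need the remote right, not just one of them.
    $needed = if ($kind -eq 'Access') { 'RemoteAccess' } else { 'RemoteActivation' }
    foreach ($g in 'Certificate Service DCOM Access', 'Distributed COM Users') {
        $ok = $aces | Where-Object { $_.Trustee -like "*\$g" -and $_.AceType -eq 'AccessAllowed' -and $_.Rights -match $needed }
        if (-not $ok) { Write-Warning "$g is not granted $needed in the machine $kind limit" }
    }
}
Test-CaGroupMembership | Format-Table -AutoSize
```

If the source line reports Group Policy, editing the limits in dcomcnfg will not stick; the SDDL has to be changed in the GPO (or the local policy) that set it, which is the point made in answer 3. A warning for either group in either limit matches the situation answer 4 describes, where only one of the two groups had been granted the permissions.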
  5. Anonymous
    2023-10-31T00:45:26+00:00

    Hello Clark Davidson1,

    Thank you for your reply and sharing.

    I am so glad that the issue was resolved.

    If the reply is helpful, please click "Accept Answer", thank you!

    Have a nice day!

    Best Regards,
    Daisy Zhou
