I cannot find my Certificate Authority!

BB 0 Reputation points
2025-04-02T16:29:03.1833333+00:00

I'm an IT admin with ~200+ users. We have a Certificate Authority that is hosted on our Domain Controller running Windows Server 2019. Last week, I was able to remote in via the snap-in (Certificates and Certificates Authority) on MMC. It is currently unreachable; running this command (certutil -config - -ping) in PowerShell yields that it is not reachable: "Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (16ms)". I've tried to reach it both on the DC and remotely via the MMC snap-in. When attempting nslookup, it shows the server name and the correct DNS IP address, followed by "{Domain Name} can't find {CA server}: Non-existent domain". I tried this PowerShell command (Test-NetConnection {CA server name} -Port 135) and received this message: "WARNING: Name resolution of {CA server name} failed

ComputerName : {CA server name}

RemoteAddress :

InterfaceAlias :

SourceAddress :

PingSucceeded : False"

I have found nothing in the Event Viewer to indicate that it has stopped issuing certifications or that it stopped working. I'm hoping it is just coincidence, but we are currently attempting to migrate our on-premise AD over to MS Entra-ID. We had 2 test laptops that this was attempted on last week (it's being handled by an MSP). This is being done with software that has not been released yet. Also, we are in the planning stages of upgrading our Windows 10 machines to Windows 11. We've upgraded a few test machines but have had issues with 802.1x authentication. In an attempt to fix this, I've been trying to configure a new NPS machine authentication method via Group Policy to use another authentication method (EAP-TLS instead of EAP-MSCHAPv2). This hasn't been set up yet and is configured for only 1 test machine. The last activity I had with this process was last week, attempting to create a Certification Template (machine authentication). The Certification Template was created and is visible in the MMC, but I received an error message saying I did not have permissions. So I stopped. I was inactive for ~1 week and now today discovered that the CA server cannot be reached at all. Please advise. I am not seeing any issues with users' connectivity yet, but I'm assuming this will happen sooner than later. Any guidance or help would be greatly appreciated.

Thank you,

-BB

Windows Server 2019

1 answer

  1. Daisy Zhou 32,431 Reputation points Microsoft External Staff
    2025-04-03T05:49:49.72+00:00

    Hello

    Thank you for posting in Q&A forum.

    Not sure if the problem (unable to remote in via the snap-in (Certificates and Certificates Authority) on MMC) to CA on this machine is caused by the tests you mentioned.

    I checked the same information as you in my lab.

    Background:

    Domain name: a.com

    Domain Controller server name (I have only one DC in this domain): DCA

    CA Name: a-dca-ca

    The DC is also CA.

    Client machine in the domain: Win11Pro

    On one domain-joined client machine (Win11Pro) :

    certutil -config - -ping (I got the same error as you mentioned)

    nslookup

    Test-NetConnection {CA server name} -Port 135

    The command is successful when I use the CA server name (DCA).

    Test-NetConnection {CA name} -Port 135

    The command fails when I use the CA name (a-dca-ca).

    On CA server (DCA) :

    certutil -config - -ping (the command is successful)

    Test-NetConnection {CA server name} -Port 135

    The command is successful when I use the CA server name (DCA).

    Test-NetConnection {CA name} -Port 135

    The command fails when I use the CA name (a-dca-ca).

    However, I can remote to this DC (CA server) on this client machine Win11Pro via Remote Desktop Connection and MMC, and I can request a certificate on this domain client machine Win11Pro.

    Please troubleshoot the problem as below:

    1. Please check if you can ping the CA server on your current domain machine (as I mentioned above).

    Ping the IP address of the CA server

    Ping the name of the CA server

    Ping the domain name

    2. Please run the command below using the CA server name instead of the CA name.

    Test-NetConnection {CA server name} -Port 135

    3. Please check if you can remote to the CA server on your current domain machine via Remote Desktop Connection.

    4. What error message did you get when you were unable to remote in via the snap-in (Certificates and Certificates Authority) on MMC?

    5. Please check if you can run "certutil -config - -ping" successfully on the CA server.

    6. Please check if you can request a certificate on your current domain machine.

    Here are some suggestions you can try:

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
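
The checks in steps 1, 2 and 5 of the answer above can be run as one layered test that keeps the CA server host name and the CA name apart. This is an added example, not part of the original answer: the function name `Test-CAReachability` is hypothetical, and `DCA` / `a-dca-ca` are the lab values from the answer, to be replaced with your own.

```powershell
# Added example: layered reachability check for an AD CS certification authority.
# Assumption: certutil.exe is on PATH (it ships with Windows).
function Test-CAReachability {
    param(
        [Parameter(Mandatory)][string]$CAServer,  # DNS host name of the machine running the CA
        [Parameter(Mandatory)][string]$CAName     # CA common name: a label, not a DNS record
    )
    $r = [ordered]@{
        CAServer     = $CAServer
        CAName       = $CAName
        Address      = $null
        DnsResolved  = $false
        Rpc135Open   = $false
        CertutilPing = $false
        Diagnosis    = $null
    }

    # Layer 1: does the server host name resolve to an address at all?
    $dns = Resolve-DnsName -Name $CAServer -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | Select-Object -First 1
    if ($dns) {
        $r.DnsResolved = $true
        $r.Address     = $dns.IPAddress

        # Layer 2: is the RPC endpoint mapper (TCP 135) reachable on that host?
        $tcp = Test-NetConnection -ComputerName $CAServer -Port 135 -WarningAction SilentlyContinue
        $r.Rpc135Open = [bool]$tcp.TcpTestSucceeded
    }

    # Layer 3: ask the CA service itself, naming the target as "host\CA name"
    # instead of picking it interactively with "-config -".
    if ($r.Rpc135Open) {
        & certutil.exe -config "$CAServer\$CAName" -ping | Out-Null
        $r.CertutilPing = ($LASTEXITCODE -eq 0)
    }

    $r.Diagnosis = if (-not $r.DnsResolved) {
        'Host name does not resolve: confirm it is the server name (not the CA name) and check its DNS record.'
    } elseif (-not $r.Rpc135Open) {
        'Name resolves but TCP 135 is closed: check firewall rules and that the server is up.'
    } elseif (-not $r.CertutilPing) {
        'RPC is reachable but the CA did not answer: check the Active Directory Certificate Services service on the server.'
    } else {
        'CA answered the ping.'
    }
    [pscustomobject]$r
}

# Lab values from the answer above.
Test-CAReachability -CAServer 'DCA' -CAName 'a-dca-ca'
```

Passing the CA name as `-CAServer` fails at the first layer, which is the same name-resolution failure the answer reproduces with `Test-NetConnection {CA name} -Port 135`.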
