no certificate in newly created domain controller

Janus Bariñan 1,126 Reputation points
2021-07-28T03:15:46.327+00:00

Hi,

In our newly created additional domain controller there are no certificates present.
118513-image.png

And when I try to enroll say for kerberos authentication it gets an RPC error.
118478-image.png

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,072 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2021-07-28T04:48:26.353+00:00

    Hello @Janus Bariñan ,

    Thank you so much for posting here.

    As for the RPC error, the probable cause is port block or insufficient DCOM permission.

    May I know there is the same RPC error if we enroll certificate on other domain controllers? If the error only occurred on this newly created domain controller, please follow the steps to have a check:

    1.Verify that Remote Procedure Call (RPC) and Windows Management Instrumentation services are running on this DC.
    2.Please ensure that “Authenticated Users” group is in the “Certificate Service DCOM Access” group.
    118489-image.png

    3.Verify that the Builtin\Users group includes the following member groups.
    118515-image.png

    4.Run the below commands to test the port 135. If port 135 is blocked, please make it open on the domain controller.

    Test-NetConnection(alias tnc) <host name or IP address of CA server> -Port 135 (powershell command)
    telnet <host name or IP address of CA server> 135 (CMD command)

    118543-image.png

    118480-image.png

    5.Please allow RPC Dynamic Ports TCP port range from 49152 to 65535 on the DC.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Janus Bariñan 1,126 Reputation points
    2021-07-28T05:05:01.807+00:00

    Hi Hannah,

    I'll try this one out and let you know the result.

    0 comments No comments

  3. Janus Bariñan 1,126 Reputation points
    2021-07-28T05:11:30.177+00:00

    By the way, will it be okay if i just request a custom certificate request and copy the details of "kerberos authentication" and "domain controller authentication" from other DCs and send the certificate requests to the certificate admin so he can generate the certificates. Then i will install these certificates to the DC.


  4. Hannah Xiong 6,276 Reputation points
    2021-07-28T07:45:22.827+00:00

    Hi @Janus Bariñan ,

    Thank you for your reply.

    It is TCP port 135. TCP 135 port should be open on the CA server and this domain controller.

    118518-image.png

    Reference: https://learn.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.