Certificate enrollment for Local system failed to enroll 0x800706ba (1722 RPC_S_SERVER_UNAVAILABLE)

Fabian 261 Reputation points
2021-09-17T17:21:35.253+00:00

Hi,

On one system (rodc1.domain.local) I get the following error when I try to enroll a certificate:

Event 13: Certificate enrollment for Local system failed to enroll for a DomainControllerCert certificate with request ID 757 from srv1.domain.local\CA1 (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

Event 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

This error message is pretty generic and I've already checked the most common answers on the internet, and all other posts in MS Q&A so I need some deeper analysis inputs.

I can already provide the following information:

  • Same error by autoenroll, or manual request over lmcert.msc
  • The system on which the server occurs is a RODC - just one rodc (don't know if it matters).
  • portqry -n srv1 -e 135 is successful
  • certutil shows the correct CA Config
  • certutil -ping -config "srv1\CA" is successful
  • Other writable Domain Controllers and clients can successfully enroll
  • Upon manually requesting the certificate using lmcert, the certificate is visible without warnings
  • ERODC group has enroll, autoenroll permission on the template
  • No blocks on network and windows firewall
  • In tcpview on RODC and CA, I see an established rpc connection if I request a Certificate
  • CA local group Certificate Services DCOM Access contains Authenticated Users
  • SrvOld is an old CA in the same domain but with a different CA-Name and does not hold the DomainControllerCert-Template

This is the enroll debug log of the RODC:

2016.403.0:<2021/9/17, 18:09:20>: 0x2280000 (36175872): CN=CA1,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local
2026.1472.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): srvOld.domain.local
2016.403.0:<2021/9/17, 18:09:20>: 0x2280000 (36175872): CN=CA1,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain.DC=local
2026.1472.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): srv1.domain.local
437.633.0:<2021/9/17, 18:09:20>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): LDAPFlags
437.633.0:<2021/9/17, 18:09:20>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): Active
2026.2013.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY): srvOld.domain.local
2026.2013.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY): srv1.domain.local
2027.7802.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
2032.3116.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE): DirectoryEmailReplication
2027.7802.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
2032.3116.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE): DomainControllerAuthentication
2027.7802.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
2032.3116.0:<2021/9/17, 18:09:20>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE): KerberosAuthentication
419.5431.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0)
2026.1010.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): srv1.domain.local\CA1
2027.3410.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): CA1
2027.3419.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0)
2027.8410.0:<2021/9/17, 18:09:20>: 0x80004003 (-2147467261 E_POINTER)
2009.6188.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2014.5381.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2009.5605.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2009.1788.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2009.3505.0:<2021/9/17, 18:09:20>: 0xc (WIN32: 12 ERROR_INVALID_ACCESS): Microsoft RSA SChannel Cryptographic Provider
2009.3506.0:<2021/9/17, 18:09:20>: 0x68 (WIN32/HTTP: 104 ERROR_INVALID_AT_INTERRUPT_TIME): te-DomainControllerCert-301f7c70-e716-4329-87d6-1836d12f6102
2040.1379.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): te-DomainControllerCert-301f7c70-e716-4329-87d6-1836d12f6102
2016.403.0:<2021/9/17, 18:09:20>: 0x2280000 (36175872):
2004.1422.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): sha1RSA
2004.1432.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): SHA1
2014.2136.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2015.1302.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2009.6686.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0)
2015.3461.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2015.1383.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2007.1799.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2015.2984.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2015.2990.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0): SHA1
2014.5218.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2013.4665.0:<2021/9/17, 18:09:20>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
2027.2976.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): Denied by Policy Module The request ID is 756.
2027.253.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): srv1.domain.local\CA1
2027.259.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): Denied by Policy Module
2027.271.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
2009.3505.0:<2021/9/17, 18:09:46>: 0xc (WIN32: 12 ERROR_INVALID_ACCESS): Microsoft RSA SChannel Cryptographic Provider
2009.3506.0:<2021/9/17, 18:09:46>: 0x70 (WIN32/HTTP: 112 ERROR_DISK_FULL): te-DomainControllerCert-301f7c70-e716-4329-87d6-1836d12f6102
2027.7767.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
2032.3511.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
2032.3668.0:<2021/9/17, 18:09:46>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY)
450.198.0:<2021/9/17, 18:09:46>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): Error
450.199.0:<2021/9/17, 18:09:46>: 0xc25a000d (-1034289139)
450.202.0:<2021/9/17, 18:09:46>: 0x0 (WIN32: 0): Local system
450.202.0:<2021/9/17, 18:09:46>: 0x1 (WIN32: 1 ERROR_INVALID_FUNCTION): DomainControllerCert
450.202.0:<2021/9/17, 18:09:46>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): srv1.domain.local\CA1
450.202.0:<2021/9/17, 18:09:46>: 0x3 (WIN32: 3 ERROR_PATH_NOT_FOUND): 756
450.202.0:<2021/9/17, 18:09:46>: 0x4 (WIN32: 4 ERROR_TOO_MANY_OPEN_FILES): The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

This is the certsrv debug log:

CertPol: Request cert type: DomainControllerCert(v100.6/v100.8)
419.5589.0:<2021/9/17, 18:09:20>: 0x0 (WIN32: 0)
1005.2886.0:<2021/9/17, 18:09:21>: 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY): userPrincipalName
806.433.0:<2021/9/17, 18:09:46>: 0xc0020017 (-1073610729 RPC_NT_SERVER_UNAVAILABLE)
806.435.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): rodc1.domain.local
1006.3650.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
1006.2604.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
1005.1737.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
1004.6406.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
1004.6538.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): RequestId=756
508.5601.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): RequestId=756

Thanks for any help, fabian


Accepted answer
  1. Fabian 261 Reputation points
    2021-11-18T10:16:38.67+00:00

    During troubleshooting I tried to enroll a normal computer certificate to the RODC using AutoEnrollment. This was successful. Based on the knowledge that the problem must be template related, I found this article.
    https://serverfault.com/questions/1005993/error-enrolling-kerberos-authentication-certificate-in-a-sparse-network

    According to it, the Kerberos Authentication Template (and only this one) needs an outgoing network connection over tcp#445 and 139 from the CA to the RODC for DNS name validation. For all other templates an incoming communication is sufficient. So I changed the network firewall rules and everything works fine.

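A check for the condition the accepted answer describes, as an added example that is not part of the original posts: run on the CA, it pulls the host named on RPC_S_SERVER_UNAVAILABLE lines of the certsrv debug log and tests TCP 445 and 139 from the CA to that host. The log lines are copied from the question; the function names are hypothetical, and reading the host on that log line as the machine the CA could not call back is an assumption consistent with the accepted answer.

```powershell
# Sample input: three lines copied from the certsrv debug log in the question.
$certsrvLog = @'
806.433.0:<2021/9/17, 18:09:46>: 0xc0020017 (-1073610729 RPC_NT_SERVER_UNAVAILABLE)
806.435.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): rodc1.domain.local
1004.6538.0:<2021/9/17, 18:09:46>: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE): RequestId=756
'@ -split "`r?`n"

# Ports the accepted answer says the CA must reach on the requesting machine.
$callbackPorts = 445, 139

# Hypothetical helper: return the distinct host names that appear as the
# trailing field of an RPC_S_SERVER_UNAVAILABLE line. Trailing fields that are
# not dotted host names (for example "RequestId=756") are ignored.
function Get-UnreachableRequester {
    param([string[]]$Line)
    $pattern = '0x800706ba \(WIN32: 1722 RPC_S_SERVER_UNAVAILABLE\): ' +
               '(?<fqdn>[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)\s*$'
    $Line | ForEach-Object {
        if ($_ -match $pattern) { $Matches['fqdn'] }
    } | Sort-Object -Unique
}

# Hypothetical helper: test each port from this machine (the CA) to each host.
# Test-NetConnection ships with Windows Server 2012 R2 and later.
function Test-CaCallbackPath {
    param([string[]]$ComputerName, [int[]]$Port)
    foreach ($name in $ComputerName) {
        foreach ($p in $Port) {
            $result = Test-NetConnection -ComputerName $name -Port $p `
                          -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target    = $name
                Port      = $p
                Reachable = $result.TcpTestSucceeded
            }
        }
    }
}

$targets = Get-UnreachableRequester -Line $certsrvLog
Test-CaCallbackPath -ComputerName $targets -Port $callbackPorts |
    Format-Table -AutoSize
```

A `Reachable` value of `False` for either port, while enrollment of other templates from the same machine succeeds, matches the firewall situation the accepted answer describes.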

2 additional answers

  1. Limitless Technology 39,391 Reputation points
    2021-09-20T07:26:17.823+00:00

    Hi Fabian,

    Thank you for your question.

    I recommend that you access the topic below, as it has a problem similar to yours currently:

    https://social.technet.microsoft.com/Forums/exchange/en-US/67492ab1-fa7d-48fd-9d88-e46b1fca61cc/certificate-enrollment-for-local-system-failed-to-enroll-the-rpc-server-is-unavailable-0x800706ba?forum=winserversecurity

    If the answer was helpful, please don't forget to vote positively or accept as an answer, thank you.


  2. behrooz amiri 1 Reputation point
    2021-11-18T08:14:52.51+00:00

    @Fabian did you manage to fix the issue?
    I've got the same issue, and it's happening for all the Domain Controllers.