The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Anxo Alonso 1 Reputation point
2022-02-20T19:56:24.593+00:00

Hello.
I want to request a certificate on a standalone certification authority, and I have the following issue:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
I did these tasks, but the problem persists:

  • Disable the firewall on the CA (OK)
  • Get-WmiObject Win32_ComputerSystem -ComputerName (OK)
  • netstat -ano | find "135" (OK)
  • sc query Winmgmt and sc query rpcss (OK)
  • service Remote Procedure Call (RPC) is running (OK)
  • Test-NetConnection IP -port 135 (OK)
  • Test-NetConnection IP -port 49703 (WARNING: TCP connect to (IP : 49703) failed)
  • Event Viewer: Security (The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user SID (S-1-5-21-2052401950-75243191-622671684-9855) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.)
  • Add Domain Users, Domain Controllers, Domain Computers groups to Certificate Service DCOM Access
  • Update the DCOM security settings on the server with the CA role (certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG / net stop certsvc & net start certsvc)
  • Nltest /Server:dc01 /query (OK)
  • Certutil -ping (OK)

Thanks so much.

Windows Server Security

5 answers

  1. Limitless Technology 43,966 Reputation points
    2022-02-22T15:02:59.913+00:00

    Hello @Anxo Alonso

    The CA tries to contact the requesting DC on ports 445 and 139. Please also check the port availability in your firewall (or disable it altogether for testing purposes).

    Hope this helps with your query,


  2. Anxo Alonso 1 Reputation point
    2022-02-23T10:43:49.503+00:00

    Hi.
    I solved the problem following this advice:
    This behavior can occur if the registration for the Distributed Component Object Model (DCOM) interface in either of the following registry locations contains both RunAs and LocalService entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
    or
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
    When this occurs, the Certification Authority service does not start because it does not expect both values to be set.

    To resolve this issue, remove the RunAs entries under both of the following registry locations:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
    Make sure that the LocalService entry exists under the following registry locations with a data value of CertSvc:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
    Attention: Before modifying the registry, please make sure to back up the registry and make sure that you understand how to restore the registry.
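
The registry check described in the answer above, as an added PowerShell example that is not part of the original post or of Microsoft's guidance: for the two AppId keys it reports whether RunAs and LocalService coexist and whether LocalService is CertSvc. The function name, the `-RemoveRunAs` switch and the backup directory are assumptions made for this example.

```powershell
# Added example: audit of the two DCOM AppId keys named in the answer above.
# Read-only by default; -RemoveRunAs exports each key to a .reg file, then deletes RunAs.
# Run from an elevated session on the CA server.
function Test-CertSvcAppId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$RemoveRunAs,
        [string]$BackupDir = $env:TEMP   # assumption: location for the .reg backups
    )
    $appIds = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}',
              '{D99E6E73-FC88-11D0-B498-00A0C90312F3}'
    foreach ($id in $appIds) {
        $regPath = "HKLM:\SOFTWARE\Classes\AppId\$id"
        if (-not (Test-Path -LiteralPath $regPath)) {
            [pscustomobject]@{ AppId = $id; RunAs = $null; LocalService = $null
                               Status = 'Key missing'; Action = 'None' }
            continue
        }
        $props        = Get-ItemProperty -LiteralPath $regPath
        $runAs        = $props.RunAs          # $null when the value is absent
        $localService = $props.LocalService

        # Status describes the state found, before any change is made.
        $status = if ($null -ne $runAs -and $null -ne $localService) {
            'Conflict: RunAs and LocalService both set'
        } elseif ($localService -ne 'CertSvc') {
            'LocalService missing or not CertSvc'
        } else { 'OK' }

        $action = 'None'
        if ($RemoveRunAs -and $null -ne $runAs -and
            $PSCmdlet.ShouldProcess($regPath, 'Back up key and remove RunAs')) {
            $backup = Join-Path $BackupDir ('AppId-{0}.reg' -f $id.Trim('{}'))
            reg.exe export "HKLM\SOFTWARE\Classes\AppId\$id" $backup /y | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; nothing changed." }
            Remove-ItemProperty -LiteralPath $regPath -Name RunAs
            $action = "RunAs removed (backup: $backup)"
        }
        [pscustomobject]@{ AppId = $id; RunAs = $runAs; LocalService = $localService
                           Status = $status; Action = $action }
    }
}

Test-CertSvcAppId | Format-Table -AutoSize
```

Running `Test-CertSvcAppId -RemoveRunAs -WhatIf` shows which keys would be changed without touching the registry.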


  3. Petr Slíva 1 Reputation point
    2022-03-30T10:04:40.72+00:00

    Hello,

    I had the same problem - domain controllers' certificates expired, auto-enroll didn't work and manual too... there were two errors in event log... (two DCs, certificate expired on both, Enterprise CA on separate server). Tried checking registry, firewall, many restarts of all servers etc., nothing worked...

    For me the solution was reinstalling the CA role on the server: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/uninstall-reinstall-ca-role

  4. Lukyanov Aleksey 0 Reputation points
    2023-10-09T07:47:34.4233333+00:00

    Check opened Dynamic ports range (tcp/1025-65535) from CA to DC.


  5. Michael Dunagan 0 Reputation points
    2023-12-26T19:12:42.2366667+00:00

    Just looking to see if anyone can help with a similar issue when adding the role and selecting the cert from DC01. We have 2 others and this just happens to be the last one we are trying to get working. It won't allow any users to be signed into the domain, but the laptops or devices have no problems. Added the AD CS to this server; when adding the role we constantly get the following error. I've looked high and low and ended up here looking for some help.

    Thanks.
