Hi,
In our newly created additional domain controller there are no certificates present.
And when I try to enroll, say for Kerberos Authentication, it gets an RPC error.
Hello @JanusBarinan-8508,
Thank you so much for posting here.
As for the RPC error, the probable cause is port block or insufficient DCOM permission.
May I know whether there is the same RPC error if we enroll a certificate on other domain controllers? If the error only occurs on this newly created domain controller, please follow the steps below to check:
1. Verify that the Remote Procedure Call (RPC) and Windows Management Instrumentation services are running on this DC.
2. Please ensure that the "Authenticated Users" group is in the "Certificate Service DCOM Access" group.
3. Verify that the Builtin\Users group includes the following member groups.
4. Run the commands below to test port 135. If port 135 is blocked, please open it on the domain controller.
Test-NetConnection <host name or IP address of CA server> -Port 135 (PowerShell command; alias tnc)
telnet <host name or IP address of CA server> 135 (CMD command)
5. Please allow the RPC dynamic port range TCP 49152 to 65535 on the DC.
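The checks above can be scripted from the new DC. The following is an added example, not a script from the thread or from Microsoft: it reports the state of the two services, whether "Authenticated Users" is in "Certificate Service DCOM Access", whether TCP 135 on the CA is reachable, the configured dynamic RPC range, and finally pings the CA's RPC interface with certutil. The CA host name and CA common name are placeholders you must replace; the group lookup assumes the ActiveDirectory module is installed on the DC.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the new DC.
param(
    [string]$CaHost = 'CA01.corp.example',          # placeholder: FQDN of the CA server
    [string]$CaName = 'PLACEHOLDER-Issuing-CA'      # placeholder: CA common name (certutil -dump shows it)
)

# 1. RPC and WMI services must be running on this DC.
foreach ($svc in 'RpcSs', 'Winmgmt') {
    $state = (Get-Service -Name $svc).Status
    '[{0}] service {1} is {2}' -f ($(if ($state -eq 'Running') {'OK'} else {'FAIL'})), $svc, $state
}

# 2. "Authenticated Users" (well-known SID S-1-5-11) should be a member of
#    "Certificate Service DCOM Access". In AD the well-known group is stored as a
#    foreignSecurityPrincipal whose DN starts with CN=S-1-5-11, so inspect the
#    raw member attribute instead of resolving each member.
#    On a standalone (non-DC) CA use:
#    Get-LocalGroupMember -Group 'Certificate Service DCOM Access'
Import-Module ActiveDirectory -ErrorAction Stop
$dcomGroup = Get-ADGroup -Identity 'Certificate Service DCOM Access' -Properties member
$hasAuthUsers = @($dcomGroup.member | Where-Object { $_ -like 'CN=S-1-5-11,*' }).Count -gt 0
'[{0}] Authenticated Users in Certificate Service DCOM Access' -f ($(if ($hasAuthUsers) {'OK'} else {'FAIL'}))

# 4. TCP 135 (RPC endpoint mapper) on the CA must be reachable from this DC.
$epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
'[{0}] TCP 135 to {1} (TcpTestSucceeded={2})' -f ($(if ($epm.TcpTestSucceeded) {'OK'} else {'FAIL'})), $CaHost, $epm.TcpTestSucceeded

# 5. The dynamic RPC range the OS actually uses (default 49152-65535). The
#    firewall between DC and CA must allow this range in addition to 135.
'Configured dynamic TCP port range on this host:'
netsh int ipv4 show dynamicport tcp

# Inbound firewall rules on this DC that use the special "RPC" local port value,
# i.e. rules that follow the dynamic range automatically.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 'RPC' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Profile, Action

# End-to-end check of the interface enrollment uses: certutil -ping calls the
# CA's ICertRequest interface over RPC/DCOM, so it fails the same way MMC
# enrollment does when 135 or the dynamic range is blocked or DCOM access is missing.
certutil -config "$CaHost\$CaName" -ping
```

If the service and group checks pass but the 135 test fails, the problem is the path between the DC and the CA rather than permissions, which is consistent with the telnet result reported later in this thread. If 135 succeeds and `certutil -ping` still fails, check the dynamic range and the DCOM group next, since the endpoint mapper is reachable but the actual CA interface is not.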
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
By the way, will it be okay if I just create a custom certificate request, copy the details of "Kerberos Authentication" and "Domain Controller Authentication" from other DCs, and send the certificate requests to the certificate admin so he can generate the certificates? Then I will install these certificates on the DC.
Thank you so much for your kind reply.
So sorry, I have not encountered this request before. I am not sure whether it could work since there is an RPC error, but we could try and check whether it works.
If we create a custom certificate request via the MMC snap-in, we could refer to the documentation below.
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/custom-certificate-request-in-windows-vista/ba-p/395498
Best regards,
Hannah Xiong
I tried sending the certificate request and cert admin got this error when trying to generate the certificate.
telnet to the CA on port 135 cannot go through. I guess this is a firewall issue. By the way, is port 135 TCP or UDP? Is it bidirectional or unidirectional?
Thank you for your reply.
It is TCP port 135. TCP port 135 should be open on the CA server and on this domain controller.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
I am checking how the issue is going. If you still have any questions, please feel free to contact us.
Best regards,
Hannah Xiong