question

0 Votes
AnxoAlonso-4974 asked PetrSlva-4550 edited

The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Hello.
I want to request a certificate on a standalone certification authority, and I have the following issue:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
I did these tasks, but the problem persists:

  •  Disable the firewall on the CA (OK)
    
  •  Get-WmiObject Win32_ComputerSystem –ComputerName (OK)
    
  •  netstat -ano | find "135" (OK)
    
  •  sc query Winmgmt and sc query rpcss (OK)
    
  •  service Remote Procedure Call (RPC) is running (OK)
    
  •  Test-NetConnection IP -port 135 (OK)
    
  •  Test-NetConnection IP -port 49703 (WARNING: TCP connect to (IP : 49703) failed)
    
  •  Event Viewer: Security (The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3} and APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user SID (S-1-5-21-2052401950-75243191-622671684-9855) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.)
    
  •  Add Domain Users, Domain Controllers, Domain Computers groups to Certificate Service DCOM Access
    
  •  Update the DCOM security settings on the server with the CA role (certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG / net stop certsvc & net start certsvc)
    
  •  Nltest /Server:dc01 /query (OK)
    
  •  Certutil -ping (OK)
    

Thanks so much.

windows-server-security

0 Votes
LimitlessTechnology-0326 answered

Hello @AnxoAlonso-4974

The CA tries to contact the requesting DC on ports 445 and 139; please also check the port availability in your firewall (or disable it altogether for testing purposes).

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--


0 Votes
AnxoAlonso-4974 answered

Hi.
I solved the problem by following this advice:
This behavior can occur if the registration for the Distributed Component Object Model (DCOM) interface in either of the following registry locations contains both RunAs and LocalService entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
or
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
When this occurs, the Certification Authority service does not start because it does not expect both values to be set.

To resolve this issue, remove the RunAs entries under both of the following registry locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
Make sure that the LocalService entry exists under the following registry locations with a data value of CertSvc:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E74-FC88-11D0-B498-00A0C90312F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\{D99E6E73-FC88-11D0-B498-00A0C90312F3}
Attention: Before modifying the registry, please make sure to back up the registry and make sure that you understand how to restore the registry.
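
A read-only way to check for the condition described in the answer above before editing anything, given as an added example that is not part of the original post or of the advice it quotes. The function name `Test-CertSvcAppId` is hypothetical; the two AppID GUIDs and the expected `CertSvc` value are the ones quoted in the answer.

```powershell
# Added example: read-only audit of the two DCOM AppID registrations named in
# the answer. It changes nothing; run it in an elevated session on the CA server.
$appIds = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}',
          '{D99E6E73-FC88-11D0-B498-00A0C90312F3}'

function Test-CertSvcAppId {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$AppId)

    $path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppId\$AppId"
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{
            AppId = $AppId; RunAs = $null; LocalService = $null
            Status = 'Key not found'
        }
    }

    $key          = Get-Item -LiteralPath $path
    $runAs        = $key.GetValue('RunAs')         # $null when the value is absent
    $localService = $key.GetValue('LocalService')  # $null when the value is absent

    # Classify the key against the conditions listed in the answer.
    $status = if ($null -ne $runAs -and $null -ne $localService) {
        'CONFLICT: both RunAs and LocalService are set'
    } elseif ($null -ne $runAs) {
        'RunAs is set and LocalService is missing'
    } elseif ($localService -ne 'CertSvc') {
        'LocalService is missing or is not CertSvc'
    } else {
        'OK: no RunAs, LocalService = CertSvc'
    }

    [pscustomobject]@{
        AppId        = $AppId
        RunAs        = $runAs
        LocalService = $localService
        Status       = $status
    }
}

$appIds | ForEach-Object { Test-CertSvcAppId -AppId $_ } | Format-List
```

Saving the output before and after a change gives a record of what was altered under each key.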


0 Votes
PetrSlva-4550 answered PetrSlva-4550 edited

Hello,

I had the same problem: the domain controllers' certificates expired, auto-enrollment didn't work and manual enrollment didn't either... there were two errors in the event log... (two DCs, certificate expired on both, Enterprise CA on a separate server). I tried checking the registry, the firewall, many restarts of all servers, etc.; nothing worked...
For me, the solution was reinstalling the CA role on the server: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/uninstall-reinstall-ca-role