New Domain Controller Cannot Enroll for KerberosAuthentication Certificate

5

I have an AD domain. 2003 FFL/DFL. The schema was upgraded to version 56 for Server 2012. The domain contains a mix of domain controllers from Server 2003, Server 2008, Server 2008 R2, and now Server 2012.

I have an Enterprise Issuing Certificate Authority running 2008 R2.

The Server 2012 domain controllers are unable to enroll or autoenroll for their KerberosAuthentication certificates. Error event IDs 6 and 13 in the Application log:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID 5512 from ECA.domain.com\Company Issuing CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Seeing that "RPC server is unavailable" instinctively makes one jump to the conclusion that there are network connectivity issues. But it's not that.

  • I've used portqry.exe to verify that the endpoint mapper and all high-numbered ports are indeed available from the DC to the ECA.
  • The 2012 domain controller did successfully autoenroll for two other types of certificates. It's just this one certificate that's the problem.
  • I see the request on the ECA; it failed there with the same reason for failure as the client reports.

So it's obviously got network comms. There's something about this particular certificate. No other domain controllers have problems with this certificate. Only the 2012 DCs.

active-directory
windows
ad-certificate-services
asked on Server Fault Feb 14, 2014 by Ryan Ries • edited Jun 11, 2020 by Community
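The checks the poster describes (the event IDs 6 and 13, the RPC endpoint mapper test, the failed request visible on the CA) can be collected in one pass. The following PowerShell is an added diagnostic example, not code from the original post; it assumes the CA host `ECA.domain.com`, the CA name `Company Issuing CA` and request ID 5512 quoted in the events, and is meant to be run elevated on the affected 2012 DC.

```powershell
# Added triage script for a DC that fails KerberosAuthentication enrollment with
# 0x800706ba. The CA host, CA name and request ID are taken from the event text
# in the question; change them for another environment.
$CaHost    = 'ECA.domain.com'
$CaConfig  = "$CaHost\Company Issuing CA"
$Template  = 'KerberosAuthentication'
$RequestId = 5512

# 1. Collect the autoenrollment (ID 6) and CertEnroll (ID 13) errors and pull the
#    HRESULT out of the message, so RPC_S_SERVER_UNAVAILABLE (0x800706ba) can be
#    separated from other enrollment failures.
Write-Host '--- Recent enrollment errors ---'
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 6, 13 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-CertificateServicesClient*' } |
    ForEach-Object {
        $hr = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { 'n/a' }
        '{0:u}  Id={1}  HRESULT={2}' -f $_.TimeCreated, $_.Id, $hr
    }

# 2. Confirm the DC reaches the CA's RPC endpoint mapper (TCP 135). If this succeeds
#    while enrollment still fails, the 1722 is not a plain connectivity problem.
$epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
Write-Host "Endpoint mapper on $CaHost reachable: $($epm.TcpTestSucceeded)"

# 3. Show which templates this machine already holds certificates for, to confirm
#    that the other autoenrolled templates succeeded and only this one is missing.
Write-Host '--- Machine certificates by template ---'
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tplText = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
    '{0}  {1}' -f $_.Subject, $tplText
}

# 4. Read the failed request row from the CA database so the server-side disposition
#    message can be compared with the client-side event text.
Write-Host "--- CA view of request $RequestId ---"
certutil -config $CaConfig -view -restrict "RequestID=$RequestId" `
    -out 'RequestID,RequesterName,Disposition,DispositionMessage,CertificateTemplate'

# 5. Retry a manual machine enrollment for the template and report the exit code,
#    which gives a reproducible test case independent of the autoenrollment timer.
certreq -enroll -machine -q $Template | Out-Null
Write-Host "certreq -enroll $Template exit code: $LASTEXITCODE"
```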

1 Answer

1

The 1722 error can be erroneous and misleading in certificate services. Have you tried this?

https://sites.google.com/site/sergioceokb/microsoft/microsoft-errors

answered on Server Fault Feb 14, 2014 by Ryan Newington

User contributions licensed under CC BY-SA 3.0