I have an AD domain. 2003 FFL/DFL. The schema was upgraded to version 56 for Server 2012. The domain contains a mix of domain controllers from Server 2003, Server 2008, Server 2008 R2, and now Server 2012.
I have an Enterprise Issuing Certificate Authority running 2008 R2.
On the Server 2012 domain controllers, they are unable to enroll or autoenroll for their KerberosAuthentication certificates. Error event IDs 6 and 13 in the Application log:
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate with request ID 5512 from ECA.domain.com\Company Issuing CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Seeing that "RPC server is unavailable" instinctively makes one jump to the conclusion that there are network connectivity issues. But it's not that.
So it's obviously got network comms. There's something about this particular certificate. No other domain controllers have problems with this certificate. Only the 2012 DCs.
The 1722 error can be erroneous and misleading in certificate services. Have you tried this?
User contributions licensed under CC BY-SA 3.0