certutil -TCAInfo error message RegConnectRegistry/RegOpenKeyEx: The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)


Recently we noticed the following errors were occurring daily in our Event Logs for servers in our DMZ:

CertificateServicesClient-CertEnroll EventID 82
Certificate enrollment for Local system failed in authentication to all urls for enrollment
server associated with policy id: {00B9F3A7-...-50628BC5AE7E} (The RPC server is
unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for
template: Machine

CertificateServicesClient-CertEnroll EventID 13
Certificate enrollment for Local system failed to enroll for a Machine certificate with 
request ID N/A from NY-CA01.company.com\Company Internal Root CA (d0 7a ... f3 e4 70).

CertificateServicesClient-AutoEnrollment EventID 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is
unavailable.

I suspect it is a firewall issue, and tried to use the certutil.exe tool to verify connectivity to the certificate authorities, but when running the -TCAInfo command I received the following error message:

PS C:\windows\system32> certutil -tcainfo
================================================================
CA Name: Company Internal Root CA

Machine Name: NY-CA01.Company.com

DS Location: CN=Company Internal Root CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Company,DC=com

Cert DN: CN=CompanyInternal Root CA, DC=Company, DC=com
RegConnectRegistry/RegOpenKeyEx: The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)

CA Registry Validity Period: ? ???
 NotAfter: 10/11/2031 7:05 PM

Connecting to NY-CA01.Company.com\Company Internal Root CA ...
Server "Company Internal Root CA" ICertRequest2 interface is alive (47ms)
...
================================================================
NY-CA01.Company.com\Company Internal Root CA:
  Enterprise Root CA
  A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
  Online

It appears to think that the CA is Online and alive, but there is a "The network path was not found" error and the "CA Registry Validity Period: ? ???" is unknown.

I confirmed that https://ny-ca01.company.com/certsrv/ is accessible from the DMZ servers, so what other ports are needed for renewing certificates?

windows
certificate-authority
certutil
asked on Server Fault Dec 21, 2015 by Greg Bray

1 Answer


I found this article which indicates the 53 ERROR_BAD_NETPATH error message might have something to do with the Remote Registry service. I verified that the service is running (no errors from non-DMZ servers), but inside the DMZ calls to net use \\RemoteMachine\Admin$ were failing with the same "Network path was not found" error.

Checking our Fortinet firewall rules, we already allowed HTTPS on port 443 and DCE-RPC on port 135, but we did not allow SMB for CIFS/SAMBA access on port 445.

After adding a rule for SMB access from the DMZ to our CA servers, the above errors no longer occur when running certutil -TCAInfo.

answered on Server Fault Dec 21, 2015 by Greg Bray
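As an added illustration of the check described in the answer (this is editor-supplied example code, not something from the original question or answer), the script below tests from a DMZ host the three TCP ports the thread identifies (135 for the RPC endpoint mapper, 445 for SMB/Remote Registry, 443 for certsrv), then reproduces the RegConnectRegistry step that certutil -TCAInfo performs by opening the CA's CertSvc configuration key over Remote Registry, and finally pings the CA's ICertRequest interface. The CA host name and CA common name are placeholders taken from the thread; replace them with your own. One caveat the thread does not cover: DCOM enrollment uses port 135 only to locate the service, after which the CA answers on a dynamic high port (49152-65535 by default on Windows Server 2008 and later), so a successful test on 135 alone does not prove ICertRequest will work; the certutil -ping step at the end exercises the full RPC path.

```powershell
# Added example (not from the original post): verify the TCP ports that
# certutil -TCAInfo and machine autoenrollment need from a DMZ host to a CA.
# $CaHost and $CaName are assumptions taken from the thread; adjust for your CA.
$CaHost = 'NY-CA01.company.com'
$CaName = 'Company Internal Root CA'

$Ports = @(
    @{ Port = 135; Service = 'RPC endpoint mapper (DCOM / ICertRequest)' },
    @{ Port = 445; Service = 'SMB (Remote Registry, Admin$ / IPC$)' },
    @{ Port = 443; Service = 'HTTPS (certsrv / CES / CEP)' }
)

# Plain TCP reachability for each port; a False here usually means a firewall rule.
$results = foreach ($p in $Ports) {
    $tnc = Test-NetConnection -ComputerName $CaHost -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $p.Port
        Service   = $p.Service
        Reachable = $tnc.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Remote Registry over SMB: this is the RegConnectRegistry/RegOpenKeyEx call that
# produced ERROR_BAD_NETPATH in the question. certutil reads the CA's validity
# period and other settings from CertSvc\Configuration on the CA host.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $CaHost)
    $cfg  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\CertSvc\Configuration')
    if ($cfg) {
        "Remote Registry OK: active CA on $CaHost is '$($cfg.GetValue('Active'))'"
    } else {
        "Remote Registry reachable on $CaHost, but CertSvc\Configuration not found (not a CA?)"
    }
}
catch {
    "Remote Registry FAILED on $($CaHost): $($_.Exception.Message)"
}

# DCOM enrollment path: 135 resolves the endpoint, then the CA answers on a
# dynamic high port (49152-65535 by default on Server 2008+). certutil -ping
# walks that whole path, so it is the real test for EventID 82/13/6 errors.
& certutil.exe -ping -config "$CaHost\$CaName"
if ($LASTEXITCODE -ne 0) {
    "ICertRequest ping FAILED (exit $LASTEXITCODE): check 135 and the dynamic RPC range"
}
```

Run it in an elevated PowerShell session on one of the DMZ servers. Port 445 reachable but the registry call failing points at the Remote Registry service on the CA rather than the firewall; port 135 reachable but the ping failing points at the dynamic RPC port range being blocked.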

User contributions licensed under CC BY-SA 3.0