Channel: Jacques DALBERA's IT world » PKI

PKI – Certificates – Troubleshooting certificate enrollment RPC server is unavailable


Web references:

http://www.networksteve.com/forum/topic.php/CCertRequest::Submit:_The_RPC_server_is_unavailable._0x800706ba/?TopicId=54320&Posts=3

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3de8600-cf4e-4a39-a42e-7f929e1b8d6d/certificate-enrollment-the-rpc-server-is-unavailable

http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

 

Symptoms:

Enrolling a web server certificate (or a computer or user certificate) fails with the error "The RPC server is unavailable", even though this CA has issued certificates for computers and web servers in the past.

certutil -ping -config server.domain.com\domain-server-ca
Connecting to server.domain.com\domain-server-ca

Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.

The same command, run from a command prompt on the same computer as a domain admin, succeeds:

Server “domain-server-CA” ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

Solution:

Please ensure that the “Authenticated Users” group is a member of the “Certificate Service DCOM Access” group.

Please verify that the Builtin\Users group includes the following member groups:

Authenticated Users
Domain Users
INTERACTIVE

Check the DCOM Access Limit of “My Computer” on the server encountering the issue:

1)    On the server, run dcomcnfg.exe.

2)    On the Component Services console, navigate to Component Services\Computers\My Computer.

3)    Right-click My Computer, select Properties, and verify that Enable Distributed COM on this computer is selected on the Default Properties tab.

4)    Click the COM Security tab, click Edit Limits in the Access Permission section, and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.

5)    Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.

6)    Click OK.
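
The same settings can be read out from PowerShell without changing anything, which helps when comparing a failing CA with a working one. This is an added example, not part of the original post; it assumes an elevated Windows PowerShell 5.1 session on the CA server, that the CA runs on a member server rather than a domain controller, and it reuses the placeholder CA config string from the symptoms above.

```powershell
# Read-only audit of the group memberships and DCOM limits checked in the steps above.
# Assumption: elevated session on the CA, which is a member server (not a DC).

# COM access-mask bits from the Windows SDK (COM_RIGHTS_*).
$ComRights = [ordered]@{
    'Local Access or Launch'  = 0x02   # COM_RIGHTS_EXECUTE_LOCAL
    'Remote Access or Launch' = 0x04   # COM_RIGHTS_EXECUTE_REMOTE
    'Local Activation'        = 0x08   # COM_RIGHTS_ACTIVATE_LOCAL
    'Remote Activation'       = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
}
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomLimit {
    # Decodes one machine-wide DCOM limit (a binary security descriptor) into rows.
    param([Parameter(Mandatory)][string]$ValueName)
    $bytes = (Get-ItemProperty -Path $OleKey -Name $ValueName -ErrorAction Stop).$ValueName
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Show a readable account name when the SID resolves, the raw SID otherwise.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $rights = $ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] }
        [pscustomobject]@{
            Limit     = $ValueName
            Principal = $who
            Type      = $ace.AceType
            Rights    = $rights -join ', '
        }
    }
}

# Group memberships named in the solution.
foreach ($group in 'Certificate Service DCOM Access', 'Users') {
    "Members of ${group}:"
    Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name
}

# Step 3: "Enable Distributed COM on this computer" is stored as EnableDCOM = Y.
"EnableDCOM = $((Get-ItemProperty -Path $OleKey).EnableDCOM) (expected: Y)"

# Steps 4 and 5: Edit Limits for Access and for Launch and Activation.
'MachineAccessRestriction', 'MachineLaunchRestriction' |
    ForEach-Object { Get-DcomLimit -ValueName $_ } |
    Format-Table -AutoSize

# Re-run the failing test from a client as the affected (non-admin) user.
$CaConfig = 'server.domain.com\domain-server-ca'   # placeholder from the symptoms above
certutil -ping -config $CaConfig
```

In the output, the Certificate Service DCOM Access rows should show the rights listed in steps 4 and 5, and Authenticated Users should appear among that group's members.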

 


