Trouble Renewing Domain Controller Certificates with AD CA

Asked By TechSavvy123 On

I've been trying to renew the certificates for my two domain controllers, but both have all three certs expired. I've been at it for almost two days! I attempted to set up group policy to auto-renew the certs, but it didn't change anything. I also tried to manually ask for renewal, and I keep getting an error saying, 'The requested certificate template is not supported by this CA' as well as some issues with the certification authority itself. I tried generating a fresh cert using my CA but got an error stating, 'An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable.' I've checked RPC and DCOM and everything seems fine. I could really use some help with this!

5 Answers

Answered By CertGuru2023 On

Have you checked if the root certificate is valid? It also needs to be properly distributed within the domain. Ensuring that the URI is working and DNS resolvable is key. If everything checks out with the CA features, you should be able to proceed without issue.

Answered By NetworkNinja99 On

It sounds like you're stuck with a problematic template issue. You should avoid using the default DC certificate templates since they can cause issues. Instead, duplicate the Domain Controller Authentication template, make sure to add KDC authentication to it, and configure the subject name to include the DNS name. Also, ensure the new template has permissions for ENTERPRISE DOMAIN CONTROLLERS to enroll and auto-enroll.

As for the RPC errors, be cautious about any firewalls that might block RPC traffic. If there's a firewall, you need to ensure that the high ports used by RPC (TCP 49152-65535) are open in addition to port 135. If there aren’t any firewalls, you might need to look further into the CA's health by checking for errors in pkiview.msc or reviewing failed requests in the logs.

Answered By FriendlyAdmin On

Another option to consider is using Let's Encrypt instead of dealing with the domain cert issues if that fits your setup. It’s worth exploring if you just need to get back up and running.

Answered By RPCExpert88 On

To test if RPC is blocked, try using the computer management MMC to connect to the issuing CA. If that works, then your template might not have the right permissions for the DC to enroll. You might need to create or clone a new cert template, ensuring the enterprise domain controllers can read and enroll. When setting it up, don’t forget to manage the permissions correctly!
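
The checks that the two answers above describe (RPC reachability to the CA, whether the CA issues the template, and whether ENTERPRISE DOMAIN CONTROLLERS holds Enroll and AutoEnroll on it) can be run from the affected DC as one PowerShell script; this is an added example and not code posted by anyone in this thread. It assumes a CA config string of the form `<CA host>\<CA name>` (`$CaConfig`) and the name of the duplicated template (`$TemplateName`); both values below are placeholders to replace.

```powershell
# Added diagnostic script, not from any answer above. Assumed values: the CA config
# string ($CaConfig) and the duplicated template's name ($TemplateName).
$CaConfig     = 'ca01.corp.example\Corp-Issuing-CA'   # assumption: "<CA host>\<CA common name>"
$TemplateName = 'DomainControllerAuthenticationV2'   # assumption: name of the duplicated template
$CaHost       = $CaConfig.Split('\')[0]

# 1. Expired certificates in the DC's machine store (the symptom in the question).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. RPC reachability: the endpoint mapper (TCP 135) must answer before any DCOM call works.
#    The dynamic range (TCP 49152-65535) is negotiated afterwards, so a block there shows up
#    in step 3 even when 135 is open.
Test-NetConnection -ComputerName $CaHost -Port 135 | Select-Object ComputerName, TcpTestSucceeded

# 3. ICertRequest interface check, then the templates this CA is configured to issue.
#    'The requested certificate template is not supported by this CA' means the template
#    is not in this list (publish it on the CA under Certificate Templates).
certutil -ping -config $CaConfig
certutil -CATemplates -config $CaConfig | Select-String $TemplateName

# 4. Enroll / AutoEnroll rights on the template object for ENTERPRISE DOMAIN CONTROLLERS.
#    Extended-right GUIDs: Certificate-Enrollment and Certificate-AutoEnrollment.
Import-Module ActiveDirectory
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ConfigNc   = (Get-ADRootDSE).configurationNamingContext
$TemplateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNc"
$EdcSid     = [System.Security.Principal.SecurityIdentifier]'S-1-5-9'   # ENTERPRISE DOMAIN CONTROLLERS
$Acl = Get-Acl -Path "AD:\$TemplateDn"
$Acl.Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $EdcSid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid)
    } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'AutoEnroll' }
        "ENTERPRISE DOMAIN CONTROLLERS has $right on $TemplateName"
    }

# 5. Once the template is published and the ACL is right, force an autoenrollment pass
#    instead of waiting for the Group Policy refresh interval.
certutil -pulse
```

If step 4 prints nothing, the template ACL is missing the rights the answers mention; if step 2 succeeds but `certutil -ping` fails, look at the dynamic RPC range rather than port 135.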

Answered By ConfusedTechie On

What’s your operating system version? It might be worth reaching out to Microsoft support for more direct assistance if all this troubleshooting doesn’t yield results!
