Struggling with Domain Controller Certificate Renewal Issues

Asked By TechTroubleshooter99 On

Hey everyone,

I've been dealing with a frustrating situation for the past two days involving my two domain controllers. On both of them, all three certificates have expired, and despite trying a few things, I'm still hitting roadblocks.

Here's what I've done so far:

- I updated Group Policies to automatically renew the certificates, but that didn't change anything.
- I manually attempted to renew the certs with both the same and new key pairs, but I received the following error: **The requested certificate template is not supported by this CA.** It seems like either a valid CA that can issue certificates isn't properly configured, or the CA itself isn't trusted.

Then, I tried generating a fresh certificate from my CA, but got another error: **An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)**.

I've already checked RPC and DCOM settings, and everything appears fine. Any ideas on how to resolve this? Thanks in advance!

3 Answers

Answered By CertCzar1 On

Make sure your root certificate is valid and distributed across your domain. Also, verify that the URI is working and resolvable via DNS. Ensure that all features required for the CA are installed properly. Sometimes, these foundational elements can be overlooked and cause certificate issues.
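The three checks in this answer can be run from the DC itself rather than eyeballed. The script below is an added example, not code from the thread: it lists which certificates in the machine store have expired, builds each one's chain (ignoring expiry) to see whether the root is actually in Trusted Root Certification Authorities, and then pulls the AIA/CDP URLs out of the certificates to test DNS resolution and a TCP connect for each. Nothing is hard-coded; the CA host names come out of the certificates.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell
# session on one of the domain controllers. Checks: expiry of every cert in the
# personal store, whether each still chains to a root that sits in the Trusted Root
# store, and whether the published AIA/CDP URLs resolve and answer on the network.

$report     = [System.Collections.Generic.List[string]]::new()
$myCerts    = Get-ChildItem Cert:\LocalMachine\My
$rootThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint

foreach ($c in $myCerts) {
    # 1. Expiry status of every certificate in the personal store.
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED ' + $c.NotAfter.ToString('u') }
             else { 'valid until ' + $c.NotAfter.ToString('u') }
    $report.Add("CERT : $($c.Subject) | $($c.Thumbprint) | $state")

    # 2. Build the chain while ignoring expiry, so an expired leaf still shows
    #    whether its issuer and root are present and trusted on this machine.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $built = $chain.Build($c)
    $top   = if ($chain.ChainElements.Count -gt 0) {
                 $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
             } else { $c }
    $inRoot = $rootThumbs -contains $top.Thumbprint
    $report.Add("CHAIN: $($c.Subject) -> '$($top.Subject)' chainBuilt=$built rootInStore=$inRoot")
}

# 3. Pull the AIA (1.3.6.1.5.5.7.1.1) and CDP (2.5.29.31) URLs out of the
#    certificates and test DNS resolution plus a TCP connect for each one.
$urls = foreach ($c in $myCerts) {
    foreach ($ext in $c.Extensions) {
        if ($ext.Oid.Value -in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
            [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') | ForEach-Object { $_.Value }
        }
    }
}
foreach ($u in ($urls | Sort-Object -Unique)) {
    $uri = [uri]$u
    if ([string]::IsNullOrEmpty($uri.Host)) {
        # ldap:/// with no host means "any DC"; AD itself serves it, nothing to resolve.
        $report.Add("URL  : $u -> served from AD (ldap:///)")
        continue
    }
    $dns = Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue | Where-Object { $_.IPAddress }
    if (-not $dns) { $report.Add("URL  : $u -> DNS FAILED for $($uri.Host)"); continue }
    $port = if ($uri.Port -gt 0) { $uri.Port } else { 80 }
    $tcp  = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
    $report.Add("URL  : $u -> $($uri.Host) = $($dns[0].IPAddress), TCP $port open=$($tcp.TcpTestSucceeded)")
}
$report
```

A CHAIN line with `rootInStore=False` is the "root certificate not distributed" case; a URL line with `DNS FAILED` or `open=False` is the "URI not working or resolvable" case, and both will also show up as red entries in pkiview.msc.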

Answered By NetworkNinja33 On

It’s generally not a good idea to stick with default DC templates because they can cause issues. You should only use one certificate per DC. Instead, try duplicating the Domain Controller Authentication template, adding the KDC authentication EKU, and ensuring the subject name includes the DNS name. Also, make sure your new template is set to allow enrollment and auto-enrollment rights for Enterprise Domain Controllers.

As for those RPC errors you’re seeing, check if a firewall might be blocking communication between your servers and the CA. Windows has implemented extra security measures for RPC traffic which can cause problems if the necessary ports aren’t opened. If you’re using something like a FortiGate firewall, you might need to open the high range ports (49152-65535) along with TCP 135. If there's no firewall in the mix, the issue might be with the CA itself. Perhaps run pkiview.msc to see if there are any errors and check the logs for failed requests.
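The firewall theory in this answer is easy to confirm or rule out from the failing DC. The script below is an added example (not from the answer): it tests TCP 135 first, then issues a real RPC call with `certutil -ping`, which has to come back through the dynamic port the endpoint mapper hands out, so 135 open plus a ping failing with 0x800706ba is the signature of the 49152-65535 range being filtered. It then asks the CA which templates it will issue (the "template is not supported by this CA" error) and lists failed and denied requests from the CA database. The CA config string is discovered with `certutil -dump`; `$TemplateName` is a placeholder for the template the DC is requesting.

```powershell
# Added example, not code from the original answer. Run on the domain controller
# that fails to enroll. Assumptions: an Enterprise CA is published in AD (so
# certutil -dump can find it) and $TemplateName is the template name (not the
# display name) the DC is asking for; the value below is a placeholder.

$TemplateName = 'DomainControllerAuthentication'

# Discover "CAHost\CAName" from the enrollment services published in AD.
$cfgLine = (certutil -dump | Select-String '^\s*Config:' | Select-Object -First 1).Line
if (-not $cfgLine) { throw 'certutil -dump returned no CA config; is an Enterprise CA published in AD?' }
$config = ($cfgLine -replace '^\s*Config:\s*', '') -replace '^[`'']|[`'']$', ''
$caHost = $config.Split('\')[0]
"CA config: $config"

# 1. Endpoint mapper: every RPC conversation with the CA starts on TCP 135.
$epm = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
"TCP 135 to $caHost reachable: $($epm.TcpTestSucceeded)"

# 2. certutil -ping performs an ICertRequest RPC call, so it must traverse the
#    dynamic port (49152-65535) that the endpoint mapper returns. 135 open but
#    ping failing with 0x800706ba means the high range is being filtered.
$ping = & certutil -config $config -ping 2>&1 | ForEach-Object { "$_" }
"certutil -ping exit $LASTEXITCODE : $($ping -join ' ')"

# 3. Which templates does this CA actually issue? Each line is "Name: Display name -- ...".
$templates = & certutil -config $config -CATemplates 2>&1 | ForEach-Object { "$_" }
$offered   = $templates | Where-Object { $_ -match "^$([regex]::Escape($TemplateName)):" }
if ($offered) { "CA issues $TemplateName : $offered" }
else { "CA does NOT issue $TemplateName -> matches 'template is not supported by this CA'" }

# 4. Failed (Disposition 30) and denied (31) requests recorded in the CA database.
#    Needs Read access on the CA and runs remotely over the same RPC channel.
& certutil -config $config -view -restrict 'Disposition>=30,Disposition<=31' `
    -out 'RequestID,RequesterName,SubmittedWhen,StatusCode,DispositionMessage' 2>&1 |
    ForEach-Object { "$_" }
```

If step 2 fails while step 1 succeeds, look at the firewall between the DC and the CA before touching templates; if both succeed, the failed-request list in step 4 will usually name the template or permission problem directly.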

Answered By AdminGuru99 On

Try using the computer management MMC to connect to the issuing CA, as this uses RPC. It’s a simple way to see if there’s an issue with RPC blocking. If that connection works, the issue might be with permissions on the template. Consider creating a new cert template and allowing read/enrollment permissions for your Enterprise Domain Controllers. Setting auto-enroll for the new cert could also be beneficial.
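Both this answer and the previous one end up at the same place: a duplicated Domain Controller Authentication template with the KDC Authentication EKU, the DNS name in the subject, and Read/Enroll/AutoEnroll for Enterprise Domain Controllers. The script below is an added example (not from either answer) that audits exactly those properties by reading the template object out of the Configuration partition. `$TemplateName` is whatever you called the duplicate; `DC-Auth-KDC` is only a placeholder.

```powershell
# Added example, not code from either answer. Run from any domain-joined machine
# with the ActiveDirectory module. Audits a DC certificate template for: the EKUs
# a DC needs (KDC Authentication included), the subject-name flags that put the
# DNS name in the cert, the template's auto-enrollment flag, and whether Enterprise
# Domain Controllers (S-1-5-9) hold Read, Enroll and AutoEnroll on it.
# Assumption: $TemplateName is the name (cn) of your duplicate; placeholder below.

Import-Module ActiveDirectory
$TemplateName = 'DC-Auth-KDC'

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'pKIExtendedKeyUsage', 'msPKI-Certificate-Application-Policy',
            'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
$tpl = Get-ADObject -SearchBase $tplBase -LDAPFilter "(cn=$TemplateName)" -Properties $props
if (-not $tpl) { throw "Template '$TemplateName' not found under $tplBase" }

# EKUs a DC certificate needs for Kerberos PKINIT / smart card logon and LDAPS.
$wantedEku = [ordered]@{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$present = @($tpl.pKIExtendedKeyUsage) + @($tpl.'msPKI-Certificate-Application-Policy')
foreach ($oid in $wantedEku.Keys) {
    $status = if ($present -contains $oid) { 'present' } else { 'MISSING' }
    '{0,-22} {1,-24} {2}' -f $wantedEku[$oid], $oid, $status
}

# msPKI-Certificate-Name-Flag bits (MS-CRTD): how the subject and SAN are built.
$nameFlags = [int64]$tpl.'msPKI-Certificate-Name-Flag'
$nameBits  = [ordered]@{
    ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
    SUBJECT_ALT_REQUIRE_SPN   = 0x00800000
    SUBJECT_ALT_REQUIRE_DNS   = 0x08000000
    SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000
}
foreach ($k in $nameBits.Keys) { '{0,-26} {1}' -f $k, (($nameFlags -band $nameBits[$k]) -ne 0) }
# msPKI-Enrollment-Flag 0x20 = CT_FLAG_AUTO_ENROLLMENT.
'AUTO_ENROLLMENT            {0}' -f ((([int64]$tpl.'msPKI-Enrollment-Flag') -band 0x20) -ne 0)

# Does Enterprise Domain Controllers hold Read + Enroll + AutoEnroll on the template?
$edc = ([System.Security.Principal.SecurityIdentifier]'S-1-5-9').Translate([System.Security.Principal.NTAccount]).Value
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment control access right
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment control access right
$acl  = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$aces = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $edc }
$ext  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$read = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$hasRead   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $read) -ne 0 })
# An ExtendedRight ACE with an empty ObjectType grants every control access right.
$hasEnroll = [bool]($aces | Where-Object { (($_.ActiveDirectoryRights -band $ext) -ne 0) -and ($_.ObjectType -in $enrollGuid, [guid]::Empty) })
$hasAuto   = [bool]($aces | Where-Object { (($_.ActiveDirectoryRights -band $ext) -ne 0) -and ($_.ObjectType -in $autoEnrollGuid, [guid]::Empty) })
[pscustomobject]@{ Template = $TemplateName; EDC_Read = $hasRead; EDC_Enroll = $hasEnroll; EDC_AutoEnroll = $hasAuto }
```

A template where `EDC_Enroll` is False produces the same "template is not supported" symptom as a template the CA does not publish, so check both the CA's template list and this ACL before assuming RPC is the culprit.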
