I've been trying to renew the certificates for my two domain controllers, but both have all three certs expired. I've been at it for almost two days! I attempted to set up group policy to auto-renew the certs, but it didn't change anything. I also tried to manually ask for renewal, and I keep getting an error saying, 'The requested certificate template is not supported by this CA' as well as some issues with the certification authority itself. I tried generating a fresh cert using my CA but got an error stating, 'An error occurred while enrolling for a certificate. The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable.' I've checked RPC and DCOM and everything seems fine. I could really use some help with this!
5 Answers
Have you checked if the root certificate is valid? It also needs to be properly distributed within the domain. Ensuring that the URI is working and DNS resolvable is key. If everything checks out with the CA features, you should be able to proceed without issue.
It sounds like you're stuck with a problematic template issue. You should avoid using the default DC certificate templates since they can cause issues. Instead, duplicate the Domain Controller Authentication template, make sure to add KDC authentication to it, and configure the subject name to include the DNS name. Also, ensure the new template has permissions for ENTERPRISE DOMAIN CONTROLLERS to enroll and auto-enroll.
As for the RPC errors, be cautious about any firewalls that might block RPC traffic. If there's a firewall, you need to ensure that the high ports used by RPC (TCP 49152-65535) are open in addition to port 135. If there aren’t any firewalls, you might need to look further into the CA's health by checking for errors in pkiview.msc or reviewing failed requests in the logs.
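A PowerShell checklist that covers the points raised in the answers above (name resolution and reachability of the CA, the RPC endpoint mapper on TCP 135 versus the dynamic high ports, which templates the CA publishes, and whether the DC's own certs chain and their CRL/AIA URLs answer). This is an added example, not code from any of the answers or from Microsoft; `$CaHost` and `$CaName` are placeholders you replace with your issuing CA's hostname and CA common name, and it assumes it is run elevated on the domain controller.

```powershell
# Added diagnostic script (not from the thread). Assumes it runs as an administrator
# on the affected domain controller; $CaHost / $CaName are placeholders for your CA.
$CaHost   = 'ca01.corp.example'      # placeholder: issuing CA hostname
$CaName   = 'Corp Issuing CA'        # placeholder: CA common name as shown in certsrv
$CaConfig = "$CaHost\$CaName"

# 1. Name resolution: a CA whose name does not resolve surfaces as "The RPC server is unavailable".
Resolve-DnsName -Name $CaHost -ErrorAction Stop | Select-Object Name, IPAddress

# 2. The RPC endpoint mapper (TCP 135) must be reachable before any dynamic port is negotiated.
Test-NetConnection -ComputerName $CaHost -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Ask the CA service itself to answer over DCOM. Failure here with TCP 135 open usually
#    means the dynamic high port range (TCP 49152-65535) is filtered by a firewall.
certutil -config $CaConfig -ping

# 4. List the templates this CA actually publishes. A template missing from this list is
#    exactly what produces "The requested certificate template is not supported by this CA".
certutil -config $CaConfig -CATemplates

# 5. Inventory the machine store: which certs are expired, and which template issued them.
$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My
$certs | Select-Object Subject, NotAfter,
    @{ n = 'Expired';  e = { $_.NotAfter -lt $now } },
    @{ n = 'Template'; e = {
        # v2 templates use "Certificate Template Information", v1 templates "Certificate Template Name"
        ($_.Extensions | Where-Object {
            $_.Oid.FriendlyName -in 'Certificate Template Information', 'Certificate Template Name'
        } | Select-Object -First 1).Format($false)
    } } | Format-Table -AutoSize

# 6. Build each chain with online revocation checking, which exercises the CDP/AIA URLs
#    and confirms the root is trusted on this machine.
foreach ($c in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($c)
    "{0} chain valid: {1}" -f $c.Subject, $ok
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { "    {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
}
# For a verbose per-URL trace of the same check, export a cert and run:
#   certutil -verify -urlfetch <path-to-exported-cert.cer>
```

Read steps 2 and 3 together: TCP 135 succeeding while `certutil -ping` fails is the classic signature of the dynamic port range being blocked, which is a firewall problem rather than a CA problem; both failing points at DNS, the host being down, or the CertSvc service not running.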
Another option to consider is using Let's Encrypt instead of dealing with the domain cert issues if that fits your setup. It’s worth exploring if you just need to get back up and running.
To test if RPC is blocked, try using the computer management MMC to connect to the issuing CA. If that works, then your template might not have the right permissions for the DC to enroll. You might need to create or clone a new cert template, ensuring the enterprise domain controllers can read and enroll. When setting it up, don’t forget to manage the permissions correctly!
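To verify the template advice given above (duplicate the Domain Controller Authentication template, add the KDC Authentication EKU, require the DNS name in the subject alternative name, and grant ENTERPRISE DOMAIN CONTROLLERS read, enroll and autoenroll) without clicking through the Certificate Templates console, this added script reads the template object and its ACL straight from the AD configuration partition. It is not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed, and `$TemplateName` is a placeholder for the LDAP name of your duplicated template. The SID, extended-right GUIDs, EKU OID and name-flag bit are Microsoft's documented well-known values.

```powershell
# Added template check (not from the thread). Assumes the ActiveDirectory module is
# installed and that $TemplateName is replaced with your template's LDAP name.
Import-Module ActiveDirectory
$TemplateName = 'CorpDCAuthentication'   # placeholder: CN of the duplicated template

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

# Well-known values (documented by Microsoft, not specific to this environment).
$EnterpriseDCs   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'  # ENTERPRISE DOMAIN CONTROLLERS
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-91a4-00c04fc3b0a5'   # Certificate-AutoEnrollment extended right
$KdcAuthEku      = '1.3.6.1.5.2.3.5'                                # KDC Authentication
$AltRequireDns   = 0x08000000                                       # CT_FLAG_SUBJECT_ALT_REQUIRE_DNS

$tpl = Get-ADObject -Identity $templateDn -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag'

$findings = [ordered]@{}
$findings['KDC Authentication EKU present'] = $tpl.pKIExtendedKeyUsage -contains $KdcAuthEku
$findings['SAN must contain DNS name']      = ($tpl.'msPKI-Certificate-Name-Flag' -band $AltRequireDns) -ne 0

# Inspect the ACL, matching the group by SID because its display name is localized.
$acl    = Get-Acl -Path "AD:\$templateDn"
$dcAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $EnterpriseDCs
}
$readBit = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty   # also set by GenericRead
$findings['ENTERPRISE DOMAIN CONTROLLERS: Read']       = [bool]($dcAces | Where-Object { ($_.ActiveDirectoryRights -band $readBit) -ne 0 })
$findings['ENTERPRISE DOMAIN CONTROLLERS: Enroll']     = [bool]($dcAces | Where-Object { $_.ObjectType -eq $EnrollRight })
$findings['ENTERPRISE DOMAIN CONTROLLERS: Autoenroll'] = [bool]($dcAces | Where-Object { $_.ObjectType -eq $AutoEnrollRight })

$findings.GetEnumerator() | ForEach-Object { "{0,-48} {1}" -f $_.Key, $_.Value }

# A template that is correct but not published on the CA still fails with
# "not supported by this CA", so check each enrollment service object as well.
$esBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
Get-ADObject -SearchBase $esBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
             -Properties certificateTemplates, dNSHostName | ForEach-Object {
    "{0} ({1}) publishes {2}: {3}" -f $_.Name, $_.dNSHostName, $TemplateName,
        ($_.certificateTemplates -contains $TemplateName)
}
```

Every line of the findings table should read `True` before you retry enrollment; a `False` on Enroll or Autoenroll is the permissions gap the answer describes, and a `False` on the last line means the template exists in AD but was never added to the CA's Certificate Templates folder.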
What’s your operating system version? It might be worth reaching out to Microsoft support for more direct assistance if all this troubleshooting doesn’t yield results!