I am seeking help for a curious problem we have in our German office. I have previously posted this issue in the Security TechNet forums and was advised to post here. Apologies for the long post.
This problem was noticed about a month ago, shortly after this branch decommissioned their Windows 2003 domain controllers.
All new rolled out machines fail to enrol a client certificate. The error is:
Certificate enrolment for Local system failed in authentication to enrolment server FQN of our Root CA\Name of Enterprise Root CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722))
I have also seen this on one of the problem machines:
Certificate enrolment for Local system could not enrol for a Workstation certificate. A valid certification authority cannot be found to issue this template.
Only our Germany branch is experiencing this problem; in every other branch auto-enrolment works fine using the same SCCM rollout method.
Strangely, if the machine is joined to a workgroup and then re-joined to the domain, it enrols a Machine certificate on reboot as it should.
The machines are joined to the domain during the rollout process (we use SCCM 2007). Inspection of the Setupact.log from the Panther directory on the client machines shows there isn't any issue joining the domain, and the clients always appear in the correct OU specified by the build process.
The same SCCM build is used for other countries on the same domain, and those machines enrol certificates without issue.
Below is a list of what I have already tested.
When I run certutil diagnostics from a problem machine (using the local computer account) I get:
C:\Windows\system32>certutil -ping -config FQN of our Root CA\Name of Enterprise Root CA
Connecting to FQN of our Root CA\Name of Enterprise Root CA
Server " Name of Enterprise Root CA" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
So the client machine can talk to the certificate server interface using the enrolment tool.
--------------------------------------------------------------------------------------------------------
Ran the Port query tool from problem machines to our root CA on port 135 (RPC); this is a success (listening).
The certserv.exe service on our Root CA is using port 1072; this too is successfully queried using the Port query tool.
--------------------------------------------------------------------------------------------------------
Machine certificates are deployed via Group Policy; according to GPResult the problem machines do receive this policy.
--------------------------------------------------------------------------------------------------------
DNS name resolution works both ways (from client to servers and server to client); however, I can see resolution is fine from the event viewer.
--------------------------------------------------------------------------------------------------------
Time is correct on all the relevant machines (Root-CA, Domain Controllers and Client machines).
--------------------------------------------------------------------------------------------------------
Manually requesting the certificate via the Certificates snap-in in MMC results in the same problem; the enrolment fails with the same RPC error appearing in the event log.
--------------------------------------------------------------------------------------------------------
I have checked the enrolment permissions for the Workstation certificate template on our Root CA: Domain machines have Read, Enrol and Autoenroll.
-------------------------------------------------------------------------------------------------------
If I run Test-ComputerSecureChannel from one of the problem machines the result is True. I have tried resetting the machine's account using this command, but it didn't make any difference to the problem; enrollment still fails. I have also used the NLtest.exe utility, which doesn't find any secure channel related problems.
------------------------------------------------------------------------------------------------------
Other factors to consider:
We have only one enterprise root CA server; it's running Server 2003.
The 2003 R2 DCs that did service this branch were properly decommissioned.
Replication between all our domain controllers is healthy according to Replmon.
It doesn't matter which 2012 domain controller the machines use to join the domain; the problem is the same.
The domain controllers in the German branch are Windows Server 2012; our other branches (that don't have a problem) use 2008 R2 and some 2003 R2 servers.
There is only one domain.
The problem occurs when rolling out Windows 7 and Windows 8 machines; it doesn't matter if it's x86 or x64. As I have mentioned, the same build works fine in other branches using the same SCCM server.
I'm starting to run out of ideas; can anyone make any suggestions?
What looks like a simple firewall port communication / certificate permissions issue obviously isn't.
I suspect that there is something wrong when the machine account is created using the DJOIN.EXE process, although I don't have any evidence of this; it's strange that when the machine is rejoined to the domain (thus creating a brand new security token) the whole certificate enrollment process works fine.
I would be extremely grateful for any suggestion, input or advice. Thanks in advance.
Please see same question posted in Security forum here:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/90541aa3-3060-457b-a959-7839012c7cdc/strange-problem-with-client-machine-certificate-enrolment-the-rpc-server-is-unavailable?forum=winserversecurity
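As an added example (not part of the original post or any Microsoft tool), the checks listed above can be gathered from one problem client in a single PowerShell run, together with a count of the two CertEnroll event messages quoted in the post, so the output from a German machine can be compared line by line with a machine from a working branch. The CA config string and domain name below are placeholders.

```powershell
# Added example (not from the original post): run the post's checks from a
# problem client and tally the CertEnroll events, so several machines can be
# compared. Placeholders: set $CaConfig to "<CA host FQDN>\<CA common name>"
# and $Domain to your AD DNS domain name.
param(
    [string]$CaConfig = 'ca.example.invalid\Example Enterprise Root CA',  # placeholder
    [string]$Domain   = 'example.invalid'                                 # placeholder
)

$caHost = $CaConfig.Split('\')[0]
$result = New-Object System.Collections.Specialized.OrderedDictionary

# 1. Is the CA's ICertRequest interface reachable? Same check as the post's certutil -ping.
$null = & certutil.exe -ping -config $CaConfig 2>&1
$result['CertUtilPing'] = ($LASTEXITCODE -eq 0)

# 2. TCP 135 (RPC endpoint mapper) on the CA host. The CA's own RPC port is handed
#    out from here at run time, so only 135 is fixed. TcpClient also works on Windows 7.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($caHost, 135); $result['Rpc135'] = $tcp.Connected }
catch   { $result['Rpc135'] = $false }
finally { $tcp.Close() }

# 3. Machine account secure channel, as in the post, plus nltest's own verification.
$result['SecureChannel'] = Test-ComputerSecureChannel
$null = & nltest.exe "/sc_verify:$Domain" 2>&1
$result['NltestScVerify'] = ($LASTEXITCODE -eq 0)

# 4. Clock skew against the CA host (Kerberos tolerates 5 minutes by default).
$os = Get-WmiObject Win32_OperatingSystem -ComputerName $caHost -ErrorAction SilentlyContinue
if ($os) {
    $caTime = [Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    $result['ClockSkewSec'] = [math]::Round([math]::Abs(((Get-Date) - $caTime).TotalSeconds))
}

# 5. Autoenrollment events from the last 7 days, split by the two messages quoted in the post.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
$result['RpcUnavailable']  = @($events | Where-Object { $_.Message -match '0x800706ba' }).Count
$result['NoCaForTemplate'] = @($events | Where-Object { $_.Message -match 'valid certification authority cannot be found' }).Count

# One line per check, easy to paste into a reply next to a working branch's output.
foreach ($k in $result.Keys) { '{0,-16} {1}' -f $k, $result[$k] }
```

Run it in an elevated prompt on the client so the computer account's own view of the CA is tested rather than the logged-on user's; a working and a failing machine that differ only in the event counts narrows the problem to the enrolment stage itself.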