RPC errors can be ugly and are often not that easy to identify. In the last months I had two Windows PKI Installations where I ran into the error 1722 RPC server not available. In both cases the Windows CA was up and running but I could not enroll or autoenroll certificates. So I check the firewall rules, the CA server time and date and I used certutil.exe -ping CAhostname to verify RPC network communication.
I ran certutil -ping one time with the netbios name of the CA and all worked. That's why no one had an issued with the machine before for file transfer or a ping with the netbios name.
C:\system\>certutil -ping win5011
Connecting to win5011 ...
Server "AAA Frontoso R3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
But the certutil -ping for the full qualified hostname failed.
C:\system\adhc>certutil -ping win5011.frontoso.com
Connecting to win5011.frontoso.com ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.
So it turned out that in both cases the client used a non-MS DNS server for the Active Directory environment and the FQDN name of the CA server was incorrectly configured there. After adjusting the IP address in DNS certutil -ping with the FQDN name worked and the certificate enrollment as well.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment