Troubleshooting Certificate Services auto-enrollment

Symptom

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Description: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.


Event ID 13

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Description: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from {hostname}\{name of CA}(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


Solution

Note: The pertinent information in the Event ID 13 above is 0x800706ba. There are other causes of this Event ID, so make sure yours is the same.

In my case I had an Exchange server that was using a certificate that had been “self signed”, and the Root CA that signed the certificate had been ungracefully removed from the domain. Take a note of the Root CA name from the Event ID error (shown arrowed).

  1. Launch “Active Directory Sites and Services” > Select the top level object > View > Show Services Node.
  2. Expand Services > Public Key Services > AIA > Delete the “Problem CA”.
  3. Then select “Enrollment Services” > Delete the “Problem CA”.
     If you have a new CA (in this example you would have seen it in step 2), then DO NOT perform the next two steps!
  4. Providing you DON'T have a CA now, select “Certificate Templates” and delete them all.
  5. Providing you DON'T have a CA now, select “Public Key Services” and delete the NTAuthCertificates item.
  6. To tidy up, on the server logging the error, run the following command:
     certutil -dcinfo deleteBad
  7. Finally, on the server logging the error, run the following command to update the policies:
     gpupdate /force

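Before deleting anything in steps 2 to 5, a read-only inventory of the same containers helps confirm which CA entry is the stale one and whether another CA is still published. The PowerShell below is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and uses DNS resolution plus TCP 135 reachability as a rough stand-in for "RPC server available".

```powershell
# Added example: read-only inventory of the AD containers edited in the steps above.
# Assumptions: ActiveDirectory module (RSAT) present, run from a domain-joined session.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Enrollment Services holds one pKIEnrollmentService object per issuing CA.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, certificateTemplates

$report = foreach ($ca in $cas) {
    $caHost   = $ca.dNSHostName
    $resolves = $caHost -and [bool](Resolve-DnsName -Name $caHost -ErrorAction SilentlyContinue)

    # 0x800706ba means the client could not reach the CA over RPC;
    # TCP 135 is the RPC endpoint mapper, so test that first.
    $rpcOpen = $false
    if ($resolves) {
        $rpcOpen = Test-NetConnection -ComputerName $caHost -Port 135 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        CAName             = $ca.Name
        Host               = $caHost
        ResolvesInDns      = $resolves
        RpcPort135Open     = $rpcOpen
        TemplatesPublished = ($ca.certificateTemplates | Measure-Object).Count
        LikelyStale        = -not ($resolves -and $rpcOpen)
    }
}
$report | Format-Table -AutoSize

# Object counts for the other containers named in the steps (nothing is modified).
foreach ($container in 'AIA', 'Certificate Templates') {
    $count = (Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope OneLevel `
        -Filter * | Measure-Object).Count
    '{0}: {1} object(s)' -f $container, $count
}
Get-ADObject -SearchBase $pkiBase -SearchScope OneLevel `
    -Filter 'Name -eq "NTAuthCertificates"' | Select-Object Name, DistinguishedName
```

A CA flagged LikelyStale whose name matches the one in the Event ID 13 description is the candidate for removal; any other CA that still answers is the reason to skip steps 4 and 5.
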
References:

http://kb.kaminskiengineering.com/node/237

http://www.petenetlive.com/KB/Article/0000473

https://rietveld-ict.nl/certificate-autoenrollment-failed-domain-controllers/

https://blogs.technet.microsoft.com/askds/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in/
