2008 R2 CA not using static DCOM port as configured
Hello, I am currently trying to configure the Certificate Services DCOM port to use a static port number (Windows 2008 R2). It does not work for any port number. I used dcomcnfg (Component Services snap-in) to change the CertSrv Request bindings to a static connection-oriented TCP endpoint with port 7680, 5001, 3800, 49300 and 50001, without success. After restarting CERTSVC, it still uses a dynamically assigned random port. Restarting the whole computer didn't yield anything either. The AppID is actually showing the Endpoints value, and the CERTSRV.EXE mapping to its AppId is correct. What could be wrong with this setup? Thank you, ondrej.
September 21st, 2010 6:00am

A couple of possibilities:
1) Have you configured Administrators as owner of the {D99E6E74-FC88-11D0-B498-00A0C90312F3} registry key?
2) When you configure the static port, you must configure DCOM to use a static endpoint and then designate your port.
3) Did you disable RPC for ICertRequest (certutil -setreg ca\interfaceflags +0x8) and restart Certificate Services?
Brian
September 21st, 2010 7:52am

Yes, thank you, the Administrators are owners actually. But why would I disable the RPC interface? I don't understand exactly. And how do I configure DCOM as a whole to use static endpoints, if this is what you meant? Thank you very much, ondrej.
September 21st, 2010 3:26pm

So I am back with some details:
a) Both the registry keys {D99E... and AppId/certsrv are owned by the Administrators group, and the group also has Full Control on the keys. No effect.
b) The Endpoints value does not work regardless of the way it has been configured, either by DCOMCNFG or by directly modifying the registry.
c) The only thing I was able to configure is the global DCOM setting to restrict the dynamically assigned ports to the "internet" range. Then the CERTSVC service (CERTSRV process) is assigned some dynamic port from that configured port range. But still only one (random) port out of that range, not the single port specified for that service itself.
Was anybody able to make it use the static port on R2? ondrej.
September 21st, 2010 5:01pm

d) And yet the mentioned "certutil interfaceflags" just turns off the DCOM interface altogether, as I expected. So this is not the thing I would need :-) ondrej.
September 21st, 2010 5:07pm

Hi,
In order to force the CertSvc service to use a static DCOM port, we must do two things:
1. Configure the CertSvc service to listen on a static DCOM port
2. Disable the RPC interface on the machine running CertSvc
Please refer to the detailed steps below:

1. Configure a Static DCOM Port
To configure static DCOM, perform the following steps.
1) Log on with an account that has local administrator permission on the enterprise issuing CA.
2) Open the Component Services MMC snap-in (dcomcnfg.exe).
3) In the left pane of the Component Services MMC snap-in, expand Component Services, Computers, My Computer, and then DCOM Config.
4) In the right pane, select CertSrv Request.
5) On the Action menu, click Properties.
6) On the Endpoints tab, click Add.
7) Select Use static endpoint, enter an unused TCP port number, for example, 4000, and then click OK twice.
8) Close the MMC snap-in.
9) Restart the certification authority service.

2. Disable the RPC Interface
To disable the RPC interface, perform the following steps.
1) At the command-line prompt, run the following command: certutil -setreg ca\interfaceflags +0x8
2) The command output lists the flags that are enabled. Verify that IF_NORPCICERTREQUEST is part of the InterfaceFlags in the command output list.
3) Restart the certification authority service.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 21st, 2010 10:16pm

thanks, I am going to give it another try.
September 24th, 2010 5:48am

OK, it works. Just a note for other implementers: the port is opened as listening only after the first call to the CA comes from a client. Until that point, you will not see the port listening in NETSTAT or other tools. ondrej.
September 25th, 2010 8:13am
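The following PowerShell script is an added verification example, not code from the thread or from Microsoft. It checks, on the CA itself, the three things the thread turned out to depend on: the Endpoints value under the CertSrv Request AppID key, the 0x8 (IF_NORPCICERTREQUEST) bit in the CA's InterfaceFlags, and whether certsrv.exe is listening on the chosen port, taking into account ondrej's note that the listener only appears after the first client request. The AppID GUID and the flag value come from the posts above; the HKEY_CLASSES_ROOT\AppID path, the REG_MULTI_SZ endpoint format "ncacn_ip_tcp,0,<port>", and the CertSvc\Configuration\Active registry layout are standard Windows locations that the thread does not spell out, and the default port 4000 is the example value from the answer.

```powershell
# Added example: verify a static DCOM port configuration for CertSvc.
# Assumptions: run from an elevated PowerShell prompt on the CA (PowerShell 2.0
# on 2008 R2 is enough); -ExpectedPort is the port chosen in step 7 of the answer.
param([int]$ExpectedPort = 4000)

# AppID GUID for "CertSrv Request", as quoted in the thread.
$appId    = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'
$appIdKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"

# 1. Endpoints value: REG_MULTI_SZ, each entry "ncacn_ip_tcp,0,<port>".
$endpoints = (Get-ItemProperty -Path $appIdKey -ErrorAction SilentlyContinue).Endpoints
if (-not $endpoints) {
    Write-Warning "No Endpoints value under $appIdKey - DCOM will pick a dynamic port."
} else {
    foreach ($ep in $endpoints) {
        $parts = $ep -split ','
        if ($parts.Count -eq 3 -and $parts[0] -eq 'ncacn_ip_tcp' -and $parts[2] -eq "$ExpectedPort") {
            Write-Host "Endpoint OK: $ep"
        } else {
            Write-Warning "Unexpected endpoint entry: $ep"
        }
    }
}

# 2. Owner of the AppID key (Brian's first question in the thread).
$acl = Get-Acl -Path $appIdKey
Write-Host "AppID key owner: $($acl.Owner)"

# 3. InterfaceFlags on the active CA: bit 0x8 is IF_NORPCICERTREQUEST.
$caConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCa = (Get-ItemProperty -Path $caConfig).Active
$flags    = [int](Get-ItemProperty -Path "$caConfig\$activeCa").InterfaceFlags
if ($flags -band 0x8) {
    Write-Host ("InterfaceFlags 0x{0:X} on '{1}' includes IF_NORPCICERTREQUEST" -f $flags, $activeCa)
} else {
    Write-Warning ("InterfaceFlags 0x{0:X} on '{1}' lacks 0x8; run: certutil -setreg ca\interfaceflags +0x8" -f $flags, $activeCa)
}

# 4. Listening check. netstat -ano prints lines such as
#    "  TCP    0.0.0.0:4000    0.0.0.0:0    LISTENING    1234"
#    where the last column is the owning PID; we require it to be certsrv.exe.
$certsrv = Get-Process -Name certsrv -ErrorAction SilentlyContinue
if (-not $certsrv) {
    Write-Warning "certsrv.exe is not running."
} else {
    $pattern  = ":$ExpectedPort\s+\S+\s+LISTENING\s+(\d+)\s*$"
    $listener = netstat -ano -p tcp | Where-Object {
        ($_ -match $pattern) -and ([int]$matches[1] -eq $certsrv.Id)
    }
    if ($listener) {
        Write-Host "certsrv.exe (PID $($certsrv.Id)) is listening on TCP $ExpectedPort."
    } else {
        # As noted in the thread, the listener only appears after the first client
        # call; 'certutil -ping' issues an ICertRequest call and is enough to trigger it.
        Write-Warning "No listener on TCP $ExpectedPort yet. Run 'certutil -ping' from a client, then re-check."
    }
}
```

Run it once right after restarting the CA service and again after a client has contacted the CA; only the second run is conclusive for the listening check, which is the point ondrej makes above. The script only reads configuration and process state, so it is safe to run on a production CA.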

Added to the TechNet Wiki: How to set a static DCOM port for AD CS http://social.technet.microsoft.com/wiki/contents/articles/how-to-set-a-static-dcom-port-for-ad-cs.aspx Please update as needed to ensure that it is technically accurate. Thanks!
October 5th, 2010 3:46pm
