Cannot obtain Computer Certificate from Enterprise CA
Our CA is on our DC (Windows 2008) - and using the Certificate Snap-In, we have tried generating and it fails with:

The RPC Server is unavailable. The certificate request could not be submitted to the certification authority.

In the Application log we are getting:

Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 3/18/2011 3:44:47 PM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: me
Computer: requestingserver.domain.name
Description: Certificate enrollment for Local system failed to enroll for a Computer certificate from ca_servername.domain.name/CA_Server(The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="49754">13</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-18T20:44:47.000Z" />
    <EventRecordID>11748</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>requestingservername</Computer>
    <Security UserID="S-1-5-21-2043762751-1641313776-1237804090-15169" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="TemplateName">Computer</Data>
    <Data Name="CA">servername.domain.name\servername-CA</Data>
    <Data Name="ErrorCode">The RPC server is unavailable. 0x800706ba (WIN32: 1722)</Data>
  </EventData>
</Event>

Then we tried to create a Custom Request from the Certificate Snap-In from the Enterprise CA itself and then we got another error:

The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, The request does not contain a certificate template or the Certificate Template request attribute.

Seems like others are having issues, but no fix. Any help is always appreciated.
Karl
March 18th, 2011 5:03pm

Make sure your CA is accessible and has correct DNS records. Also make sure the appropriate firewall exceptions are enabled (RPC DCOM). Regarding the second issue, an enterprise CA can issue certificates based on a predefined template, and the template name must be included in the request. But it is possible to add the template name during submission:

certreq -submit -attrib "certificatetemplate:sometemplatename" file.req

http://en-us.sysadmins.lv
PowerShell PKI module: http://pspki.codeplex.com/
March 21st, 2011 3:13am

Found the issue from this other thread: http://social.technet.microsoft.com/Forums/en-GB/windowsserver2008r2general/thread/c0d13777-3f1b-4805-94a2-ac56f3cecbf3

Here were the steps it said to do:

1) Found the new group called Certificate Service DCOM Access. (Different from the old group called CERTSVC_DCOM_ACCESS.) Of note, the old group had Domain Users, Computers, and Controllers in it. The new one had NOTHING in the membership list.
2) Added the Domain items (authenticated users, domain computers, domain users) to the new group. Waited for the change to replicate to all DCs.
3) Ran the following command on my CA: certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
4) Stopped and started services (net stop certsvc, net start certsvc).
5) Went to a problem DC and ran the certutil -pulse from the command line.

Karl
March 21st, 2011 12:02pm
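
A triage sketch for the two errors discussed in this thread, added here as an example and not taken from any of the posts: it parses a CertEnroll event 13 and maps the error code to the check the replies suggest. The function name Get-EnrollFailure and the $hints table are hypothetical, the sample XML is the posted event trimmed to the fields used, and PowerShell 3.0 or later is assumed.

```powershell
# Sample input: the event posted in this thread, trimmed to the fields used below.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" />
    <EventID Qualifiers="49754">13</EventID>
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="TemplateName">Computer</Data>
    <Data Name="CA">servername.domain.name\servername-CA</Data>
    <Data Name="ErrorCode">The RPC server is unavailable. 0x800706ba (WIN32: 1722)</Data>
  </EventData>
</Event>
'@

# Hypothetical lookup table: next check per error code, taken from the replies above.
$hints = @{
    '0x800706ba' = 'CA not reachable over RPC/DCOM: check DNS records, firewall exceptions (RPC DCOM) and the membership of "Certificate Service DCOM Access" on the CA.'
    '0x80094801' = 'Request carries no template: resubmit with certreq -submit -attrib "certificatetemplate:<name>" file.req'
}

function Get-EnrollFailure {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $doc = [xml]$EventXml
    # Collect the <Data Name="..."> pairs from EventData into a hashtable.
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    # Pull the 32-bit error code out of the free-text ErrorCode field.
    $code = $null
    if ($fields['ErrorCode'] -match '0x[0-9a-f]{8}') { $code = $Matches[0].ToLower() }
    $hint = 'No suggestion for this code in the thread.'
    if ($code -and $hints.ContainsKey($code)) { $hint = $hints[$code] }
    [pscustomobject]@{
        Template = $fields['TemplateName']
        CA       = $fields['CA']
        Code     = $code
        Hint     = $hint
    }
}

Get-EnrollFailure -EventXml $sampleXml | Format-List

# On the affected machine, read the real events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 13
#     ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll' } |
#     ForEach-Object { Get-EnrollFailure -EventXml $_.ToXml() }
# Then test the CA's request interface directly: certutil -config "<CA value from the event>" -ping
```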
