DCOM trace logging
Hello, I have a problem with AD CS on a strictly secured computer. The CERTSRV service is running and no errors are seen in the event logs. The CA console is working fine, and the certificate templates console is OK. The problem is that the clients cannot enroll for certificates over the DCOM interface, with "The RPC server is unavailable". The CA is using a static port configured in Component Services. Until a recent security hardening everything worked fine. I have only changed some group memberships. I would like to troubleshoot this myself. It seems like DCOM cannot start the interface for the enrollment. I would like to see any detailed tracing log of DCOM events that might help me troubleshoot. How do I enable any generic DCOM logging? Or how do I enable any AD CS detailed tracing? Thank you. ondrej.
April 19th, 2011 10:26pm

Actually, the reason for the CA DCOM interface not starting is that the first enrollee who tries to enroll is not a member of the USERS group on the CA computer. Although the user IS a member of the CA DCOM Access group, he also needs to be a member of USERS as well. Why? How do I trace the DCOM operation? Another observation is that when the DCOM interface is already running, the user can make do even without being a USERS member, the way I would assume it should always work. ondrej.
April 20th, 2011 6:35am

This topic is archived. No further replies will be accepted.
