Domain Controller Certificate Issues
I have a Windows Server 2008 domain controller that had its domain controller certificate expire. I tried to renew it and also request a new certificate, but the message I get is "The RPC server is unavailable. The certificate request could not be submitted to the certification authority." I ran certutil -dump on the domain controller and it showed the Enterprise CA. I also ran certutil -tcainfo and got "No CA's listed in the domain". So it looks like either my CA is messed up or the info in AD is messed up. Where do I start looking to fix this?
August 25th, 2009 12:34am
1) Has the CA issued any other certificates lately?
   - Computer
   - User
2) Check the DCOM group for certificate groups; has the Domain Controller account been added?
3) Create a certificates console focused on the local machine at the DC. When you manually request a certificate, what reason is given for the non-availability for the DC cert?
4) What happens if you run certutil -config "_CALogicalName" -ping ?
5) What happens if you run certutil -config "_CALogicalName" -pingadmin ?
Brian
August 25th, 2009 1:09am
Hi Swensc,
Thanks for posting here.
According to your description, I understand that one of your domain controllers (Windows Server 2008) could not request a new certificate from the CA server. If I have misunderstood you, please do not hesitate to let me know.
You may try the troubleshooting steps in the following links.
How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in
http://blogs.technet.com/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
This posting is provided "AS IS" with no warranties, and confers no rights.
August 25th, 2009 3:23pm
1. I can request User certs and they complete successfully.
2. I checked the Certificate Service DCOM Access group and added Domain Controllers to it. There were no members when I first checked the group.
3. When I request a DC cert, I get the following: "The RPC server is unavailable. The certificate request could not be submitted to the certification authority."
4. I get "IcertRequest2 interface is alive. Certutil: -ping command completed successfully."
5. I get "IcertRequest2 interface is alive. Certutil: -ping command completed successfully."
Still cannot request and get a DC cert after all of this.
August 25th, 2009 4:22pm
Hi Swensc,
Thanks for the reply.
Based upon this situation, please follow the steps below to move forward:
Troubleshooting Steps:
1. Log on to the problem DC.
2. To see if the DS is accessible, run certutil -ds. This will display all of the DNs for CAs, templates and other PKI-related objects in the DS.
3. Run certutil -v -dstemplate DomainController and certutil -f -template DomainController. The first command will look at the specified template directly in the DS and dump it. If you don't have read access to the template, it will fail. The second command will forcibly update the local registry cache of the template (only for the current user), and dump it. The first or second line of output will complain if the current user does not have enroll access for the template.
4. Run certutil -templatecas DomainController. This command will look for CAs that support the specified template. The line of output for each such CA will complain if the current user does not have enroll access for the CA.
5. Confirm that both the DC and the CA have DCOM enabled and configured correctly. Check on your DC and server by opening the Component Services snap-in: Start | Run | DCOMCNFG. Once open, expand Component Services | Computers | My Computer. Right click on the Default Properties tab.
   a) Tick on Enable Distributed COM on this computer
   b) Default Authentication Level in Default Distributed COM Communication Properties is Connect
   c) Default Impersonation is Identify.
This posting is provided "AS IS" with no warranties, and confers no rights.
August 26th, 2009 9:46am
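The certutil checks from the two replies above, plus the DCOM default settings from step 5, gathered into one PowerShell script to run on the affected DC. This is an added example, not code from the thread; $CAConfig is a placeholder for the CA's "hostname\CA name" string, and the registry value names and their encodings (EnableDCOM "Y", authentication level 2 = Connect, impersonation level 2 = Identify) are assumptions.

```powershell
# Added diagnostic script (not from the thread). Run on the problem DC as an
# account allowed to read the CA configuration. $CAConfig is a placeholder.
param([string]$CAConfig = "CAHOST\Contoso-Issuing-CA")

function Invoke-Check {
    param([string]$Label, [string[]]$Arguments)
    Write-Host "== $Label =="
    # certutil exits non-zero when a check fails; capture output and exit code
    $output = & certutil.exe @Arguments 2>&1
    $output | Select-Object -First 20 | ForEach-Object { "   $_" }
    if ($LASTEXITCODE -ne 0) { Write-Warning "$Label failed (exit $LASTEXITCODE)" }
}

# Steps 2-4 of the second reply: DS reachability, template ACLs, CAs offering the template
Invoke-Check "DS PKI objects"            @("-ds")
Invoke-Check "Template in DS"            @("-v", "-dstemplate", "DomainController")
Invoke-Check "Template cache refresh"    @("-f", "-template", "DomainController")
Invoke-Check "CAs offering template"     @("-templatecas", "DomainController")

# The -ping / -pingadmin checks from the first reply (request and admin DCOM interfaces)
Invoke-Check "CA request interface ping" @("-config", $CAConfig, "-ping")
Invoke-Check "CA admin interface ping"   @("-config", $CAConfig, "-pingadmin")

# Step 5: machine-wide DCOM defaults, read from the registry instead of DCOMCNFG.
# Assumed encodings: EnableDCOM "Y"/"N"; LegacyAuthenticationLevel 2 = Connect;
# LegacyImpersonationLevel 2 = Identify. A missing value means the OS default applies.
$ole = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Ole"
$dcomChecks = @(
    @{ Name = "EnableDCOM";                Expected = "Y"; Actual = $ole.EnableDCOM },
    @{ Name = "LegacyAuthenticationLevel"; Expected = 2;   Actual = $ole.LegacyAuthenticationLevel },
    @{ Name = "LegacyImpersonationLevel";  Expected = 2;   Actual = $ole.LegacyImpersonationLevel }
)
foreach ($c in $dcomChecks) {
    $state = if ($null -eq $c.Actual) { "not set (default)" }
             elseif ("$($c.Actual)" -eq "$($c.Expected)") { "OK" }
             else { "MISMATCH, expected $($c.Expected)" }
    Write-Host ("{0,-28} {1,-18} {2}" -f $c.Name, $c.Actual, $state)
}
```

Run it once on the DC and once on the CA, since step 5 requires the DCOM defaults to be correct on both machines.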