Event ID 13 enrolling DC Cert

I recently migrated our network from 2 W2003 DC's to 2 W2008 DC's, these are new servers, not in place upgrades.  I installed AD CA on one of the DC's, and have since also installed it on the second DC.  The second DC is repeatedly recording Event ID 13 "Certificate enrollment for Local system failed to enroll for a DomainController certificate from servername.goexpress.com\goexpress-servername-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722))" 

When I try to manually enroll it also fails stating the RPC server is unavailable.  RPC Service is started on both CA's and I added the following groups to the Built In/Certificate Service DCOM group in AD (it was previously empty):

Authenticated Users, Domain Computers, Domain Controllers, Domain Users, Everyone

I checked the security permissions on the Domain Controller certificate, they are:

Authenticated Users- Read/Write/Enroll

Domain Admin, Domain Controllers, Enterprise Admin, Enterprise DC all have Full Control. 

Under 'Failed Requests' in the Certification Authority it shows entries "The requested certificate template is not supported by this CA 0x80094800 (-2146875392)" under the status code.  The disposition message reads "Denied by Policy Module".

Does anyone know how to fix this?  I thought that adding the affected DC as a CA would resolve the issue, but that is not the case.  I also tried duplicating the DC certificate template but the same error occurs if I try to request or install that as well. 

January 9th, 2014 8:00pm

Have you checked the Windows Firewall settings?  Server 2008 is locked down compared to 2003.   
I have also found that you would need to open the MMC as an administrator to properly access the Computer certificate store.  On the new DC, open a command prompt (be sure to 'Run as Administrator').  Then type 'MMC' and open the 'Computer' certificate store.  Try to request the domain controller certificate from there. 

  • Edited by Trex20165 Thursday, January 09, 2014 5:12 PM Updated info.
January 9th, 2014 8:04pm

The firewall on both DC's is turned off and they are in the same domain
January 9th, 2014 8:13pm

I also get the same error when launching MMC through Command prompt when its launched using 'run as administrator'
January 9th, 2014 8:16pm

On the CA, Failed requests folder, what is the full 'Request Disposition Message'?  If you widen the column, there is additional information.  I have those errors on my CA and the full message says:

"Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: ABCWebServer."  

In my case, we submitted a request with an incorrect template name.  If you check to see what the full Request Disposition Message says, it should give you some idea of the problem.

January 9th, 2014 8:33pm

the Request Disposition Message just says 'Denied by policy module'. The Request Status Code reads: "The DNS Name is unavailable and cannot be added to the subject alternate name. 0X8009480F (-2146875377)."

I've verified that the DNS name appears in AD under AD Users and Computers when I go to Domain Controllers and right-click the DC and select 'properties'.  When I made the manual requests for certificates, I select 'Domain Controller' for certificate then click 'details' on the right and hit the 'properties' button.  Under the 'Subject' tab I have Type left blank (DNS is not an available option there), under "Alternate" I select DNS and enter the DNS name (I actually copied it from AD and pasted it there so it matches exactly)...still get the same error

January 9th, 2014 9:05pm

It sounds like your 2008 DC requires the SAN in the certificate but the CA is not configured to accept it.  Check out this technet article: http://support.microsoft.com/kb/931351/en-us .   We had to complete this procedure on our CA even after it was upgraded/migrated from 2003 Enterprise (32-bit) to 2008 R2 (64-bit).

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.

   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
   net stop certsvc
   net start certsvc

Note The EDITF_ATTRIBUTESUBJECTALTNAME2 is only needed if the SAN is included as a request attribute.
  • Edited by Trex20165 Thursday, January 09, 2014 6:19 PM Typo
January 9th, 2014 9:19pm

Thanks Trex20165.  Before I do this, do you know if it will do any harm to edit the attributes on the CA to accept SAN if it in fact doesn't need them?  I'm hesitant to do this only because, the CA is a 2008 DC and it successfully installed the DC Certificate to itself, which leads me to believe the SAN isn't needed (otherwise it couldn't have successfully installed the certificate either).  Also, the certificate for the SubCA installed successfully onto the DC that is unable to install the DC certificate
January 9th, 2014 10:54pm

Too many bad moves in this thread:

> I installed AD CA on one of the DC's, and have since also installed it on the second DC

BAD, it is a really bad choice. You should never install a CA on a domain controller. DCs are changed much more frequently than CAs (a typical CA lives for about 10 years), while DCs have a shorter life. You won't be able to decommission the DC until you uninstall the CA service. CA removal is a non-trivial decommission operation and too many administrators cannot even successfully complete a CA decommission.

> servername.goexpress.com

is it the correct host name of the CA server? Is the "goexpress-servername-CA" the correct name of the CA service (CA certificate)? Just make sure that this is not an orphaned CA.

> I checked the security permissions on the Domain Controller certificate, they are: Authenticated Users- Read/Write/Enroll

what??? Seriously? Authenticated users can enroll for domain controller certificate??? And even change it???

> "The requested certificate template is not supported by this CA 0x80094800 (-2146875392) under the status code.

this error tells that specified certificate template is not added to a CA server for issuance.

> The DNS Name is unavailable and cannot be added to the subject alternate name. 0X8009480F (-2146875377).

this error tells that the CA was unable to locate required records in DNS.

> Before I do this, do you know if it will do any harm to edit the attributes on the CA to accept SAN if it in fact doesn't need them?

very good question. You should not follow the provided suggestion. You must never enable the SAN attribute on the CA, because it exposes a serious security hole. The SAN attribute was originally designed for web enrollment. Since web enrollment is formally dead, there are no reasons to enable this flag.

conclusion: I can expect that Active Directory isn't working very well. Check AD health with dcdiag and nslookup before you continue to change anything else. Check replication status. Next, I would not recommend turning off the built-in firewall, because it may block the traffic. Instead, the firewall must be enabled and exceptions must be configured for required applications. Moreover, Server Manager is smart enough to make the required changes in the firewall when you install the role. Third, you should fix permissions on certificate templates. Authenticated users must not have Enroll or even Write permissions; they should have only Read permission on all templates.

January 10th, 2014 12:06am

> It sounds like your 2008 DC requires the SAN in the certificate but the CA is not configured to accept it.  Check out this technet article: http://support.microsoft.com/kb/931351/en-us .   We had to complete this procedure on our CA even after it was upgraded/migrated from 2003 Enterprise (32-bit) to 2008 R2 (64-bit).
>
> How to configure a CA to accept a SAN attribute from a certificate request
>
> By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.
>
>    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
>    net stop certsvc
>    net start certsvc
>
> Note The EDITF_ATTRIBUTESUBJECTALTNAME2 is only needed if the SAN is included as a request attribute.

your recommendation is very bad. Never suggest anyone to enable SAN attributes on the CA server, because it exposes a security hole.
January 10th, 2014 12:07am

> I installed AD CA on one of the DC's, and have since also installed it on the second DC

> BAD, it is a really bad choice. You should never install a CA on a domain controller. DCs are changed much more frequently than CAs (a typical CA lives for about 10 years), while DCs have a shorter life. You won't be able to decommission the DC until you uninstall the CA service. CA removal is a non-trivial decommission operation and too many administrators cannot even successfully complete a CA decommission.

The certificate name is correct...I replaced the server name when I posted it on this thread but forgot to change/remove the domain name.  I've also decommissioned all the old CA's and removed all old CA's from AD Sites and Services/Public Key Services/Enrollment services

The authenticated user rights I had changed only for the DC certificate when I was troubleshooting it yesterday, I have since changed them back to read only (all other certificates are read only for Auth users).  

> "The requested certificate template is not supported by this CA 0x80094800 (-2146875392) under the status code.

> this error tells that specified certificate template is not added to a CA server for issuance.

--How do I add this certificate template to the CA for issuance?  It is the DC certificate which was created when the CA was installed, shouldn't it have this right by default?

> The DNS Name is unavailable and cannot be added to the subject alternate name. 0X8009480F (-2146875377).

> this error tells that the CA was unable to locate required records in DNS.

I've checked DNS Servers host files for both DC's and they are correct, what other records would it require?

> conclusion: I can expect that Active Directory isn't working very well. Check AD health with dcdiag and nslookup before you continue to change anything else. Check replication status. 

Both DC's passed all DCDiag tests except for NCSecDesc, which both failed with this error (I changed domain names and server names when posting):

Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't ha
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC="DOMAIN NAME",DC=com
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't ha
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=DomainDnsZones,DC="DOMAIN NAME",DC=com
   ......................... "DOMAIN CONTROLLER" failed test NCSecDesc

Both DC's found each other using NSLOOKUP and there are no other errors in AD replication on either server

January 10th, 2014 12:36am

We had to enable this to issue certificates for a SQL cluster.  We were advised by Microsoft support to enable this feature so a certificate with a Subject Alternative Name for the cluster could be issued.
January 10th, 2014 2:24am

> How do I add this certificate template to the CA for issuance?

open Certification Authority MMC snap-in, expand CA node, right-click on the Certificate Templates folder -> New -> Certificate Template to issue.

> I've checked DNS Servers host files for both DC's and they are correct, what other records would it require?

they require records from the _msdcs DNS folder. Looking at the dcdiag errors, there are issues with DNS zone replication. Please fix all errors reported by dcdiag and only then work on the CA server.

January 10th, 2014 9:25am

We had to enable this to issue certificates for a SQL cluster.  We were advised by Microsoft support to enable this feature so a certificate with a Subject Alternative Name for the cluster could be issued.

I believe their recommendation was outdated or even wrong. Instead, you should pass the SAN as an extension (which is authenticated) rather than as an unauthenticated attribute. You can open another thread with your case. When SAN is enabled as an attribute, any user can pass any SAN extension value when requesting, and the CA will issue the certificate.
January 10th, 2014 10:21am
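As an added example (not code from anyone in this thread), a PowerShell audit of the three points raised in the conclusion post above and in the reply about SAN-as-attribute: whether the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set, whether the DomainController template is published for issuance (the 0x80094800 "template not supported" case), and which templates grant Authenticated Users, Everyone or Domain Users Enroll or Write. It assumes the RSAT ActiveDirectory module and certutil.exe are available, that the caller can read the CA registry and the AD configuration partition, and it uses the thread's placeholder CA name; the 0x40000 bit value and the Certificate-Enrollment right GUID are the documented Windows values.

```powershell
# Added audit script; not from the thread. Assumes: RSAT ActiveDirectory module
# and certutil.exe present, caller can read the CA registry and AD configuration.
# The CA config string below is the placeholder name used in the thread.
param([string]$CAConfig = 'servername.goexpress.com\goexpress-servername-CA')

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# 1. Is EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000 of policy\EditFlags) set?
#    With it set, a requester can supply any SAN as an unauthenticated request
#    attribute, so a low-privileged user can obtain a cert for another name.
$regText = (certutil -config $CAConfig -getreg 'policy\EditFlags' 2>&1) | Out-String
if ($regText -notmatch 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    throw "Could not read EditFlags from $CAConfig :`n$regText"
}
$editFlags = [Convert]::ToInt64($Matches[1], 16)
$sanAttrEnabled = ($editFlags -band 0x40000) -ne 0

# 2. Is the DomainController template published for issuance on this CA?
#    (The thread's 0x80094800 "template not supported" error means it is not.)
$catTemplates = certutil -config $CAConfig -CATemplates 2>&1
$dcPublished = [bool]($catTemplates -match '^DomainController:')

# 3. Which templates let broad groups Enroll or Write? Authenticated Users,
#    Everyone and Domain Users should normally hold Read only.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$R = [System.DirectoryServices.ActiveDirectoryRights]
$broad = @('NT AUTHORITY\Authenticated Users', 'Everyone')
$findings = foreach ($t in Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)') {
    foreach ($ace in (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($who -notin $broad -and $who -notlike '*\Domain Users') { continue }
        $r = $ace.ActiveDirectoryRights
        $enroll = $r.HasFlag($R::ExtendedRight) -and
                  ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)
        $write = $r.HasFlag($R::GenericWrite) -or $r.HasFlag($R::GenericAll) -or
                 $r.HasFlag($R::WriteDacl) -or $r.HasFlag($R::WriteOwner)
        if ($enroll -or $write) {
            [pscustomobject]@{ Template = $t.Name; Principal = $who; Rights = $r }
        }
    }
}

[pscustomobject]@{
    CA                     = $CAConfig
    SanAttributeEnabled    = $sanAttrEnabled   # should be False
    DomainControllerIssued = $dcPublished      # should be True for DC autoenrollment
}
$findings | Format-Table -AutoSize             # should be empty
```

If SanAttributeEnabled comes back True, the safe direction is to clear the flag (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart certsvc) and carry any needed SAN inside the request as an extension, as the reply above recommends.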

Hi,

In addition, here are some troubleshooting links below for your references:

Event 13

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=13&EvtSrc=autoenrollment&LCID=1033/

Windows Server Troubleshooting: "The RPC server is unavailable"

http://social.technet.microsoft.com/wiki/contents/articles/4494.windows-server-troubleshooting-the-rpc-server-is-unavailable.aspx

Best Regards,

Amy Wang

January 14th, 2014 2:54am
