PKI View partly fails
Hi,

We have 2 Windows 2008 R2 Subordinate PKI servers, in different VLANs: PKI002 and PKI003. Both VLANs are AD Sites, and both Sites have a few AD DCs.

Sitting at PKI003:
- certutil -ping -config pki002 works fine
- Enterprise PKI (PKIView) shows everything OK

Sitting at PKI002:
- certutil -ping -config pki003 does NOT work ("RPC server is unavailable" is returned)
- certutil -ping -config <IP address of pki003> then works (I have even added pki003 to the HOSTS and LMHOSTS files)
- Enterprise PKI returns an error and says pki003 is offline. However, when I right-click Enterprise PKI and select Manage AD containers, both the PKI servers are shown as being OK on every single tab.

If I try 'certutil -ping -config pki002' from any other VLAN, I get the correct response. The firewall guys swear that there are IP-to-IP rules between the 2 PKI servers and everything should be allowed. Both PKI servers can also see each VLAN's domain controllers.

Can someone perhaps clarify how the 'Enterprise PKI (PKIView)' application and 'certutil -ping -config <servername>' actually function? Maybe this will explain the 'RPC' issues.

Thank you
August 24th, 2011 11:55am

It looks like you have a name resolution problem, as you can use the IP address without problems ("certutil -ping -config IP address of pki003, it then works"). Please verify you have working name resolution for both servers. You should be able to resolve all servers using short and fully qualified names.

The certutil -ping simply connects to the ICertRequest* interface using RPC/DCOM on the server you specify using the config parameter. The Enterprise PKI tool checks the service availability in a similar way certutil does, and when the service is reachable the tool performs additional checks of the CA CDP and AIA configuration and availability.

/Hasain
August 24th, 2011 1:34pm

Hi,

I can resolve all server names (hostname & FQDN) via 'nslookup' to any DNS server. I can 'ping' and 'net view \\servername' all the mentioned servers. I can 'http' and 'https' to the relevant PKI servers from anywhere on the network. Just as an extra, I have added the servers' names to the local HOSTS and LMHOSTS files. I have even downloaded RPCPING from Microsoft, and RPCPING works correctly in both directions. I have even disabled the Windows firewall on both servers. Yet 'certutil' and 'Enterprise PKI' fail.
August 24th, 2011 2:01pm

I assume you are always logged in using domain credentials on both servers. Does certutil -ping using the server's IP address work across sites? If not, does your firewall implement any "strict RPC filtering" that may be blocking DCOM traffic? Have you tried certutil -ping from other machines across the sites? Can you verify that certutil -ping works within each site to that site's CA server? Please check from the CA server itself and from another client in the same site. If you try to request a certificate using a client in each site and direct the client to the local CA in that site, does that work?

/Hasain
August 24th, 2011 3:07pm
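Added example, not from this thread and not Hasain's or the original poster's code: a PowerShell script that runs, in order, the checks the two replies above name. It tests name resolution for the short name and the FQDN, TCP reachability of the RPC endpoint mapper on port 135 (the port a DCOM client asks for the dynamic port that the CA's ICertRequest interface registered), a second DCOM call (WMI) to the same host for comparison, certutil -ping by FQDN and by IP, and the pKIEnrollmentService objects in the configuration partition that the Enterprise PKI "Manage AD containers" view enumerates. The host name pki003, the CA common name Contoso-Sub-CA and the DNS suffix corp.example.com are assumptions; run it on pki002 in an elevated PowerShell session under a domain account.

```powershell
# Added example (not from this thread). The three values below are assumptions.
$CaHost = 'pki003'              # assumption: remote CA host
$Suffix = 'corp.example.com'    # assumption: DNS suffix of the domain
$CaName = 'Contoso-Sub-CA'      # assumption: CA common name on pki003
$Fqdn   = "$CaHost.$Suffix"

# 1. Name resolution: the server in the -config string is resolved before DCOM
#    is opened, so both the short name and the FQDN must resolve from this host.
foreach ($n in @($CaHost, $Fqdn)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        'Resolve {0,-28} -> {1}' -f $n, ($ips -join ', ')
    } catch {
        'Resolve {0,-28} -> FAILED: {1}' -f $n, $_.Exception.Message
    }
}
$Ip = ([System.Net.Dns]::GetHostAddresses($Fqdn) | Select-Object -First 1).IPAddressToString

# 2. TCP reachability. A DCOM client first asks the endpoint mapper on 135 which
#    dynamic port the CA's ICertRequest interface registered, then opens a second
#    connection to that port (49152-65535 on Windows Server 2008 R2). A rule that
#    allows 135 alone, or a firewall that inspects RPC payloads, breaks step two.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
'TCP 135 -> {0,-28} {1}' -f $Fqdn, (Test-TcpPort $Fqdn 135)
'TCP 135 -> {0,-28} {1}' -f $Ip,   (Test-TcpPort $Ip   135)

# 3. Another DCOM call to the same host: WMI also uses 135 plus a dynamic port.
#    If this works by name and certutil does not, DCOM transport in general is
#    fine and the problem is specific to the CA interface or its authentication.
try {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Fqdn -Filter "Name='CertSvc'" -ErrorAction Stop
    'WMI over DCOM to {0}: CertSvc is {1}' -f $Fqdn, $svc.State
} catch {
    'WMI over DCOM to {0}: FAILED: {1}' -f $Fqdn, $_.Exception.Message
}

# 4. certutil -ping by FQDN and by IP. Exit code 0 means ICertRequest answered;
#    "RPC server is unavailable" (0x800706ba) means the DCOM connection never completed.
foreach ($cfg in @("$Fqdn\$CaName", "$Ip\$CaName")) {
    $out = & certutil.exe -ping -config $cfg 2>&1
    'certutil -ping -config {0,-45} exit={1} {2}' -f $cfg, $LASTEXITCODE, ($out | Select-Object -Last 1)
}

# 5. What Enterprise PKI's "Manage AD containers" enumerates: the
#    pKIEnrollmentService objects under Public Key Services in the configuration
#    partition. The dNSHostName stored there is the name PKIView connects to, so
#    it must resolve from this host and match the server you expect.
$cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($r in $searcher.FindAll()) {
    'AD Enrollment Service {0,-25} dNSHostName={1}' -f $r.Properties['cn'][0], $r.Properties['dnshostname'][0]
}
```

Two caveats when reading the output. First, RPCPING pointed only at the endpoint mapper proves that port 135 is open, not that the dynamic port the CA registered is reachable, so a passing RPCPING and a failing certutil are consistent with a firewall that allows 135 alone. Second, the two certutil calls differ in more than DNS: a connection to a host name authenticates with Kerberos against the HOST/pki003 SPN, while a connection to a bare IP address falls back to NTLM, so a ping that succeeds by IP and fails by name can also point at a Kerberos or SPN problem on that path rather than at name resolution.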

The firewall guys are reviewing their configurations one more time; will revert once resolved.
August 28th, 2011 9:19am
