certs in child domain
Hi guys,

Hopefully I am in the right forum! I need to enable a child domain to request certs from the root domain (user certs, computer certs, etc.). At the moment I get an RPC unavailable error when I request a computer cert (cert MMC) from the DC in the child domain. Furthermore, I found event ID 6, "Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.", in the event log. The cert website is available, but I have no rights to get a cert. certutil -ping also gets an RPC error.

Who can tell me how I can enable the service for the child domain?

Environment:
root domain: 2 DCs Win2k8R2, 1 CA Win2k3
child domain: 2 DCs

I found the article http://support.microsoft.com/kb/281271 but I am not really sure what the right steps are...

Thanks in advance for a fast response!

Best regards
Christian
September 7th, 2010 1:26pm

Hi Christian, Can you ensure the child domain has the latest settings from the root domain by forcing replication (see steps here: http://technet.microsoft.com/en-us/library/cc776188(WS.10).aspx)? Can you ensure the appropriate users/computers in the child domain have been given Read and Enroll permission on Certificate Templates in the root domain and that policy has replicated to the child domain? Thanks, John
September 7th, 2010 10:05pm

Hi John,

Thanks for your response!

> Hi Christian, Can you ensure the child domain has the latest settings from the root domain by forcing replication (see steps here: http://technet.microsoft.com/en-us/library/cc776188(WS.10).aspx)?

Replication works fine and all is working.

> Can you ensure the appropriate users/computers in the child domain have been given Read and Enroll permission on Certificate Templates in the root domain and that policy has replicated to the child domain?

Which group needs special permissions? Isn't the group "auth. user" enough? I tried to install a child CA, but I cannot install an AD-integrated CA on this site. It is greyed out?!!?!

Best regards
Christian
September 9th, 2010 5:06pm

Hi,

Please refer to the resolution in the following KB article:

927066 Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;927066

Note: If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group.

Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 10th, 2010 10:52am
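
Added example (not part of any post in this thread): one way to apply the CERTSVC_DCOM_ACCESS change described in the reply above, typed at an elevated command prompt on the CA. CHILD, CAHOST and "CA Name" are placeholders, and "CHILD\Domain Computers" is an assumed choice of principals; substitute the narrowest group that actually needs to enroll.

```batch
@echo off
rem Added example: grant child-domain principals DCOM access to the CA.
rem Placeholders (assumptions): CHILD = child domain NetBIOS name,
rem CAHOST = CA server name, "CA Name" = the CA's common name.
setlocal
set GROUP=CERTSVC_DCOM_ACCESS

rem 1. Confirm the group exists on this CA. On a member server it is a
rem    local group; on a domain controller net localgroup manages the
rem    domain local group of the same name.
net localgroup %GROUP% >nul 2>&1
if errorlevel 1 (
    echo %GROUP% was not found on this CA. Follow KB 927066 first.
    exit /b 1
)

rem 2. Add the principals from the other domain that need to enroll.
rem    Prefer a specific group over a broad one such as Domain Users.
net localgroup %GROUP% "CHILD\Domain Computers" /add

rem 3. The failing client in this thread is a domain controller, so the
rem    Enterprise Domain Controllers group is added as well.
net localgroup %GROUP% "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" /add

rem 4. Clear the setup flag so Certificate Services reapplies its DCOM
rem    security settings on restart, then restart the service.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

rem 5. Review the resulting membership and keep it as small as possible.
net localgroup %GROUP%

rem 6. Verify from a machine in the child domain (run there, not here):
rem      certutil -config "CAHOST\CA Name" -ping
rem      certutil -pulse
endlocal
```

A client that was already logged on may need a restart (computers) or a fresh logon (users) before the new group membership is reflected in its access to the CA.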

Hi, How's everything going? Is there any update on the issue? If you need further assistance, please do not hesitate to respond back. Thanks.
September 14th, 2010 9:18am

This topic is archived. No further replies will be accepted.
