RE: RPc server is unavailable since SP1
- From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 1 Sep 2005 14:41:08 -0700
Jenny,
This is SBS2K3 Premium and the SP1 was loaded from the ordered CD with the
ISA2004. I have run the network connectivity tests and can communicate both
ways, DC to Member Server and Member Server to DC and also to clients.
I cannot find a security group called CERTSERV_DCOM_ACCESS in the DC which
is also the CA. From this fact, I am leaning to the fact that this is the
problem.
When SP1 was installed, there were no errors.
When I try to run the 3 commands you sent, I get a message that 3 args are
presented and 1 is expected.
"Jenny wu [MSFT]" wrote:
> Hi,
>
> Thanks for posting here!
>
> For your description, I understand that
>
> According to your post, I understand that the auto enrollment failed and
> when the member server updates the certificate you get the error message RPC
> server is unavailable. If I am off-base on that, please let me know.
>
> The RPC server is unavailable message indicates that there are some
> connectivity-related issues. For example, the member server cannot locate
> the CA Server, the connection to the CA Server is disconnected or the CA
> server is off line.
>
> Suggestion 1:
> In your scenario, please rerun CEICW to configure network connection to
> test, how about the result?
>
> If the issue persists, please follow below steps to try to resolve the
> issue:
>
> Suggestion 2:
> Windows Server 2003 Service Pack 1 (SP1) introduces some enhanced default
> security settings for the DCOM protocol. Specifically, SP1 introduces more
> precise rights that give an administrator independent control over local
> and remote permissions for launching, activating, and accessing COM servers.
>
> By default, all DCOM interfaces in Windows Server 2003 SP1 are configured
> to grant remote access permissions, remote launch permissions, and remote
> activation permissions only to administrators. However, when you upgrade to
> Windows Server 2003 SP1, security configuration changes are made to the
> global DCOM interface and to the CertSrv Request DCOM interface. These
> changes are made to enable Certificate Services to work correctly.
>
> *Note: Any changes that have been made to the CertSrv Request DCOM
> interface security settings before the installation of SP1 will be lost.
> The SP1 installation procedure resets all previous security settings in the
> CertSrv Request DCOM interface to their default settings.
>
> During the SP1 installation process, Certificate Services automatically
> updates the DCOM security settings as follows:
>
> 1. CertSrv Request DCOM interface:
>
> a. The Everyone security group is granted local and remote access
> permissions.
> b. The Everyone security group is granted local and remote activation
> permissions.
> c. The Everyone security group is not granted local or remote launch
> permissions.
>
> 2. DCOM Computer Restriction Settings:
>
> a. A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
>
> If the certification authority is installed on a member server,
> CERTSVC_DCOM_ACCESS is a computer local group, and the Everyone security
> group is added to it.
>
> If the certification authority is installed on a domain controller,
> CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users security from
> the certification authority's domain are added to it.
>
> b. The CERTSVC_DCOM_ACCESS security group is granted local and remote
> access permissions.
> c. The CERTSVC_DCOM_ACCESS security group is granted local and remote
> activation permissions.
> d. The CERTSVC_DCOM_ACCESS security group is not granted local or remote
> launch permissions.
>
> If the certification authority is installed on a domain controller, and the
> enterprise is made up of more than one domain, Certificate Services cannot
> automatically update the DCOM security settings for enrollees from outside
> the certification authority's domain. Therefore, these enrollees will be
> denied enroll access to the certification authority.
>
> To resolve this issue, you must manually add the users to the
> CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS
> security group is a domain local group, you can add only domain groups to
> it. For example, if users and computers from another domain, a domain named
> Contoso, have to enroll with the certification authority, you must manually
> add the Contoso\Domain Users group and the Contoso\Domain Computers group
> to the CERTSVC_DCOM_ACCESS security group.
>
> If any enrollees that should be authorized by the certification authority
> are denied authorization after the installation of SP1, you can have
> Certificate Services update the DCOM security settings again. To do this,
> run the following commands at the command prompt in the following order.
> Press ENTER after each command.
>
> 1. certutil setreg SetupStatus SETUP_DCOM_SECURITY_UPDATED_FLAG
> 2. net stop certsvc
> 3. net start certsvc
>
> The DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry
> flag that indicates that the DCOM security settings were updated completely
> and successfully. Certificate Services checks this flag every time that it
> is started. The commands in the previous list reset the flag and then
> update the DCOM security settings again.
>
> REFERENCES
> ==========
> For more information about the DCOM security enhancements that are
> introduced by Windows Server 2003 SP1, visit the following Microsoft
> Web site:
> http://go.microsoft.com/fwlink/?LinkId=39684: Changes to Functionality in
> Microsoft Windows Server 2003 Service
> Pack 1
>
> How is the result?
>
> If the issue persists, please help me collect some information to further
> troubleshoot the issue:
>
> 1. Have you installed CA server? In the SBS server box or some other member
> server?
> 2. Is your sbs server standard version or premium version? Have you
> installed ISA 2004?
> 3. Can you give me a screenshot of the error message for further analysis?
> 4. On the server and one of the problematic client workstations, run
> "eventvwr" (without quotation marks), check whether there is any error in
> Application log and System log, if yes, double click it, click the Copy
> button and paste the full content to the Newsgroup.
>
> Also you can send me info to my mailbox: v-yanniw@xxxxxxxxxxxxx
>
> More information:
> Securing Your Windows Small Business Server 2003 Network
> http://www.microsoft.com/technet/security/smallbusiness/prodtech/sbs/sec_sbs2003_network.mspx
>
> I appreciate your time and efforts on the issue. I am currently standing by
> for your reply. I am always happy to be of further assistance.
>
> Have a nice day!
>
> Best Regards,
>
> Jenny Wu
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >From: "=?Utf-8?B?U2NvdHQ=?=" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: RPc server is unavailable since SP1
> >Date: Wed, 31 Aug 2005 17:17:02 -0700
> >
> >Hello,
> >Since I installed SBS2K3 SP1 I am having a problem with certificates and
> >autoenrollment. Upon trying to update a certificate on a member server, I
> >receive the RPC Server is Unavailable message. This also happens on all other
> >machines in the domain. The big problem is that the member server certificate
> >expires in 6 days.
> >
>
>
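The reset procedure quoted above, written out as a batch file with checks before and after it (an added example, not part of the original posts). It uses certutil's hyphenated verb form, -setreg, in which a value prefixed with "-" clears that flag; the group and flag names are the ones quoted in the thread, and it assumes an administrator command prompt on the CA server.

```batch
@echo off
rem Added example: run on the CA server from an administrator command prompt.
rem Group and flag names are taken from the quoted message above.

rem 1. Check that the group SP1 should have created exists and list its members.
rem    On a domain controller, net localgroup operates on domain local groups.
net localgroup CERTSVC_DCOM_ACCESS
if errorlevel 1 echo CERTSVC_DCOM_ACCESS not found: DCOM update did not complete.

rem 2. Record the current SetupStatus flags before changing anything.
certutil -getreg SetupStatus

rem 3. Clear the "DCOM security updated" flag. The verb takes a leading
rem    hyphen, and the hyphen in front of the flag name means "clear this bit".
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
if errorlevel 1 goto :failed

rem 4. Restart Certificate Services so it reapplies the DCOM settings on start.
net stop certsvc
net start certsvc
if errorlevel 1 goto :failed

rem 5. Verify: the flag should be set again, the group should now exist,
rem    and the CA's request interface should answer.
certutil -getreg SetupStatus
net localgroup CERTSVC_DCOM_ACCESS
certutil -ping
goto :eof

:failed
echo Step failed. Check the Application and System event logs on the CA.
exit /b 1
```

To confirm that remote enrollees can reach the interface, run certutil -config "CAHOST\CANAME" -ping from the member server, where CAHOST and CANAME are placeholders for the CA's computer name and CA name.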