RE: RPc server is unavailable since SP1



Hi,

Thanks for your update!

I am sorry for showing you an incorrect command. Please perform the following
commands from a command prompt again:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

After these commands run successfully, you can find the CERTSVC_DCOM_ACCESS
security group in ADUC. And then please follow the guide in my initial post
to manually add the Domain Users group and the Domain Computers group to the
CERTSVC_DCOM_ACCESS security group.

Then run the following commands from a command prompt:
net stop certsvc
net start certsvc

Try to test, how about the result?

I appreciate your time and efforts to perform the test. I am looking forward to
your reply!

Have a nice day!

Best Regards,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
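
The reset-and-restart procedure above, together with the manual group membership step from the initial post, as an added example that is not part of this thread or of Microsoft's own documentation: a batch script for the command prompt on the CA. It assumes an elevated command prompt on the CA, that the CA is a domain controller (so CERTSVC_DCOM_ACCESS is a domain local group and "net localgroup" manages it), and that the enrollee domain passed as the first argument (defaulting to the CA's own domain via %USERDOMAIN%) is illustrative. It goes slightly beyond the reply by also covering the cross-domain case the initial post describes (for example passing CONTOSO to add Contoso\Domain Users and Contoso\Domain Computers).

```batch
@echo off
REM Added example, not from the thread. Re-runs the SP1 DCOM security update
REM for Certificate Services, then adds the enrollee domain's Domain Users and
REM Domain Computers groups to CERTSVC_DCOM_ACCESS and verifies the result.
REM Assumptions: run from an elevated command prompt on the CA, which is also a
REM domain controller (so CERTSVC_DCOM_ACCESS is a domain local group and
REM "net localgroup" manages it). %1 is the enrollee domain (illustrative);
REM it defaults to the CA's own domain. For the cross-domain case in the
REM initial post, pass the other domain's NetBIOS name, e.g. CONTOSO.

setlocal
set GRP=CERTSVC_DCOM_ACCESS
set ENROLLEE_DOMAIN=%~1
if "%ENROLLEE_DOMAIN%"=="" set ENROLLEE_DOMAIN=%USERDOMAIN%

echo === SetupStatus before reset ===
certutil -getreg SetupStatus

REM Clear the SETUP_DCOM_SECURITY_UPDATED_FLAG bit (the leading "-" removes
REM the flag). On its next start certsvc sees the flag cleared and re-applies
REM the DCOM security settings, which creates CERTSVC_DCOM_ACCESS if absent.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
if errorlevel 1 (
    echo certutil -setreg failed; the flag was not changed.
    goto :end
)
net stop certsvc
net start certsvc

REM Verify that the group exists before touching its membership.
net localgroup %GRP% >nul 2>&1
if errorlevel 1 (
    echo %GRP% still does not exist. Check the Application event log for
    echo certsvc errors before going further.
    goto :end
)

REM Add the enrollee domain's groups. Following the initial post, add the
REM Domain Users and Domain Computers groups rather than individual accounts.
REM "net localgroup" reports an error if a member is already present, which
REM is harmless here.
net localgroup %GRP% "%ENROLLEE_DOMAIN%\Domain Users" /add
net localgroup %GRP% "%ENROLLEE_DOMAIN%\Domain Computers" /add

REM Restart certsvc so the new membership is picked up, then record the state.
net stop certsvc
net start certsvc

echo === %GRP% membership ===
net localgroup %GRP%
echo === SetupStatus after reset and restart ===
certutil -getreg SetupStatus

:end
endlocal
```

Run it with no argument for the CA's own domain, or with a trusted domain's NetBIOS name (e.g. `fix_certsvc_dcom.cmd CONTOSO`, a hypothetical file name) for enrollees from another domain. The two `certutil -getreg SetupStatus` calls and the final `net localgroup` listing give a before/after record to paste into the thread if the enrollment error persists.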

--------------------
>From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <B53BD661-D33A-4494-A22E-C390E2D9F917@xxxxxxxxxxxxx>
<88gLHftrFHA.3292@xxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: RPc server is unavailable since SP1
>Date: Thu, 1 Sep 2005 14:41:08 -0700
>Message-ID: <6E2F27B8-AC31-4135-83A1-38BC37283E20@xxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>
>Jenny,
>
>this is SBS2K3 Premium and the SP1 was loaded from the ordered CD with the
>ISA2004. I have run the network connectivity tests and can communicate both
>ways, DC to Member Server and Member Server to DC and also to clients.
>
> I can not find a security group called CERTSERV_DCOM_ACCESS in the DC which
>is also the CA. From this fact, I am leaning to the fact that this is the
>problem.
>
> When SP1 was installed, there were no errors.
>
> When I try to run the 3 commands you sent, I get a message that 3 args are
>presented and 1 is expected.
>
>"Jenny Wu [MSFT]" wrote:
>
>> Hi,
>>
>> Thanks for posting here!
>>
>> For your description, I understand that
>>
>> According to your post, I understand that the auto enrollment failed and
>> when the member server update certificate you get the error message RPC
>> server is unavailable. If I am off-base on that, please let me know.
>>
>> The RPC server is unavailable message indicates that there are some
>> connectivity related issue. For example, the member server cannot locate
>> the CA Server, the connection to the CA Server is disconnected or the CA
>> server is off line.
>>
>> Suggestion 1:
>> In your scenario, please rerun CEICW to configure network connection to
>> test, how about the result?
>>
>> If the issue persists, please follow below steps to try to resolve the
>> issue:
>>
>> Suggestion 2:
>> Windows Server 2003 Service Pack 1 (SP1) introduces some enhanced default
>> security settings for the DCOM protocol. Specifically, SP1 introduces more
>> precise rights that give an administrator independent control over local
>> and remote permissions for launching, activating, and accessing COM servers.
>>
>> By default, all DCOM interfaces in Windows Server 2003 SP1 are configured
>> to grant remote access permissions, remote launch permissions, and remote
>> activation permissions only to administrators. However, when you upgrade to
>> Windows Server 2003 SP1, security configuration changes are made to the
>> global DCOM interface and to the CertSrv Request DCOM interface. These
>> changes are made to enable Certificate Services to work correctly.
>>
>> *Note: Any changes that have been made to the CertSrv Request DCOM
>> interface security settings before the installation of SP1 will be lost.
>> The SP1 installation procedure resets all previous security settings in the
>> CertSrv Request DCOM interface to their default settings.
>>
>> During the SP1 installation process, Certificate Services automatically
>> updates the DCOM security settings as follows:
>>
>> 1. CertSrv Request DCOM interface:
>>
>> a. The Everyone security group is granted local and remote access
>> permissions.
>> b. The Everyone security group is granted local and remote activation
>> permissions.
>> c. The Everyone security group is not granted local or remote launch
>> permissions.
>>
>> 2. DCOM Computer Restriction Settings:
>>
>> a. A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
>>
>> If the certification authority is installed on a member server,
>> CERTSVC_DCOM_ACCESS is a computer local group, and the Everyone security
>> group is added to it.
>>
>> If the certification authority is installed on a domain controller,
>> CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users security group
>> from the certification authority's domain is added to it.
>>
>> b. The CERTSVC_DCOM_ACCESS security group is granted local and remote
>> access permissions.
>> c. The CERTSVC_DCOM_ACCESS security group is granted local and remote
>> activation permissions.
>> d. The CERTSVC_DCOM_ACCESS security group is not granted local or remote
>> launch permissions.
>>
>> If the certification authority is installed on a domain controller, and the
>> enterprise is made up of more than one domain, Certificate Services cannot
>> automatically update the DCOM security settings for enrollees from outside
>> the certification authority's domain. Therefore, these enrollees will be
>> denied enroll access to the certification authority.
>>
>> To resolve this issue, you must manually add the users to the
>> CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS
>> security group is a domain local group, you can add only domain groups to
>> it. For example, if users and computers from another domain, a domain named
>> Contoso, have to enroll with the certification authority, you must manually
>> add the Contoso\Domain Users group and the Contoso\Domain Computers group
>> to the CERTSVC_DCOM_ACCESS security group.
>>
>> If any enrollees that should be authorized by the certification authority
>> are denied authorization after the installation of SP1, you can have
>> Certificate Services update the DCOM security settings again. To do this,
>> run the following commands at the command prompt in the following order.
>> Press ENTER after each command.
>>
>> 1. certutil setreg SetupStatus SETUP_DCOM_SECURITY_UPDATED_FLAG
>> 2. net stop certsvc
>> 3. net start certsvc
>>
>> The DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry
>> flag that indicates that the DCOM security settings were updated completely
>> and successfully. Certificate Services checks this flag every time that it
>> is started. The commands in the previous list reset the flag and then
>> update the DCOM security settings again.
>>
>> REFERENCES
>> ==========
>> For more information about the DCOM security enhancements that are
>> introduced by Windows Server 2003 SP1, visit the following Microsoft
>> Web site:
>> http://go.microsoft.com/fwlink/?LinkId=39684: Changes to Functionality in
>> Microsoft Windows Server 2003 Service Pack 1
>>
>> How is the result?
>>
>> If the issue persists, please help me collect some information to further
>> troubleshoot the issue:
>>
>> 1. Have you installed CA server? In the SBS server box or some other member
>> server?
>> 2. Is your sbs server standard version or premium version? Have you
>> installed ISA 2004?
>> 3. Can you give me the screen shot of the error message for further
>> analysis?
>> 4. On the server and one of the problematic client workstations, run
>> "eventvwr" (without quotation marks), check whether there is any error in
>> Application log and System log, if yes, double click it, click the Copy
>> button and paste the full content to the Newsgroup.
>>
>> Also you can send me info to my mailbox:v-yanniw@xxxxxxxxxxxxx
>>
>> More information:
>> Securing Your Windows Small Business Server 2003 Network
>> http://www.microsoft.com/technet/security/smallbusiness/prodtech/sbs/sec_sbs2003_network.mspx
>>
>> I appreciate your time and efforts on the issue. I am currently standing by
>> for your reply. I am always happy to be of further assistance.
>>
>> Have a nice day!
>>
>> Best Regards,
>>
>> Jenny Wu
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>>
>> --------------------
>> >From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: RPc server is unavailable since SP1
>> >Date: Wed, 31 Aug 2005 17:17:02 -0700
>> >Message-ID: <B53BD661-D33A-4494-A22E-C390E2D9F917@xxxxxxxxxxxxx>
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >
>> >Hello,
>> >Since I installed SBS2K3 SP1 I am having a problem with certificates and
>> >autoenrollment. Upon trying to update a certificate on a member server, I
>> >receive the RPC Server is Unavailable message. This also happens on all other
>> >machines in the domain. The big problem is that the member server certificate
>> >expires in 6 days.
>> >
>>
>>
>
