RE: RPC server is unavailable since SP1



Jenny,

I ran the command and it created the group and also placed the Domain Users
and Domain Computers into the group. I did the net stop and the net start and
I still get the error "RPC server unavailable" when attempting to renew a cert
on either a workstation or member server. On the workstation I have a DCOM
error:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10009
Date: 9/2/2005
Time: 2:04:01 PM
User: NT AUTHORITY\SYSTEM
Computer: 2373Q1U
Description:
DCOM was unable to communicate with the computer
SABASSOCIATES01.sabassociates.local using any of the configured protocols.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
BELOW is the Key that is referenced in the error

ncacn_ip_tcp ncacn_spx ncacn_nb_nb ncacn_nb_ipx

The error still appears to be generated by the DC/CA SBS2K3 SP1 box from what
I can see....


"Jenny wu [MSFT]" wrote:

> Hi,
>
> Thanks for your update!
>
> I am sorry for showing you an incorrect command. Please perform the following
> commands from a command prompt again:
>
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
> net stop certsvc
> net start certsvc
>
> After these commands run successfully, you can find the CERTSVC_DCOM_ACCESS
> security group in ADUC. And then please follow the guide in my initial post
> to manually add the Domain Users group and Domain Computers group to the
> CERTSVC_DCOM_ACCESS security group.
>
> Then run the following commands from a command prompt:
> net stop certsvc
> net start certsvc
>
> Try to test, how about the result?
>
> I appreciate your time and efforts to perform the test. I am looking forward to
> your reply!
>
> Have a nice day!
>
> Best Regards,
>
> Jenny Wu
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: RE: RPC server is unavailable since SP1
> >Date: Thu, 1 Sep 2005 14:41:08 -0700
> >Newsgroups: microsoft.public.windows.server.sbs
> >
> >Jenny,
> >
> >This is SBS2K3 Premium and the SP1 was loaded from the ordered CD with the
> >ISA2004. I have run the network connectivity tests and can communicate both
> >ways, DC to Member Server and Member Server to DC and also to clients.
> >
> >I can not find a security group called CERTSERV_DCOM_ACCESS in the DC which
> >is also the CA. From this fact, I am leaning to the fact that this is the
> >problem.
> >
> >When SP1 was installed, there were no errors.
> >
> >When I try to run the 3 commands you sent, I get a message that 3 args are
> >presented and 1 is expected.
> >
> >"Jenny wu [MSFT]" wrote:
> >
> >> Hi,
> >>
> >> Thanks for posting here!
> >>
> >> For your description, I understand that
> >>
> >> According to your post, I understand that the auto enrollment failed and
> >> when the member server updates its certificate you get the error message RPC
> >> server is unavailable. If I am off-base on that, please let me know.
> >>
> >> The RPC server is unavailable message indicates that there is some
> >> connectivity related issue. For example, the member server cannot locate
> >> the CA Server, the connection to the CA Server is disconnected or the CA
> >> server is off line.
> >>
> >> Suggestion 1:
> >> In your scenario, please rerun CEICW to configure network connection to
> >> test, how about the result?
> >>
> >> If the issue persists, please follow below steps to try to resolve the
> >> issue:
> >>
> >> Suggestion 2:
> >> Windows Server 2003 Service Pack 1 (SP1) introduces some enhanced default
> >> security settings for the DCOM protocol. Specifically, SP1 introduces more
> >> precise rights that give an administrator independent control over local
> >> and remote permissions for launching, activating, and accessing COM servers.
> >>
> >> By default, all DCOM interfaces in Windows Server 2003 SP1 are configured
> >> to grant remote access permissions, remote launch permissions, and remote
> >> activation permissions only to administrators. However, when you upgrade to
> >> Windows Server 2003 SP1, security configuration changes are made to the
> >> global DCOM interface and to the CertSrv Request DCOM interface. These
> >> changes are made to enable Certificate Services to work correctly.
> >>
> >> *Note: Any changes that have been made to the CertSrv Request DCOM
> >> interface security settings before the installation of SP1 will be lost.
> >> The SP1 installation procedure resets all previous security settings in the
> >> CertSrv Request DCOM interface to their default settings.
> >>
> >> During the SP1 installation process, Certificate Services automatically
> >> updates the DCOM security settings as follows:
> >>
> >> 1. CertSrv Request DCOM interface:
> >>
> >> a. The Everyone security group is granted local and remote access
> >> permissions.
> >> b. The Everyone security group is granted local and remote activation
> >> permissions.
> >> c. The Everyone security group is not granted local or remote launch
> >> permissions.
> >>
> >> 2. DCOM Computer Restriction Settings:
> >>
> >> a. A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
> >>
> >> If the certification authority is installed on a member server,
> >> CERTSVC_DCOM_ACCESS is a computer local group, and the Everyone security
> >> group is added to it.
> >>
> >> If the certification authority is installed on a domain controller,
> >> CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users security group
> >> from the certification authority's domain is added to it.
> >>
> >> b. The CERTSVC_DCOM_ACCESS security group is granted local and remote
> >> access permissions.
> >> c. The CERTSVC_DCOM_ACCESS security group is granted local and remote
> >> activation permissions.
> >> d. The CERTSVC_DCOM_ACCESS security group is not granted local or remote
> >> launch permissions.
> >>
> >> If the certification authority is installed on a domain controller, and the
> >> enterprise is made up of more than one domain, Certificate Services cannot
> >> automatically update the DCOM security settings for enrollees from outside
> >> the certification authority's domain. Therefore, these enrollees will be
> >> denied enroll access to the certification authority.
> >>
> >> To resolve this issue, you must manually add the users to the
> >> CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS
> >> security group is a domain local group, you can add only domain groups to
> >> it. For example, if users and computers from another domain, a domain named
> >> Contoso, have to enroll with the certification authority, you must manually
> >> add the Contoso\Domain Users group and the Contoso\Domain Computers group
> >> to the CERTSVC_DCOM_ACCESS security group.
> >>
> >> If any enrollees that should be authorized by the certification authority
> >> are denied authorization after the installation of SP1, you can have
> >> Certificate Services update the DCOM security settings again. To do this,
> >> run the following commands at the command prompt in the following order.
> >> Press ENTER after each command.
> >>
> >> 1. certutil setreg SetupStatus SETUP_DCOM_SECURITY_UPDATED_FLAG
> >> 2. net stop certsvc
> >> 3. net start certsvc
> >>
> >> The DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry
> >> flag that indicates that the DCOM security settings were updated completely
> >> and successfully. Certificate Services checks this flag every time that it
> >> is started. The commands in the previous list reset the flag and then
> >> update the DCOM security settings again.
> >>
> >> REFERENCES
> >> ==========
> >> For more information about the DCOM security enhancements that are
> >> introduced by Windows Server 2003 SP1, visit the following Microsoft
> >> Web site:
> >> http://go.microsoft.com/fwlink/?LinkId=39684: Changes to Functionality in
> >> Microsoft Windows Server 2003 Service Pack 1
> >>
> >> How is the result?
> >>
> >> If the issue persists, please help me collect some information to further
> >> troubleshoot the issue:
> >>
> >> 1. Have you installed CA server? In the SBS server box or some other member
> >> server?
> >> 2. Is your sbs server standard version or premium version? Have you
> >> installed ISA 2004?
> >> 3. Can you give me the screen shot of the error message for further analysis?
> >> 4. On the server and one of the problematic client workstations, run
> >> "eventvwr" (without quotation marks), check whether there is any error in
> >> Application log and System log, if yes, double click it, click the Copy
> >> button and paste the full content to the Newsgroup.
> >>
> >> Also you can send me info to my mailbox: v-yanniw@xxxxxxxxxxxxx
> >>
> >> More information:
> >> Securing Your Windows Small Business Server 2003 Network
> >> http://www.microsoft.com/technet/security/smallbusiness/prodtech/sbs/sec_sbs2003_network.mspx
> >>
> >> I appreciate your time and efforts on the issue. I am currently standing by
> >> for your reply. I am always happy to be of further assistance.
> >>
> >> Have a nice day!
> >>
> >> Best Regards,
> >>
> >> Jenny Wu
> >> Microsoft CSS Online Newsgroup Support
> >> Get Secure! - www.microsoft.com/security
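The thread turns on three separate checks that keep getting mixed together: can the enrolling machine reach the CA over RPC/DCOM at all (the DCOM 10009 event on the workstation), does the CERTSVC_DCOM_ACCESS group exist on the CA and hold Domain Users and Domain Computers, and has Certificate Services actually re-applied the SP1 DCOM security settings (the SetupStatus flag). The script below is an added diagnostic example, not something posted in the thread or shipped by Microsoft; it gathers all three in one pass so a defender can see which leg is failing before restarting certsvc again. It assumes a placeholder CA host name, that `certutil -getreg SetupStatus` prints the SETUP_DCOM_SECURITY_UPDATED_FLAG name in its decoded output once the flag is set, and that the legacy `net localgroup` / `Get-EventLog` tooling is used so it also runs on the PowerShell 1.0 that was available for Windows Server 2003 (newer cmdlets such as Test-NetConnection are deliberately avoided).

```powershell
# Added diagnostic script (not from the thread). Run the reachability check on
# the enrolling client; run the group and SetupStatus checks on the CA host.
param(
    # Placeholder: replace with the FQDN of the CA (the SBS/DC box in the thread).
    [string]$CaHost = "CA-HOST.example.local"
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; avoids cmdlets that do not exist on 2003.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Reachability. DCOM 10009 on a client means none of the configured protocol
#    sequences could reach the CA; the first hop is the RPC endpoint mapper on
#    TCP 135, which ISA/firewall rules or broken name resolution commonly block.
"=== RPC endpoint mapper on $CaHost ==="
if (Test-TcpPort -ComputerName $CaHost -Port 135) {
    "TCP 135 reachable"
} else {
    "TCP 135 NOT reachable: check name resolution and the ISA/firewall rules first"
}

# The protocol sequence list Scott pasted (ncacn_ip_tcp ncacn_spx ...) lives in
# the 'DCOM Protocols' value under HKLM\SOFTWARE\Microsoft\Rpc.
"=== DCOM protocol sequences ==="
$rpc = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Rpc" -ErrorAction SilentlyContinue
if ($rpc -and $rpc.'DCOM Protocols') { $rpc.'DCOM Protocols' } else { "DCOM Protocols value not present" }

# 2. Group membership on the CA. On a DC the group is domain local and on a
#    member server it is computer local; 'net localgroup' lists both cases.
"=== CERTSVC_DCOM_ACCESS members ==="
$members = net localgroup CERTSVC_DCOM_ACCESS 2>&1
$members
foreach ($required in "Domain Users", "Domain Computers") {
    if ($members -match [regex]::Escape($required)) {
        "OK: $required is a member"
    } else {
        "MISSING: $required (add it, then net stop/net start certsvc)"
    }
}

# 3. Has Certificate Services re-applied DCOM security? Assumption: certutil
#    decodes the SetupStatus bitmask and names SETUP_DCOM_SECURITY_UPDATED_FLAG
#    in its output when the bit is set. The thread's -setreg command clears that
#    bit so certsvc redoes the update on its next start.
"=== SetupStatus ==="
$status = certutil -getreg SetupStatus 2>&1
$status
if ($status -match "SETUP_DCOM_SECURITY_UPDATED_FLAG") {
    "Flag set: certsvc considers the DCOM security update complete"
} else {
    "Flag clear: certsvc will re-apply DCOM security on its next start"
}

# 4. Recent DCOM 10009 events on this host (source is 'DCOM' on 2003/XP as in
#    the thread; later Windows versions log it as Microsoft-Windows-DistributedCOM).
"=== DCOM 10009 events, last 7 days ==="
Get-EventLog -LogName System -Source DCOM -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 10009 } |
    Select-Object TimeGenerated, MachineName, Message |
    Format-List
```

Reading the output in order matters: if TCP 135 is unreachable from the workstation, no amount of group or flag fixing on the CA will help, which is why the thread's CEICW suggestion comes first. Only once the endpoint mapper answers does a missing Domain Computers membership (the usual cause when machine auto-enrollment fails while user enrollment works) or a stale SetupStatus flag become the next thing to look at.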