RE: RPc server is unavailable since SP1



Hi,

Thanks for your update!

I am sorry for the delayed response due to the weekend. Please understand that
the newsgroups are staffed on weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

I. Please add the corresponding users to the CERTSVC_DCOM_ACCESS security group
as described in my initial response; please check this carefully.
=================
II. Please check the DCOM permissions on My Computer. Please follow the steps below:

1. Click Start, click Run, type dcomcnfg in the Open box, and then click
OK.

2. In Component Services, double-click Component Services, and then
double-click Computers.

3. Right-click My Computer, and then click Properties.

4. Click the COM Security tab.

5. In the Launch and Activation Permissions area, click Edit Default.

6. Click Add, type Network Service, and then click OK.

7. While Network Service is selected, click to select the Allow check boxes
for the following items:

** Local Launch
** Remote Launch
** Local Activation
** Remote Activation

Click OK two times.

Please try the test again. How is the result?
=======================
III. Please grant the user permissions to start the COM component

Grant the user permissions to start the COM component. To do this, follow
these steps:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_CLASSES_ROOT\CLSID\CLSID value

*Note: In this subkey, "CLSID value" is a placeholder for the CLSID
information that appears in the error message.

3. In the right pane, double-click AppID.

The Edit String dialog box appears. Leave this dialog box open and continue
to the next step.

4. Click Start, click Run, type dcomcnfg in the Open box, and then click
OK.

If a Windows Security Alert message prompts you to keep blocking the
Microsoft Management Console program, click to unblock the program.

5. In Component Services, double-click Component Services, double-click
Computers, double-click My Computer, and then click DCOM Config.

6. In the details pane, locate the program by using the friendly name.

If the AppGUID identifier is listed instead of the friendly name, locate
the program by using this identifier.

7. Right-click the program, and then click Properties.

8. Click the Security tab.

9. In the Launch and Activation Permissions area, click Customize, and then
click Edit.

10. Click Add, type the user's account name, and then click OK.

11. While the user is selected, click to select the Allow check boxes for
the following items:

** Local Launch
** Remote Launch
** Local Activation
** Remote Activation

12. Click OK two times.
13. Quit Registry Editor.

Please try the test again. How is the result?
===================================
IV. If the issue persists, please check the GPO to see whether any Network
Service policy settings block DCOM access, and disable them for the test.
How is the result?

V. Please change the permissions on the Workstation Authentication template to
give Authenticated Users Read, Enroll and Autoenroll, restart the CA and
try the test again.

For computer autoenrollment to be successful, the following has to be
implemented:

In the default domain policy (or a policy that applies to the computers
that you want to autoenroll) enable autoenrollment by navigating to the
following location:
1. Computer Configuration\Windows Settings\Security Settings\Public Key
Policies
2. Right-click on Autoenrollment Settings and choose Properties to display
the autoenrollment settings.
3. Enable "Enroll Certificates Automatically" and ensure the two check
boxes beneath it are also selected.

Ensure the computer account has Read, Enroll and Autoenroll on the
appropriate template, and that the Enterprise CA has Read permissions on
the same template.
This is accomplished by adding the Authenticated Users group with Read,
Enroll and Autoenroll permissions on the template.

To find the list of templates, perform the following steps:
1. Open Active Directory Sites and Services.
2. Click the View menu and select Show Services Node.
3. Navigate to Services, Public Key Services, Certificate Templates.
4. Right-click on the appropriate template, choose Properties, click on the
Security tab and ensure Authenticated Users have Read, Enroll and
Autoenroll permissions.

For computer autoenrollment, the templates required are:
Template for Windows 2000 - Machine
Template for Windows Server 2003 - Workstation Authentication

After changing permissions on the template, restart the CA. Please try the
test again. How is the result?
======================================
I appreciate your time and effort on this issue. I am currently standing by
for your test result. I am always happy to be of further assistance.

Have a nice day!

Best Regards,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
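The steps above (I through V) are all GUI checks of state that can be read programmatically. The following script is an added example and is not part of the thread or of any Microsoft tool: run on the CA host, it verifies the CERTSVC_DCOM_ACCESS group and its members, whether SetupStatus carries SETUP_DCOM_SECURITY_UPDATED_FLAG, the DCOM access and activation ACEs on the "CertSrv Request" AppID, and the Read / Enroll / Autoenroll ACEs for Authenticated Users on the Workstation Authentication template. With -Fix it runs the same reset sequence as the thread (clear the flag, restart certsvc, then add Domain Users and Domain Computers to the group). It assumes Windows PowerShell 5.1 with the ActiveDirectory RSAT module and Enterprise Admin rights on a current AD CS server (PowerShell did not exist on SBS 2003); the COM_RIGHTS_* bit values, the Enroll/AutoEnroll extended-right GUIDs and the decoded flag-name format of certutil -getreg output are assumptions from the SDK headers and AD schema, not from the thread.

```powershell
<#
  Added example (not from the thread). Verifies the server-side state this
  thread adjusts by hand after the Windows Server 2003 SP1 DCOM hardening.
  Assumed: Windows PowerShell 5.1, ActiveDirectory RSAT module, run as an
  Enterprise Admin on the CA host.
#>
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$Template = 'Workstation Authentication',   # template display name
    [switch]$Fix                                         # re-run the SP1 DCOM update
)

# COM_RIGHTS_* bits in a DCOM ACE AccessMask (assumed from the COM SDK headers)
$COM_EXECUTE_LOCAL = 2; $COM_EXECUTE_REMOTE = 4; $COM_ACTIVATE_REMOTE = 16
# Extended-right GUIDs on certificate templates (assumed from the AD schema)
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

if ($Fix) {
    # Same sequence as the thread: clearing the flag makes certsvc redo the
    # DCOM security update (group creation + ACEs) on its next start.
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
    Restart-Service certsvc
}

$r = [ordered]@{}

# 1. CERTSVC_DCOM_ACCESS exists and holds Domain Users / Domain Computers
$grp = Get-ADGroup -Filter "Name -eq 'CERTSVC_DCOM_ACCESS'"
$r.GroupExists = [bool]$grp
if ($grp) {
    $names = @((Get-ADGroupMember -Identity $grp).Name)
    if ($Fix) {
        'Domain Users', 'Domain Computers' | Where-Object { $_ -notin $names } |
            ForEach-Object { Add-ADGroupMember -Identity $grp -Members $_ }
        $names = @((Get-ADGroupMember -Identity $grp).Name)
        Restart-Service certsvc      # the thread restarts certsvc after adding members
    }
    $r.HasDomainUsers     = 'Domain Users'     -in $names
    $r.HasDomainComputers = 'Domain Computers' -in $names
}

# 2. SetupStatus flag (certutil prints the decoded flag names, e.g.
#    "SETUP_DCOM_SECURITY_UPDATED_FLAG -- 2000 (8192)")
$r.DcomFlagSet = (certutil -getreg SetupStatus | Out-String) -match 'SETUP_DCOM_SECURITY_UPDATED_FLAG'

# 3. DCOM ACLs on the "CertSrv Request" AppID. $null DACL = machine-wide defaults apply.
function Test-ComAce([object[]]$Dacl, [int]$Bits, [string[]]$Trustees) {
    if (-not $Dacl) { return $null }
    [bool]($Dacl | Where-Object {
        $_.AceType -eq 0 -and (($_.AccessMask -band $Bits) -eq $Bits) -and
        $_.Trustee.Name -in $Trustees })
}
$app = Get-WmiObject Win32_DCOMApplication -Filter "Name='CertSrv Request'"
if ($app) {
    $cfg = Get-WmiObject Win32_DCOMApplicationSetting -Filter "AppID='$($app.AppID)'"
    $acc = $cfg.GetAccessSecurityDescriptor().Descriptor.DACL
    $lnc = $cfg.GetLaunchSecurityDescriptor().Descriptor.DACL
    $who = 'CERTSVC_DCOM_ACCESS', 'Everyone'
    $r.RemoteAccess     = Test-ComAce $acc $COM_EXECUTE_REMOTE  $who
    $r.RemoteActivation = Test-ComAce $lnc $COM_ACTIVATE_REMOTE $who
    # SP1 deliberately does NOT grant launch to enrollees; report it if someone added it
    $r.EnrolleesCanLaunch = Test-ComAce $lnc ($COM_EXECUTE_LOCAL -bor $COM_EXECUTE_REMOTE) $who
}

# 4. Template ACEs for Authenticated Users (template cn differs from display name,
#    so search by displayName). GenericAll would also imply these rights.
$ctx  = (Get-ADRootDSE).configurationNamingContext
$tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ctx" `
                     -Filter "displayName -eq '$Template'"
if ($tmpl) {
    $aces = (Get-Acl -Path "AD:\$($tmpl.DistinguishedName)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }
    $r.TemplateRead       = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|GenericAll|ReadProperty' })
    $r.TemplateEnroll     = [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollRight     -or $_.ActiveDirectoryRights -match 'GenericAll' })
    $r.TemplateAutoenroll = [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollRight -or $_.ActiveDirectoryRights -match 'GenericAll' })
}
[pscustomobject]$r
```

A $null in RemoteAccess or RemoteActivation means the CertSrv Request AppID has no per-application DACL and the machine-wide defaults from step II apply; a $false there is the SP1 reset the first post describes and is what -Fix repairs. EnrolleesCanLaunch should stay $false: step III in the thread grants Launch to a single user account for a test, and that ACE should be removed afterwards rather than widened to Everyone.

The next script is also an added example, not from the thread, and covers the client side of the same failure: Scott's "RPC server is unavailable" on renewal and DCOM event 10009 on the workstation. It lists every enterprise CA published in AD, then checks in the order the error would surface: the RPC endpoint mapper (TCP 135) on the CA host, the "DCOM Protocols" value the event refers to (the ncacn_* list) on this client, and a real DCOM round trip to the CA with certutil -ping. It assumes Windows PowerShell 5.1 on a domain-joined client; no RSAT is needed.

```powershell
<#
  Added example (not from the thread). Client-side triage for
  "RPC server is unavailable" / DCOM event 10009 against an enterprise CA.
  Assumed: Windows PowerShell 5.1 on a domain-joined client.
#>
function Get-EnterpriseCA {
    # Enrollment Services holds one pKIEnrollmentService object per enterprise CA
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $es  = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
    foreach ($ca in $es.psbase.Children) {
        [pscustomobject]@{
            Name = $ca.Properties['cn'].Value
            Host = $ca.Properties['dNSHostName'].Value
        }
    }
}

# DCOM only tries the protocol sequences listed here; ncacn_ip_tcp must be present
$protocols = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc' -Name 'DCOM Protocols' `
              -ErrorAction SilentlyContinue).'DCOM Protocols'

foreach ($ca in Get-EnterpriseCA) {
    $epm = Test-NetConnection -ComputerName $ca.Host -Port 135 -WarningAction SilentlyContinue
    $out = certutil -ping -config "$($ca.Host)\$($ca.Name)" 2>&1 | Out-String
    [pscustomobject]@{
        CA            = $ca.Name
        Host          = $ca.Host
        Epm135Open    = $epm.TcpTestSucceeded
        TcpInDcomList = [bool]($protocols -contains 'ncacn_ip_tcp')
        DcomPingOk    = ($LASTEXITCODE -eq 0)
        LastLine      = ($out.Trim() -split "`r?`n")[-1]
    }
}
```

If Epm135Open is false the problem is the network or a host firewall (ISA 2004 in Scott's setup), not DCOM ACLs; if 135 is open but DcomPingOk is false, LastLine carries the HRESULT from the CA, and an access-denied result there points back at the CERTSVC_DCOM_ACCESS membership and CertSrv Request ACEs in the first post.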

--------------------
>From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: RPc server is unavailable since SP1
>Date: Sun, 4 Sep 2005 07:17:02 -0700
>Newsgroups: microsoft.public.windows.server.sbs
>
>Jenny,
>
> I ran the command and it created the group and also placed the Domain Users
>and Domain Computers into the group. I did the net stop and the net start and
>I still get the error "RPC server unavailable" when attempting to renew a cert
>on either a workstation or member server. On the workstation I have a DCOM
>error:
>
>Event Type: Error
>Event Source: DCOM
>Event Category: None
>Event ID: 10009
>Date: 9/2/2005
>Time: 2:04:01 PM
>User: NT AUTHORITY\SYSTEM
>Computer: 2373Q1U
>Description:
>DCOM was unable to communicate with the computer
>SABASSOCIATES01.sabassociates.local using any of the configured protocols.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>BELOW is the key that is referenced in the error:
>
> ncacn_ip_tcp ncacn_spx ncacn_nb_nb ncacn_nb_ipx
>
> The error still appears to be generated by the DC/CA SBS2K3 SP1 box from what
>I can see....
>
>""Jenny wu [MSFT]"" wrote:
>
>> Hi,
>>
>> Thanks for your update!
>>
>> I am sorry for showing you an incorrect command. Please perform the following
>> commands from a command prompt again:
>>
>> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
>> net stop certsvc
>> net start certsvc
>>
>> After these commands run successfully, you can find the CERTSVC_DCOM_ACCESS
>> security group in ADUC. Then please follow the guide in my initial post
>> to manually add the Domain Users group and Domain Computers group to the
>> CERTSVC_DCOM_ACCESS security group.
>>
>> Then run the following commands from a command prompt:
>> net stop certsvc
>> net start certsvc
>>
>> Please try the test again. How is the result?
>>
>> I appreciate your time and efforts to perform the test. I am looking forward
>> to your reply!
>>
>> Have a nice day!
>>
>> Best Regards,
>>
>> Jenny Wu
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>> --------------------
>> >From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: RE: RPc server is unavailable since SP1
>> >Date: Thu, 1 Sep 2005 14:41:08 -0700
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >
>> >Jenny,
>> >
>> >This is SBS2K3 Premium and the SP1 was loaded from the ordered CD with the
>> >ISA2004. I have run the network connectivity tests and can communicate both
>> >ways, DC to Member Server and Member Server to DC and also to clients.
>> >
>> > I cannot find a security group called CERTSERV_DCOM_ACCESS in the DC which
>> >is also the CA. From this fact, I am leaning to the fact that this is the
>> >problem.
>> >
>> > When SP1 was installed, there were no errors.
>> >
>> > When I try to run the 3 commands you sent, I get a message that 3 args are
>> >presented and 1 is expected.
>> >
>> >""Jenny wu [MSFT]"" wrote:
>> >
>> >> Hi,
>> >>
>> >> Thanks for posting here!
>> >>
>> >> According to your post, I understand that the auto enrollment failed and
>> >> when the member server updates its certificate you get the error message
>> >> RPC server is unavailable. If I am off-base on that, please let me know.
>> >>
>> >> The RPC server is unavailable message indicates that there is some
>> >> connectivity related issue. For example, the member server cannot locate
>> >> the CA Server, the connection to the CA Server is disconnected or the CA
>> >> server is off line.
>> >>
>> >> Suggestion 1:
>> >> In your scenario, please rerun CEICW to configure the network connection
>> >> and test. How is the result?
>> >>
>> >> If the issue persists, please follow the steps below to try to resolve the
>> >> issue:
>> >>
>> >> Suggestion 2:
>> >> Windows Server 2003 Service Pack 1 (SP1) introduces some enhanced default
>> >> security settings for the DCOM protocol. Specifically, SP1 introduces more
>> >> precise rights that give an administrator independent control over local
>> >> and remote permissions for launching, activating, and accessing COM servers.
>> >>
>> >> By default, all DCOM interfaces in Windows Server 2003 SP1 are configured
>> >> to grant remote access permissions, remote launch permissions, and remote
>> >> activation permissions only to administrators. However, when you upgrade to
>> >> Windows Server 2003 SP1, security configuration changes are made to the
>> >> global DCOM interface and to the CertSrv Request DCOM interface. These
>> >> changes are made to enable Certificate Services to work correctly.
>> >>
>> >> *Note: Any changes that have been made to the CertSrv Request DCOM
>> >> interface security settings before the installation of SP1 will be lost.
>> >> The SP1 installation procedure resets all previous security settings in the
>> >> CertSrv Request DCOM interface to their default settings.
>> >>
>> >> During the SP1 installation process, Certificate Services automatically
>> >> updates the DCOM security settings as follows:
>> >>
>> >> 1. CertSrv Request DCOM interface:
>> >>
>> >> a. The Everyone security group is granted local and remote access
>> >> permissions.
>> >> b. The Everyone security group is granted local and remote activation
>> >> permissions.
>> >> c. The Everyone security group is not granted local or remote launch
>> >> permissions.
>> >>
>> >> 2. DCOM Computer Restriction Settings:
>> >>
>> >> a. A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
>> >>
>> >> If the certification authority is installed on a member server,
>> >> CERTSVC_DCOM_ACCESS is a computer local group, and the Everyone security
>> >> group is added to it.
>> >>
>> >> If the certification authority is installed on a domain controller,
>> >> CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users security
>> >> group from the certification authority's domain is added to it.
>> >>
>> >> b. The CERTSVC_DCOM_ACCESS security group is granted local and remote
>> >> access permissions.
>> >> c. The CERTSVC_DCOM_ACCESS security group is granted local and remote
>> >> activation permissions.
>> >> d. The CERTSVC_DCOM_ACCESS security group is not granted local or remote
>> >> launch permissions.
>> >>
>> >> If the certification authority is installed on a domain controller, and the
>> >> enterprise is made up of more than one domain, Certificate Services cannot
>> >> automatically update the DCOM security settings for enrollees from outside
>> >> the certification authority's domain. Therefore, these enrollees will be
>> >> denied enroll access to the certification authority.
>> >>
>> >> To resolve this issue, you must manually add the users to the
>> >> CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS
>> >> security group is a domain local group, you can add only domain groups to
>> >> it. For example, if users and computers from another domain, a domain named
>> >> Contoso, have to enroll with the certification authority, you must manually
>> >> add the Contoso\Domain Users group and the Contoso\Domain Computers group
>> >> to the CERTSVC_DCOM_ACCESS security group.
>> >>
>> >> If any enrollees that should be authorized by the certification authority
>> >> are denied authorization after the installation of SP1, you can have
>> >> Certificate Services update the DCOM security settings again. To do this,
>> >> run the following commands at the command prompt in the following order.
>> >> Press ENTER after each command.
>> >>
>> >> 1. certutil setreg SetupStatus SETUP_DCOM_SECURITY_UPDATED_FLAG
>> >> 2. net stop certsvc
>> >> 3. net start certsvc
>> >>
>> >> The DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry
>> >> flag that indicates that the DCOM security settings were updated completely
>> >> and successfully. Certificate Services checks this flag every time that it
>> >> is started. The commands in the previous list reset the flag and then
>> >> update the DCOM security settings again.
>> >>
>> >> REFERENCES
>> >> ==========
>> >> For more information about the DCOM security enhancements that are
>> >> introduced by Windows Server 2003 SP1, visit the following Microsoft
>> >> Web site:
>> >> http://go.microsoft.com/fwlink/?LinkId=39684: Changes to Functionality in
>> >> Microsoft Windows Server 2003 Service Pack 1
>> >>
>> >> How is the result?
>> >>
>> >> If the issue persists, please help me collect some information to further
>> >> troubleshoot the issue:
>> >>
>> >> 1. Have you installed a CA server? On the SBS server box or on some other
>> >> member server?
>> >> 2. Is your SBS server the standard version or the premium version? Have you
>> >> installed ISA 2004?
>> >> 3. Can you give me a screen shot of the error message for further analysis?
>> >> 4. On the server and one of the problematic client workstations, run
>> >> "eventvwr" (without quotation marks), check whether there is any error in
>> >> the Application log and System log; if yes, double click it, click the Copy
>> >> button and paste the full content to the Newsgroup.
>> >>
>> >> Also you can send me info to my mailbox: v-yanniw@xxxxxxxxxxxxx
>> >>
>> >> More information:
>> >> Securing Your Windows Small Business Server 2003 Network
>> >> http://www.microsoft.com/technet/security/smallbusiness/prodtech/sbs/sec_sbs2003_network.mspx
>> >>
>> >> I appreciate your time and effort on this issue. I am currently standing by
>> >> for your reply. I am always happy to be of further assistance.
>> >>
>> >> Have a nice day!
>> >>
>> >> Best Regards,
>> >>
>> >> Jenny Wu
>> >> Microsoft CSS Online Newsgroup Support
>> >> Get Secure! - www.microsoft.com/security