RE: RPc server is unavailable since SP1
- From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 5 Sep 2005 13:01:04 -0700
Jenny,
I finally called Tech Support and we found out that there is a hotfix out
related to RPC issues in ISA 2004. Also, there is an "SBS Protected Networks
Access Rule". Right-click it, choose "Configure RPC protocol" and uncheck
"Enforce strict RPC compliance". This will allow DCOM to pass.
This in turn fixed the problem completely. Thanks for the assistance and
hopefully this will help someone else.
Scott
""Jenny wu [MSFT]"" wrote:
> Hi,
>
> Thanks for your update!
>
> I am sorry for the delayed response due to weekend. Please understand that
> the newsgroups are staffed weekdays by Microsoft Support professionals to
> answer your systems and applications questions. Your understanding is
> greatly appreciated!
>
> I. Please add the corresponding users to the CERTSVC_DCOM_ACCESS security
> group according to my initial response; please check carefully.
> =================
> II. Please check DCOM permissions on My Computer, please follow below steps:
>
> 1. Click Start, click Run, type dcomcnfg in the Open box, and then click
> OK.
>
> 2. In Component Services, double-click Component Services, and then
> double-click Computers.
>
> 3. Right-click My Computer, and then click Properties.
>
> 4. Click the COM Security tab.
>
> 5. In the Launch and Activation Permissions area, click Edit Default.
>
> 6. Click Add, type Network Service, and then click OK.
>
> 7. While Network Service is selected, click to select the Allow check boxes
> for the following items:
>
> ** Local Launch
> ** Remote Launch
> ** Local Activation
> ** Remote Activation
>
> Click OK two times.
>
> Try to test, how about the result?
> =======================
> III. Please grant the user permissions to start the COM component
>
> Grant the user permissions to start the COM component. To do this, follow
> these steps:
>
> 1. Click Start, click Run, type regedit in the Open box, and then click OK.
> 2. Locate and then click the following registry subkey:
> HKEY_CLASSES_ROOT\CLSID\CLSID value
>
> *Note: In this subkey, "CLSID value" is a placeholder for the CLSID
> information that appears in the message.
>
> 3. In the right pane, double-click AppID.
>
> The Edit String dialog box appears. Leave this dialog box open and continue
> to the next step.
>
> 4. Click Start, click Run, type dcomcnfg in the Open box, and then click
> OK.
>
> If a Windows Security Alert message prompts you to keep blocking the
> Microsoft Management Console program, click to unblock the program.
>
> 5. In Component Services, double-click Component Services, double-click
> Computers, double-click My Computer, and then click DCOM Config.
>
> 6. In the details pane, locate the program by using the friendly name.
>
> If the AppGUID identifier is listed instead of the friendly name, locate
> the program by using this identifier.
>
> 7. Right-click the program, and then click Properties.
>
> 8. Click the Security tab.
>
> 9. In the Launch and Activation Permissions area, click Customize, and then
> click Edit.
>
> 10. Click Add, type the user's account name, and then click OK.
>
> 11. While the user is selected, click to select the Allow check boxes for
> the following items:
>
> ** Local Launch
> ** Remote Launch
> ** Local Activation
> ** Remote Activation
>
> 12. Click OK two times.
> 13. Quit Registry Editor.
>
> Try to test, how about the result?
> ===================================
> IV. If the issue persists, please try to check the GPO to see if there were
> any Network Service policy settings which block the DCOM access and disable
> it for test.
> How about the result?
>
> V. Please change permissions on the Workstation Authentication template to
> give Authenticated Users Read, Enroll and Autoenroll, restart the CA and
> try to test.
>
> For computer autoenrollment to be successful, the following has to be
> implemented:
>
> In the default domain policy (or a policy that applies to the computers
> that you want to autoenroll) enable autoenrollment by navigating to the
> following location:
> 1. Computer Configuration\Windows Settings\Security Settings\Public Key
> Policies
> 2. Right-click on Autoenrollment Settings and choose Properties to display
> the autoenrollment settings.
> 3. Enable "Enroll Certificates Automatically" and ensure the two check
> boxes beneath it are also selected.
>
> Ensure the computer account has Read, Enroll and Autoenroll on the
> appropriate template, and that the Enterprise CA has Read permissions on
> the same template.
> This is accomplished by adding the Authenticated Users group with Read,
> Enroll and Autoenroll permissions on the template.
>
> To find the list of templates, perform the following steps:
> 1. Open Active Directory Sites and Services.
> 2. Click the View menu and select Show Services Node.
> 3. Navigate to Services, Public Key Services, Certificate Templates.
> 4. Right-click on the appropriate template, choose Properties, click on the
> Security tab and ensure Authenticated Users have Read, Enroll and
> Autoenroll permissions.
>
> For computer autoenrollment, the templates required are:
> Template for Windows 2000 - Machine
> Template for Windows Server 2003 - Workstation Authentication
>
> After changing permissions on the template, restart the CA. Try to test,
> how about the result?
> ======================================
> I appreciate your time and efforts on the issue. I am currently standing by
> for your test result. I am always happy to be of further assistance.
>
> Have a nice day!
>
> Best Regards,
>
> Jenny Wu
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >From: "Scott" <Scott@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: RE: RPc server is unavailable since SP1
> >Date: Sun, 4 Sep 2005 07:17:02 -0700
> >Newsgroups: microsoft.public.windows.server.sbs
> >
> >Jenny,
> >
> > I ran the command and it created the group and also placed the Domain Users
> >and Domain computers into the group. I did the net stop and the net start and
> >I still get the error "RPC server unavailable" when attempting to renew a cert
> >on either a workstation or member server. On the workstation I have a DCOM
> >Error:
> >
> >Event Type: Error
> >Event Source: DCOM
> >Event Category: None
> >Event ID: 10009
> >Date: 9/2/2005
> >Time: 2:04:01 PM
> >User: NT AUTHORITY\SYSTEM
> >Computer: 2373Q1U
> >Description:
> >DCOM was unable to communicate with the computer
> >SABASSOCIATES01.sabassociates.local using any of the configured protocols.
> >
> >For more information, see Help and Support Center at
> >http://go.microsoft.com/fwlink/events.asp.
> >BELOW is the Key that is referenced in the error
> >
> > ncacn_ip_tcp ncacn_spx ncacn_nb_nb ncacn_nb_ipx
> >
> > The error still appears to be generated by the DC/CA SBS2K3 SP1 BOX from what
> >I can see....
> >
> >""Jenny wu [MSFT]"" wrote:
> >
> >> Hi,
> >>
> >> Thanks for your update!
> >>
> >> I am sorry for showing you an incorrect command. Please perform the following
> >> commands from a command prompt again:
> >>
> >> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
> >> net stop certsvc
> >> net start certsvc
> >>
> >> After these commands run successfully, you can find the CERTSVC_DCOM_ACCESS
> >> security group in ADUC. And then please follow the guide in my initial post
> >> to manually add the Domain Users group and Domain Computers group to the
> >> CERTSVC_DCOM_ACCESS security group.
> >>
> >> Then run the following commands from a command prompt:
> >> net stop certsvc
> >> net start certsvc
> >>
> >> Try to test, how about the result?
> >>
> >> I appreciate your time and efforts to perform test. I am looking forward to
> >> your reply!
> >>
> >> Have a nice day!
> >>
> >> Best Regards,
> >>
> >> Jenny Wu
> >> Microsoft CSS Online Newsgroup Support
> >> Get Secure! - www.microsoft.com/security
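
Added example, not part of the original thread or of Microsoft's instructions: a PowerShell audit of the machine-wide DCOM launch and activation ACL that step II edits through dcomcnfg, so the rights granted to Network Service (and anyone else) can be reviewed after the change. It assumes the "Edit Default" list is stored in the DefaultLaunchPermission value under HKLM\SOFTWARE\Microsoft\Ole and also reads MachineLaunchRestriction (the "Edit Limits" list), a value the thread does not mention.

```powershell
# Added example: decode the machine-wide DCOM launch/activation ACLs.
# Run in an elevated PowerShell session on the server being checked.

# COM launch/activation access-mask bits (COM_RIGHTS_* in the Windows SDK).
$ComRights = [ordered]@{
    'Local Launch'      = 0x02
    'Remote Launch'     = 0x04
    'Local Activation'  = 0x08
    'Remote Activation' = 0x10
}

function Get-DcomLaunchAce {
    param([Parameter(Mandatory)][byte[]]$SecurityDescriptor)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($SecurityDescriptor, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }          # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        # Legacy form: COM_RIGHTS_EXECUTE (0x01) alone means all four rights.
        if (($mask -band 0x01) -and -not ($mask -band 0x1E)) { $mask = 0x1E }
        $granted = $ComRights.Keys | Where-Object { $mask -band $ComRights[$_] }
        [pscustomobject]@{
            Account = $name
            Type    = $ace.AceQualifier       # AccessAllowed or AccessDenied
            Rights  = $granted -join ', '
            Remote  = [bool]($mask -band 0x14) # any remote launch/activation bit
        }
    }
}

$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($value in 'DefaultLaunchPermission', 'MachineLaunchRestriction') {
    $bytes = $ole.$value
    if (-not $bytes) {
        Write-Output "${value}: not set (built-in default applies)"
        continue
    }
    Write-Output "== $value =="
    Get-DcomLaunchAce -SecurityDescriptor $bytes | Format-Table -AutoSize
}
```

Rows with Remote = True on an AccessAllowed entry are the accounts that can launch or activate COM servers from the network, which is the exposure to review once the firewall rule no longer enforces strict RPC compliance.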