Re: Error trying to Enroll user with Smart Card from Web Enrollment.
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/08/04
Date: Tue, 7 Dec 2004 22:34:33 -0600
I have not come across that error or even tried to enroll for a user in a
child domain, but here are some thoughts. If the certsrv referred to via Web
Enrollment is not a CA, make sure that the server is authorized for
delegation in its computer account in AD Users and Computers. I would also
verify that the CA is in the Cert Publishers group for the child domain,
though that does not appear to be the problem based on your error
description.

"The RPC server is unavailable" is often a problem related mainly to DNS name
resolution or network connectivity to domain controllers, and of course in a
forest the domain controllers in each domain need to find each other via
_srv records for trusts to work. I would verify that your DNS configuration
is correct. A quick, but not foolproof, test would be to ping each computer
from the other and a domain controller in the other domain by its fully
qualified domain name. The support tools netdiag and dcdiag can also help to
verify correct DNS configuration/domain configuration in the domain/forest.
If DNS is delegated to the child domain and the child domain computers are
using the child domain DNS servers as their preferred DNS server, it needs
to be able to resolve parent domain names via the use of a secondary zone
from the parent, conditional forwarding, or stub zone on the child zone DNS
server. The links below go into more detail. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224370 -- this
applies to W2003 also.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382

"msnews.microsoft.com" <List@mcshinsky.com> wrote in message
news:exorVMK3EHA.2180@TK2MSFTNGP10.phx.gbl...
> When attempting to request a certificate for a smart card on behalf of
> another user from web enrollment I get the following error.
>
> "An unexpected error occurred. Error. An unexpected error occured.
> Error: (0x800706BA). CCertRequest Submit The RPC server is unavailable.
> 0x800706ba (WIN32: 1722)"
>
> Environment:
> 1. Standalone offline Root CA [Windows 2003 standard](not part of any
> domain)
> 2. Enterprise Subordinate CA [Windows 2003 standard] (part of parent
> domain)
> 3. Accounts domain is a child domain off of the parent.
>
> After doing many searches there were a few references to the error and
> specifically referencing the enterprise CA being in a parent domain and
> trying to publish to a child domain user account. I have followed the
> instructions of adding the parent domain's Cert Publishers group to user
> objects in the child domain with the correct READ WRITE certificate
> permissions. (Q281271). Has anyone come across this in the past? If more
> info is needed, I would be glad to give it.
>
> Robert B. McShinsky
> Dartmouth Hitch*** Medical Center
>
>
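
Added example (not part of the original post or reply): a PowerShell version of the name-resolution and connectivity checks suggested in the reply, for current Windows versions, since Resolve-DnsName and Test-NetConnection do not exist on the Windows 2003 systems in the thread. The domain names and CA host name are placeholders, and the function names are hypothetical.

```powershell
# Added example. Domain names and the CA host are placeholders (assumptions);
# replace them with the parent domain, child domain and subordinate CA in use.
param(
    [string[]]$Domains = @('parent.example', 'child.parent.example'),
    [string]$CaHost = 'subca.parent.example'
)

function Test-Rpc135 {
    param([string]$HostName)
    # Port 135 is only the RPC endpoint mapper; the dynamic RPC ports it hands
    # out must also be reachable, so a pass here is necessary, not sufficient.
    $r = Test-NetConnection -ComputerName $HostName -Port 135 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Test-DcLocator {
    param([string]$Domain)
    # Domain controllers register this SRV name; it is what other domains in
    # the forest query to locate them.
    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    } catch {
        return [pscustomobject]@{ Check = $srvName; Target = $null
                                  Resolved = $false; Rpc135 = $false }
    }
    foreach ($rec in $srv) {
        # Resolve each DC by its fully qualified name, then try RPC.
        $ok = [bool](Resolve-DnsName -Name $rec.NameTarget -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Check = $srvName; Target = $rec.NameTarget
                           Resolved = $ok
                           Rpc135 = $(if ($ok) { Test-Rpc135 $rec.NameTarget } else { $false }) }
    }
}

# Run from the Web Enrollment server and again from the CA, so each side is
# tested against the other domain as the reply suggests.
$results = @(foreach ($d in $Domains) { Test-DcLocator -Domain $d })
$caOk = [bool](Resolve-DnsName -Name $CaHost -ErrorAction SilentlyContinue)
$results += [pscustomobject]@{ Check = 'CA host'; Target = $CaHost; Resolved = $caOk
                               Rpc135 = $(if ($caOk) { Test-Rpc135 $CaHost } else { $false }) }
$results | Format-Table -AutoSize
```

A row with Resolved = False for one domain but not the other points at the delegation or forwarding setup between the parent and child DNS zones described in the reply.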