Most likely, a lot of you already faced an error The RPC server is unavailable. (Exception from HRESULT: 0x800706BA). This happens when you try to connect to a remote computer or server through a specific MMC snap-in, WMI, PowerShell, WinRM, or another remote management tool.
Troubleshooting RPC server unavailable error 0x800706BA
The easiest way to test the RPC connectivity between local and remote computers is to use a simple WMI query against a remote host.
In our case, we tried to poll a remote computer through WMI from the PowerShell console.
PS C:\Windows\system32> Get-WmiObject Win32_ComputerSystem –ComputerName 192.168.0.14 Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) At line:1 char:1 + Get-WmiObject Win32_ComputerSystem –ComputerName 192.168.0.14 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException + FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
In this example, you can see that the remote computer is not accessible by RPC.
Note. If the RPC communication between your hosts is working fine, you should get the remote computer info in the command output:
Several common problems can cause the RPC server unavailable error:
- The RPC service is stopped/failed on the remote computer;
- The RPC Endpoint Mapper port TCP/135 is not accessible on the remote computer;
- The Dynamic RPC range is blocked by firewalls installed between your computer and the remote computer.
First of all, make sure RPC Endpoint Mapper port 135 in listening on a remote computer. Use the following command:
netstat -ano | find "135"
Now you need to check the next things in order to fix the error The RPC server is unavailable 0x800706BA:
- Check if you have entered the correct IP address or computer name; check if the remote computer is not in the shutdown/startup state now;
- Verify that Remote Procedure Call (RPC) and Windows Management Instrumentation services are running on the remote computer. You can check the status of services using the following commands: sc query Winmgmt and sc query rpcss. If these services are started, the commands should return STATE: 4 RUNNING. If the services are stopped, run them with the command:
net start rpcss & net start Winmgmt
- Or you can run the Service management console (services.msc) and make sure that the Remote Procedure Call (RPC) and DCOM Server Process Launcher services are in the running state and configured to start automatically.
Access to the remote computer over RPC ports may be blocked by firewalls (this is a very common reason). If there are no firewalls on your network, try temporarily disabling the firewall apps (including Windows Defender Firewall with Advanced Security) on the client and server-side and check the RPC connection. Additionally, for the RPC protocol to operate, you must check the availability of port TCP/135 (RPC Endpoint Mapper) on the remote computer side. The easiest way is to test for open/closed port is to use the following PowerShell command:
Test-NetConnection 192.168.1.14 -port 135
If the RPC service is enabled and access to it is not blocked, the TcpTestSucceeded line should contain True.
If port 135 (RPC Endpoint Mapper) is available, but the error “The RPC server is unavailable” is still present, you need to ensure that firewalls are not blocking communication on a dynamic RPC port range. The RPC Dynamic Ports is a TCP port range from 49152 to 65535, that must be open for RPC technology to work properly.
You can use a small command-line tool PortQry from Microsoft to get a list of RPC Dynamic ports via the RPC Mapper service. Use the following command to get the list of RPC endpoints from a remote Endpoint Mapper Database:
PortQry.exe -e 135 -n 192.168.1.201
In this case, 151 endpoints were found. Each RPC point has a dynamic TCP port number next to it that it is listening on. You can check the availability of the RPC port for the desired service using the PowerShell command:
Test-NetConnection 192.168.1.201 -port 49703
Many firewalls block RPC and SMB/NetBios (NetScreen) even if you have any-any rules enabled. In this case, you must specifically create a rule/policy to explicitly allow RPC dynamic ports.
Certificate Enrollment Error – 0x800706ba The RPC server is unavailable
If you are facing an error The RPC server is unavailable 0x800706ba when performing the automatic registration of a certificate on a domain controller or in a certification authority, you can find the following error event in the Event Viewer > Application log on the server:
Source: CertificateServicesClient-CertEnroll Event ID: 13
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from ServerCA.contoso.com ServerCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722))
Or:
Source: CertificateServicesClient-AutoEnrollment EventID: 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
When you trying to enroll the certificate you can see the following message:
An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
In this case, the domain controller or other client fails to enroll for certificates from CA.
This problem can have several solutions, but in most cases, the source of the problem is your computer is a member of the group DCOM access group (DCOM access to certificate service) or the incorrect permissions are issued. Follow the next steps:
- On the domain controller on which the certification service is deployed, you need to make sure there is a domain security group CERTSVC_DCOM_ACCESS or Certificate Service DCOM Access;
- Add the following domain groups to the CERTSVC_DCOM_ACCESS/Certificate Service DCOM Access group: Domain Users, Domain Controllers, Domain Computers;
- Update the DCOM security settings on the server with the CA role using the commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG net stop certsvc & net start certsvc
- On a server with the deployed CA, check the COM Security permissions. This group must have Remote Access and Remote Activation permissions allowed;
- After that, try to restart the computer and check the certificate enrollment.
If the above solution doesn’t work, use the nltest command to find out problems with netlogon calls to a domain controller:
Nltest /Server:dc01 /query
Then check the Active Directory CA request interface responding:
Certutil -ping
Server “test-DC01-CA” ICertRequest2 interface is alive (62ms)
CertUtil: -ping command completed successfully.
If you receive the error “Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)” from the non-domain joined computer, ensure that “Authenticated Users” group is added to the “Certificate Service DCOM Access” group on the CA server.
- How to Shutdown Windows 10 on a Timer? - April 14, 2021
- How to Create a GUI for PowerShell Scripts? - April 9, 2021
- How to Configure Radius Server on Windows Server 2016? - April 8, 2021
Bingo! Thanks!
Thanks! Fixed my issue
When you say make sure one of the 2 listed domain security groups…where does that group need to have permissions granted? Just adding the group to the domain isn’t going to do anything.
Mine passes the nltest fine but when running the certutil -ping on the CA it passes but from any other server it does not. I get the following error:
CertUtil: No local Certification Authority: use -config option
CertUtil: -ping command FAILED: 0x80070103 (WIN32/HTTP: 259 ERROR_NO_MORE_ITEMS)
CertUtil: No more data is available.