Many of you have probably already encountered the error The RPC server is unavailable. (Exception from HRESULT: 0x800706BA). It appears when you try to connect to a remote computer or server through an MMC snap-in, WMI, PowerShell, WinRM, or another remote management tool.
Troubleshooting RPC server unavailable error 0x800706BA
The easiest way to test the RPC connectivity between the local and remote computer is to run a simple WMI query against a remote host.
In our case, we tried to query a remote computer through WMI from the PowerShell console.
PS C:\Windows\system32> Get-WmiObject Win32_ComputerSystem -ComputerName 192.168.0.14
Get-WmiObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At line:1 char:1
+ Get-WmiObject Win32_ComputerSystem –ComputerName 192.168.0.14
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], COMException
+ FullyQualifiedErrorId : GetWMICOMException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
In this example, you can see that the remote computer is not accessible via RPC.
Note. If the RPC communication between your hosts is working fine, you should get the remote computer info in the command output.
Several common problems can cause the RPC server unavailable error:
- The remote computer is switched off or there are other connectivity issues when the RPC client cannot reach the server due to a general network problem;
- The RPC service is stopped/failed on the remote computer;
- The RPC Endpoint Mapper port TCP/135 is not accessible on the remote computer;
- The Dynamic RPC port range is blocked by firewalls between your computer and the remote computer.
First of all, make sure the RPC Endpoint Mapper port 135 is listening on the remote computer. Use the following command:
netstat -ano | find "135"
Next, check the following to fix the error The RPC server is unavailable 0x800706BA:
- Check if you have entered the correct IP address or computer name; check if the remote computer is not currently in a shutdown/startup state;
- Verify that the Remote Procedure Call (RPC) and Windows Management Instrumentation services are running on the remote computer. You can check the status of the services using the following commands: sc query Winmgmt and sc query rpcss. If these services are started, the commands should return STATE: 4 RUNNING. If the services are stopped, run them with the command:
net start rpcss & net start Winmgmt
- Or you can run the Service management console GUI (services.msc) and make sure that the Remote Procedure Call (RPC) and DCOM Server Process Launcher services are in the running state and configured to start automatically.
Firewalls may block access to the remote computer through RPC ports (this is a very common reason). If there are no firewalls on your network, try temporarily disabling the firewall apps (including Windows Defender Firewall with Advanced Security) on both the client and server sides and check the RPC connectivity. Additionally, for the RPC protocol to operate, you must check the availability of port TCP/135 (RPC Endpoint Mapper) on the remote computer side. The easiest way to test for open/closed ports is to use the following PowerShell command:
Test-NetConnection 192.168.1.14 -port 135
If the RPC service is enabled and access to it is not blocked, the TcpTestSucceeded line should contain True.
If port 135 (RPC Endpoint Mapper) is available, but the error “The RPC server is unavailable” is still present, you need to ensure that firewalls are not blocking communication on the dynamic RPC port range. The RPC dynamic ports are TCP ports 49152 to 65535, and they must be open for RPC to work properly.
Check that the Windows Defender firewall has rules that allow inbound traffic on port 135 (RPC Endpoint Mapper) and the TCP RPC Dynamic Ports range. If there are no rules for inbound RPC traffic (they have been removed), you will need to create them manually.
In Windows 2003 and Windows XP, the range of ports that are used for RPC is 1024 — 65535. In current versions of Windows, the Dynamic RPC port range uses ports from 49152 to 65535. Windows allows you to change the available RPC port range via the registry. This is often used when you need to restrict the open port range for RPC on the firewall.
For example, to restrict RPC ports to a range of 6000-6100, create the following registry settings in the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc key:
Name | Type | Value |
Ports | REG_SZ | 6000-6100 |
PortsInternetAvailable | REG_SZ | Y |
UseInternetPorts | REG_SZ | Y |
You can force Windows Defender Firewall to open the specified range of TCP ports.
Restart all services and applications that use dynamic RPC port allocation.
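The inbound rules for port 135 and the dynamic range, and the rule for a restricted range such as 6000-6100, can be created with the same few cmdlets. The following is an added example, not part of the original article; it limits the rules to a management subnet rather than any source. The function name, rule names, subnet and the choice of the Domain profile are assumptions.

```powershell
# Added example (not from the article). Run elevated on the RPC server.
# $MgmtSubnet and the rule names are hypothetical; adjust to your environment.
function Set-ScopedRpcRule {
    param(
        [string]$MgmtSubnet   = '192.168.1.0/24',  # assumed admin network
        # 'RPC' is the firewall keyword for the dynamic RPC range; pass a
        # literal range such as '6000-6100' if the range was restricted.
        [string]$DynamicPorts = 'RPC'
    )
    $wanted = @(
        @{ Name = 'RPC Endpoint Mapper (mgmt subnet only)'; Port = 'RPCEPMap' },
        @{ Name = 'RPC dynamic ports (mgmt subnet only)';   Port = $DynamicPorts }
    )
    foreach ($w in $wanted) {
        $rule = Get-NetFirewallRule -DisplayName $w.Name -ErrorAction SilentlyContinue
        if ($rule) {
            # Rule already exists: re-enable it and bring scope and ports back in line.
            $rule | Set-NetFirewallRule -Enabled True -RemoteAddress $MgmtSubnet -LocalPort $w.Port
        } else {
            # Domain profile only is an assumption (domain-joined server).
            New-NetFirewallRule -DisplayName $w.Name -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $w.Port -RemoteAddress $MgmtSubnet `
                -Profile Domain | Out-Null
        }
    }
    # Report what is now in effect so the scope can be reviewed.
    foreach ($w in $wanted) {
        $r = Get-NetFirewallRule -DisplayName $w.Name
        [pscustomobject]@{
            Rule          = $r.DisplayName
            Enabled       = $r.Enabled
            LocalPort     = ($r | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

# Default dynamic range:
Set-ScopedRpcRule
# After restricting RPC to 6000-6100 as in the registry example:
# Set-ScopedRpcRule -DynamicPorts '6000-6100'
```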
You can use PortQry, a small command-line tool from Microsoft, to get a list of the RPC dynamic ports registered with the RPC Endpoint Mapper service. Use the following command to get the list of RPC endpoints from a remote Endpoint Mapper database:
PortQry.exe -e 135 -n 192.168.1.201
In this case, 151 endpoints were found. Each RPC endpoint has next to it the dynamic TCP port number that it is listening on. You can check the availability of the RPC port for the desired service using the PowerShell command:
Test-NetConnection 192.168.1.201 -port 49703
Many firewalls block RPC and SMB/NetBIOS even if you have any-any rules enabled. In this case, you must specifically create a rule/policy to explicitly allow RPC dynamic ports.
Note. Windows RPC/DCOM connections often don’t work correctly when NAT is used. Try to connect to your RPC server directly, without using NAT.
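The checks above (port 135 first, then the dynamic ports reported by PortQry) can be run as one pass that tells you which hop is failing. This is an added example, not part of the original article; the function names are hypothetical, the sample PortQry lines are constructed, and the parser assumes TCP bindings are printed as ncacn_ip_tcp:<host>[<port>].

```powershell
# Added example (not from the article). Run from the management workstation.
function Get-RpcTcpPort {
    # Pull unique TCP ports out of PortQry endpoint-mapper text.
    # Assumes binding lines shaped like: ncacn_ip_tcp:<host>[<port>]
    param([string[]]$PortQryOutput)
    $PortQryOutput |
        Select-String -Pattern 'ncacn_ip_tcp:[^\[]+\[(\d+)\]' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { [int]$_.Groups[1].Value } |
        Sort-Object -Unique
}

function Test-RpcPath {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$DynamicPort = @()
    )
    # Step 1: Endpoint Mapper. On failure Test-NetConnection also pings the
    # host, which separates "host down" from "TCP/135 filtered or not listening".
    $epm = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    if (-not $epm.TcpTestSucceeded) {
        $finding = if ($epm.PingSucceeded) {
            'Host answers ping but TCP/135 is closed: check RpcSs and firewall rules'
        } else {
            'No ping and no TCP/135: host down, wrong address, or traffic filtered'
        }
        return [pscustomobject]@{ Port = 135; Open = $false; Finding = $finding }
    }
    [pscustomobject]@{ Port = 135; Open = $true; Finding = 'Endpoint Mapper reachable' }

    # Step 2: each dynamic port the mapper advertised.
    foreach ($p in $DynamicPort) {
        $t = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $p
            Open    = $t.TcpTestSucceeded
            Finding = if ($t.TcpTestSucceeded) { 'Reachable' } else { 'Blocked between client and server' }
        }
    }
}

# Constructed sample of PortQry output, so the parser can be tried offline.
$sample = @(
    'UUID: 00000000-0000-0000-0000-000000000001 (constructed)',
    'ncacn_ip_tcp:192.168.1.201[49664]',
    'ncacn_np:192.168.1.201[\\pipe\\example]',
    'ncacn_ip_tcp:192.168.1.201[49703]',
    'ncacn_ip_tcp:192.168.1.201[49664]'
)
Get-RpcTcpPort -PortQryOutput $sample
```

Against a live host, pass the real tool output instead of the sample: Test-RpcPath -ComputerName 192.168.1.201 -DynamicPort (Get-RpcTcpPort (PortQry.exe -e 135 -n 192.168.1.201)).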
Certificate Enrollment Error – 0x800706ba The RPC server is unavailable
If you are facing an error The RPC server is unavailable 0x800706ba when performing the automatic registration of a certificate on a domain controller or in a certification authority, you can find the following error event in the Event Viewer > Application log on the server:
Source: CertificateServicesClient-CertEnroll Event ID: 13
Certificate enrollment for the Local system failed to enroll for a DomainController certificate with request ID N/A from ServerCA.contoso.com ServerCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722))
Or:
Source: CertificateServicesClient-AutoEnrollment EventID: 6
Automatic certificate enrollment for the local system failed (0x800706ba) The RPC server is unavailable.
When you try to enroll the certificate you can see the following message:
An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
In this case, the domain controller or other client fails to enroll for certificates from the CA.
This problem can have several solutions, but in most cases, the source of the problem is that your computer is not a member of the DCOM access group (allows access to the certificate service via DCOM) or incorrect permissions are issued. This most commonly occurs when the CA is installed on a DC.
Follow these steps:
- On the domain controller on which the certification service is deployed, you need to make sure there is an Active Directory group CERTSVC_DCOM_ACCESS or Certificate Service DCOM Access.
Note. If the CERTSVC_DCOM_ACCESS security group has been accidentally deleted, open the ADUC console and manually create it in the Users container (Group scope: Domain local, Group type: Security).
- Add the following domain groups to the CERTSVC_DCOM_ACCESS/Certificate Service DCOM Access group: Domain Users, Domain Controllers, Domain Computers;
- Update the DCOM security settings on the server with the CA role using the commands:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc & net start certsvc
- On a server where the CA is deployed, check the COM security permissions. This group must have Remote Access and Remote Activation permissions allowed;
- After that, try to restart the computer and check the certificate enrollment.
Then check the DCOM Permissions on the server running the CA role. In some cases, even if RPC is configured correctly, incorrect DCOM permissions can block remote authentication.
- Run the command dcomcnfg.exe;
- Expand the section Component Services > Computers > My computer;
- Open the properties of My computer, go to the Default Properties tab, and ensure that the option Enable Distributed COM on this computer is checked;
- Then navigate to the COM Security tab and click on the Edit Limits button in the Access Permissions section. Check that the Certificate Service DCOM Access security group has Local Access and Remote Access permissions;
- Then click the Edit Limits button in the Launch and Activation Permission section and check that the Certificate Service DCOM Access group is allowed for Local Activation and Remote Activation.
If the above solution doesn’t work, use the nltest command to identify problems with netlogon calls to a domain controller:
Nltest /Server:dc01 /query
Then check that the Active Directory CA request interface is responding:
Certutil -ping
Server “test-DC01-CA” ICertRequest2 interface is alive (62ms)
CertUtil: -ping command completed successfully.
In order to trigger the renewal of a certificate on the CA, run the following command:
certutil -pulse
If you receive the error “Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)” from the non-domain joined computer, ensure that the “Authenticated Users” group is added to the “Certificate Service DCOM Access” group on the CA server.
RPC Server Unavailable Error when Updating Group Policy Settings
When you remotely update Group Policy settings on domain computers from the Group Policy Management Console (gpmc.msc), you may receive error codes 8007071a: The remote procedure call was canceled and 800706ba: The RPC server is unavailable.
To resolve this issue, you must enable the following rules in Windows Defender Firewall:
- Remote Scheduled Tasks Management (RPC);
- Remote Scheduled Tasks Management (RPC-EPMAP);
- Windows Management Instrumentation (ASync-In);
- Windows Management Instrumentation (DCOM-In);
- Windows Management Instrumentation (WMI-In);
- Windows Remote Management (HTTP-In).
You can create a new GPO and enable these rules manually (Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall > Inbound Rules).
Or you can activate the following default Starter GPOs:
- Group Policy Remote Update Firewall Ports;
- Group Policy Reporting Firewall Ports.
These policies contain all the necessary Windows Defender Firewall rules to remotely update Group Policy settings.
Go to the Starter GPOs section, click on each of the items, and select New GPO from Starter GPO. Create new GPOs and assign them to Organizational Units with target computers or servers.
After a while, try a remote Group Policy update. The error should disappear.
10 comments
Bingo! Thanks!
Thanks! Fixed my issue
When you say make sure one of the 2 listed domain security groups…where does that group need to have permissions granted? Just adding the group to the domain isn’t going to do anything.
Mine passes the nltest fine but when running the certutil -ping on the CA it passes but from any other server it does not. I get the following error:
CertUtil: No local Certification Authority: use -config option
CertUtil: -ping command FAILED: 0x80070103 (WIN32/HTTP: 259 ERROR_NO_MORE_ITEMS)
CertUtil: No more data is available.
Same result
Thank you so much for the share. Was looking for a solution for this issue for a while and this is the only doc I found that gave me the key!
netstat -ano | find '"135"'
You need double quotes when piping to find.
Spent a day chasing this error.
I had a happily working Certificate server for nine years and it suddenly fell over.
Went down the RPC server unavailable rabbithole
However it was resolved by checking through the autoenrollment settings.
I had configured them in a GPO for a Wifi that was old so I deleted it, not realising I would also delete the autoenrollment
Once they were reinstated the RPC error disappeared
Thank you this worked. Internal Certificate Authority running on a domain controller for 5 years without issue and today after the root certificate expired things broke. Reissued a new root certificate but still broken until I went through the steps here and it fixed the issue. Certificate Authority is now issuing certificates again.
Thank you for this. I have, I think, gone over all these steps. I cannot find any security group called “COM” in my 2019 Active Directory though?
thanks for any help
Thanks a bunch.
We had to upgrade a CA server 2012 r2 to 2019 (not ideal, we know) and the RPC error happened and updating the DCOM security settings fixed it.