Tags: 0x800706ba, active directory, certificate, domain certificate, entreprise
#16
Re: Domain certificate error
In a multi-site scenario, I suggest, as does the consensus, using itself as the first DNS entry and the other one as the second entry; otherwise all initial queries will be hitting the first entry across the WAN link. Good you removed the loopback. That was put in by dcpromo.
|
#17
Thank you for posting this info. All the errors indicate the CA is not resolvable or responding. Follow Jorge's suggestions. Also, I was curious about this part, but I didn't see it in your response:

Can you connect to the CA using a browser? If you can, you can request a cert.
https://dcshdct02 or http://dcshdct02

Oops, I also missed that important part about http; https access...

I figured that would be the easiest way to tell if it's working. :-)
|
#18
Re: Domain certificate error
To answer your question, I can access http://dcshdct02/certsrv but not https://dcshdct02/certsrv. I already tried to request a cert, but I don't see any domain cert! I see a strange behavior. If I connect to a DC with my administrator login and then try to connect to the URL http://dcshdct02/certsrv, I see the web page directly. But if I try this on dcitdct01, I need to enter my credential info! Maybe that could be the problem! Do you have any idea?
|
#19
Re: Domain certificate error
I did exactly what you said, but I always get the two errors:

First: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from APSHDCT02.audemarspiguet.local\audemarspiguet-APSHDCT02-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

Second: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
|
#20
Re: Domain certificate error
Using the URL with the NetBIOS name while logged on as Domain Admin, you should immediately get the page without logging on. This is the Windows Authentication portion doing it in IIS. Now if you are getting prompted from the other DC, then something else is going on. But if you don't see a domain cert, and I can't remember if that is normal or not since it should automatically be enrolled using your GPO policy, it may be indicative of a CA misconfiguration when you set it up.

What article or publication did you follow to set this all up? Due to the many pieces of a CA, autoenrollment, etc., it would be quite a bit of effort to go through what steps you took to install the CA and configure the GPO, how you set up permissions on the template, and other specifics. Maybe I can offer the following links. I hope they help.

Certificate Autoenrollment in Windows Server 2003
Supported Hardware (Certificate Autoenrollment in Windows Server 2003) ... Configuring Group Policy · User Autoenrollment · Certificate Renewal ...
http://technet.microsoft.com/en-us/l...54(WS.10).aspx

Install Windows Server 2003 CA
How can I install the Certificate Authority (CA) service in Windows Server 2003? Windows Server 2003 can be used as a Certificate Authority (also known as.
http://www.petri.co.il/install_windo...er_2003_ca.htm

Installing and Configuring Windows Server 2003 Enterprise ...
Installing and Configuring Windows Server 2003 Enterprise Certification Authority. Topic Last Modified: 2005-05-19. The first step in setting up your lab is ...
http://technet.microsoft.com/en-us/l...EXCHG.65).aspx

How can I enable digital certificate autoenrollment in Windows ... (Brief overview)
Dec 5, 2005 ... A. Autoenrollment is available to Windows 2003 and Windows XP domain ... Next you need to enable the Group Policy for the autoenrollment. ... (You can also view Failed Requests in the Certificate Authority MMC snap-in. ...
http://windowsitpro.com/article/arti...rver-2003.html

Alex Tcherniakhovski - Security : Certificate auto-enrollment ...
Jul 3, 2007 .... For the most part configuring certificate auto-enrollment is a fairly .... but require CA to be running on Windows 2003 Server Enterprise Edition. .... In the GPO where the hosts reside configure the following setting ...
http://blogs.msdn.com/alextch/archiv...utoenroll.aspx
|
#21
I forgot to add, the RPC Unavailable error will be part of the issue. You said you disabled the firewall and allowed all ports, correct? As for not being able to connect by https:// (with the 's'), that means you never created or added an SSL cert in IIS. As I mentioned earlier, RPC errors such as this mean there is a communication block or DNS lookup issue. I assume DNS has the DCs listed, so I think there is a block going on elsewhere.

And if you add "http://dcshdct02/certsrv" to the Local Intranet Web Sites trust on dcitdct01? I already saw this error, but the problem was related to cached credentials on the requester... Can you check that, please?
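
The causes named in the post above (a DNS lookup issue, a communication block, and missing https access) can be checked in one pass from the DC that fails to enroll. This PowerShell script is an added example, not part of the original thread; it assumes the CA host and config string quoted in the error text of post #19, and `New-CheckResult` and `Test-TcpPort` are hypothetical helper names.

```powershell
# Added example (not from the thread): run on the DC that fails to autoenroll.
# CA host and config string are copied from the error quoted in post #19.
$CaHost   = 'APSHDCT02.audemarspiguet.local'
$CaConfig = $CaHost + '\audemarspiguet-APSHDCT02-CA'

function New-CheckResult($Check, $Ok, $Detail) {   # hypothetical helper
    New-Object psobject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; $true only if the handshake completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = @()

# 1. DNS lookup issue? Resolve the CA name from this machine's own resolver.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($CaHost)
    $results += New-CheckResult 'DNS lookup' $true ($addrs -join ', ')
} catch {
    $results += New-CheckResult 'DNS lookup' $false $_.Exception.Message
}

# 2. Communication block? 135 is the RPC endpoint mapper; 80/443 serve /certsrv.
foreach ($port in 135, 80, 443) {
    $open = Test-TcpPort $CaHost $port
    $results += New-CheckResult "TCP $port" $open $(if ($open) { 'connected' } else { 'refused or filtered' })
}

# 3. End to end: certutil -ping calls the CA's certificate request interface,
#    which also exercises the dynamic RPC port that a test of 135 alone misses.
$out = & certutil.exe -config $CaConfig -ping 2>&1
$results += New-CheckResult 'certutil -ping' ($LASTEXITCODE -eq 0) (($out | Select-Object -Last 2) -join ' ')

$results | Format-Table Check, Ok, Detail -AutoSize -Wrap
```

A row where TCP 135 connects but `certutil -ping` fails points at the dynamic RPC port range or the CA service itself rather than at DNS.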
|
#22
Re: Domain certificate error
Good point. I forgot. :-) Possibly run in a cmd prompt to check what credentials are stored:

control keymgr.dll

However, I don't think it's in there. Maybe clear and restart IE?
|
#23
Re: Domain certificate error
In fact, I saw my user in the Credential Manager! I removed it and restarted IE... without success! I always need to enter my credentials! To be honest, I think that when I did the dcpromo, like another server, something went wrong! I'll try to demote my DC, remove my DNS server, reboot it and do a dcpromo again.
|
#24
Re: Domain certificate error
You've been wrestling with this for over two weeks now. Have you possibly considered calling Microsoft PSS for assistance to get this resolved? A single call and they can resolve everything associated with this issue in one ticket. Just make sure you state everything in the ticket so they all get resolved. |