Understanding something in AD CS

Mabrito

Working on trying to figure out some items in Active Directory Certificate Services.

I stood up a new test/development domain with two DC's and installed AD CS on one of the controllers (not recommended, I know, but I'm practicing for an AD CS migration). Both DC's have an issued certificate granted to them from the "Domain Controller" certificate template. This was all automatic; I did nothing and set up nothing for the two DC's to automatically request and be issued a certificate.

Looking at the production domain, there are two DC's and one of the DC's has AD CS installed on it. Only one of the DC's has an issued certificate granted to it in the "Issued Certificates" container...the other one does not.

Shouldn't the other DC have an issued certificate in AD CS? What caused the newly stood up domain/AD CS instance to issue Domain Controller certificates automatically?

Comparing the GPO's for Auto-enrollment, I see no options in either of them.
 
I did discover errors in the Event Log:

Event ID: 82 - Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {61B8511A-9BFE-46A8-90D5-FB1709DADB2D} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for template: DomainController

Event ID 13 - Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from FQDN of CA\CA Name (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

Event ID 6 - Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.

The DC trying to request the certificate is a newly installed 2012 R2 DC...not sure if this has anything to do with it.
 
Try disabling the Windows Firewall on the ADCS server and see if that changes anything. If it does, then you need to figure out the correct ports/services to allow through the firewall so you can turn it back on.
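An added example (not posted by anyone in this thread) of what to run on the DC that is not getting a certificate before opening up the firewall: it pulls the three event IDs quoted above, tests the RPC endpoint mapper on the CA, does a full RPC ping of the CA service, and checks whether a DomainController-template certificate is already in the machine store. The CA config string is a placeholder you replace with your own host\CA name.

```powershell
# Added example, not from the thread. $CAConfig is a placeholder: replace it with
# "<CA host FQDN>\<CA common name>" (the value certutil shows under "Config").
param(
    [string]$CAConfig = 'ca01.example.test\Example-Test-CA'   # placeholder value
)

$caHost = $CAConfig.Split('\')[0]

# 1. Recent autoenrollment/enrollment errors: IDs 6, 13 and 82 from the thread.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 6, 13, 82 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-CertificateServicesClient*' }
$events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# 2. Can this DC reach the RPC endpoint mapper on the CA? RPC/DCOM enrollment starts on
#    TCP 135 and is then redirected to a dynamic high port, so a rule that only allows
#    135 still leaves enrollment failing with RPC_S_SERVER_UNAVAILABLE.
$epm = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue
'TCP 135 to {0}: {1}' -f $caHost, $(if ($epm.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })

# 3. Full RPC round trip to the CA service itself; this is the call autoenrollment makes.
certutil -config $CAConfig -ping

# 4. Is a certificate from the DomainController template already in LocalMachine\My?
#    v1 templates carry the template name in extension OID 1.3.6.1.4.1.311.20.2;
#    assumption: Format() renders that extension as the template name.
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -and $_.Format($false) -match 'DomainController'
    }
}
if ($dcCerts) { $dcCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize }
else { 'No DomainController-template certificate in LocalMachine\My.' }

# 5. Once TCP 135 and the dynamic RPC range (TCP 49152-65535 by default on 2008 and later)
#    are allowed from this DC to the CA, trigger autoenrollment now rather than waiting
#    for the next 8-hour autoenrollment run:
# certutil -pulse
```

If step 2 succeeds but step 3 still reports the RPC server is unavailable, the dynamic port range is the usual culprit.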
 
I don't believe the Microsoft CA will issue the cert automatically to all DCs. I think you have to go into the other DC, MMC/Certificates and request one.
 