Assume the following scenario:
- One installs a Network Device Enrollment Service (NDES) server
- One has the necessary permissions to install the role (local administrator, enterprise administrator)
- The role configuration fails with the following error message:
Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)
The Network Device Enrollment Service (NDES) provides a way for devices that have no identity in Active Directory (for example network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
This error does not originate on the NDES server but on the certification authority: the NDES role configuration restarts the certification authority service during configuration.
Cause
The NDES installation routine publishes two certificate templates on the certificate authority:
- Exchange Enrollment Agent (Offline request)
- CEP Encryption
Furthermore, the registry configuration of the certification authority is changed so that the OID 2.5.4.5 is entered in the SubjectTemplate value.
The configuration changes become active only after restarting the certification authority service.
If auditing of the start and stop of the certification authority service is configured on the certification authority, a checksum of the certification authority database is created each time one of these events is triggered (i.e. twice when the service is restarted).
The certification authority writes events 4880 and 4881 to the event log for this.
Once the certification authority database reaches a certain size, generating these checksums can take longer than the NDES installation routine is willing to wait: it times out and throws the error message that it can no longer communicate with the certification authority.
For this reason, the certification authority even explicitly warns against activating this audit setting.
Unless you actually need it, it is recommended not to enable this audit setting. After disabling it and restarting the certification authority service, the NDES role configuration should complete successfully.
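The check and the change described above as a PowerShell script (an added example, not code from the original article). It reads the CA's AuditFilter bitmask from the CertSvc registry configuration, reports which audit categories are enabled, and with -Apply clears only the "Start and stop" bit before restarting the service; the bit-to-category mapping is the one the Certification Authority console's Auditing tab uses, and the script assumes it runs as a local administrator on the CA itself.

```powershell
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports; with it, the bit is cleared
)

# AuditFilter bit meanings (Certification Authority console, Auditing tab)
$AuditBits = [ordered]@{
    0x01 = 'Start and stop Active Directory Certificate Services'
    0x02 = 'Back up and restore the CA database'
    0x04 = 'Issue and manage certificate requests'
    0x08 = 'Change CA configuration'
    0x10 = 'Change CA security settings'
    0x20 = 'Store and retrieve archived keys'
    0x40 = 'Revoke certificates and publish CRLs'
}
$StartStopBit = 0x01

# The active CA's settings live under this key; the "Active" value names the CA.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$filter    = (Get-ItemProperty -Path (Join-Path $configKey $caName) -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
if ($null -eq $filter) { $filter = 0 }

Write-Host ("CA '{0}': AuditFilter = 0x{1:X2}" -f $caName, $filter)
foreach ($bit in $AuditBits.Keys) {
    if ($filter -band $bit) { Write-Host ("  [x] {0}" -f $AuditBits[$bit]) }
}

if (-not ($filter -band $StartStopBit)) {
    Write-Host 'Start/stop auditing is not enabled; nothing to change.'
    return
}

# Clear only the start/stop bit; every other audit category stays as it is.
$newFilter = $filter -bxor $StartStopBit
Write-Host ("Start/stop auditing is enabled; new AuditFilter would be 0x{0:X2}" -f $newFilter)

if ($Apply) {
    # certutil writes CA\AuditFilter; the CA picks the value up only after a restart.
    & certutil.exe -setreg CA\AuditFilter $newFilter | Out-Null
    Restart-Service -Name CertSvc
    Write-Host 'AuditFilter updated and CertSvc restarted; re-run the NDES role configuration.'
}
```

Run it without -Apply first to see the effective filter; the stop half of the restart may still be slow, because the running service still audits with the old setting, and the database checksum is still computed once more at that point.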
Workaround: Install NDES without role configuration wizard
There is an option to install the NDES role without the role configuration wizard. This avoids the conditions that trigger the error described above. How to install NDES manually is described in the article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions". Please note that the method described there is not supported by the manufacturer, so you will not get product support in case of error.
Related links:
- Performance problems with auditing of "Start and stop Active Directory Certificate Services".
- Configuration of security event monitoring (auditing settings) for certification authorities
- Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions
External sources
- Installing NDES restarts CertSvc service on target CA server (Microsoft, archive.org)