Read Only Domain Controller

Assume the following scenario:

A certificate-based login is performed with user or computer accounts to connect them to a wireless (IEEE 802.11 or Wireless LAN) or wired network (IEEE 802.3), or a remote access connection (e.g. DirectAccess, Routing and Remote Access (RAS), Always on VPN) to register.
The company uses Microsoft's Network Policy Server (NPS) as its Authentication, Authorization and Accounting (AAA) server.
Logging on to the network is no longer possible.
The network policy server logs the following event when a login attempt is made:

Network Policy Server denied access to a user. [...] Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The network policy server has denied access to a user. [...] Authentication error due to mismatch of user credentials. The specified username is not associated with an existing user account, or the password was incorrect.

Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates: EnrollmentAgentOffline CEPEncryption IPSEC(Offline request) A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)

Tag: Read Only Domain Controller

Logins via the Network Policy Server (NPS) fail with reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers