Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server
  • One has the necessary permissions to install the role (local administrator, enterprise administrator)
  • The role configuration fails with the following error message:
    Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

This error does not occur on the NDES server, but on the certification authority. The NDES role configuration restarts the certification authority service during configuration.

Cause


The NDES installation routine publishes two certificate templates on the certificate authority:

  • Exchange Enrollment Agent (Offline request)
  • CEP Encryption

Furthermore, the registry configuration of the certification authority is changed so that the OID 2.5.4.5 is added to the SubjectTemplate value.

The configuration changes become active only after restarting the certification authority service.

If auditing of the start and stop of the certification authority service is configured on the certification authority, a checksum of the certification authority database is computed each time one of these events is triggered (i.e. twice when the service is restarted).

The certification authority writes the events 4880 (service started) and 4881 (service stopped) to the event log.

Once the certification authority database reaches a certain size, generating these checksums can take longer than the NDES installation routine is prepared to wait: it times out and reports that it can no longer communicate with the certification authority.

For this reason, the Certification Authority even explicitly warns against activating this audit setting.

Unless you actually need it, it is recommended not to enable this audit setting. After disabling it and restarting the certification authority service, the NDES role configuration should complete successfully.
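To check for this condition on the certification authority before running the NDES wizard, here is an added PowerShell script (not from the original article). It assumes it runs on the CA server with local administrator rights, that the AD CS registry values use their default names, and that the Security log is readable; the optional -Remediate switch clears only the start/stop audit bit and restarts the service.

```powershell
# Added example (not part of the original article): reports whether start/stop
# auditing (the bit that triggers CA database hashing) is enabled, how large the
# CA database is, and how long recent service restarts took. Run on the CA server.
[CmdletBinding()]
param([switch]$Remediate)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path -Path $cfg -ChildPath $caName

# AuditFilter is a bitmask; 0x01 = "Start and stop Active Directory Certificate Services"
$StartStopAuditBit = 0x01
$auditFilter = [int](Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
$startStopEnabled = ($auditFilter -band $StartStopAuditBit) -ne 0
"CA '{0}': AuditFilter = 0x{1:X2}, start/stop auditing enabled = {2}" -f $caName, $auditFilter, $startStopEnabled

# After a successful NDES configuration the OID 2.5.4.5 appears in SubjectTemplate
$subjectTemplate = (Get-ItemProperty -Path $caKey -Name SubjectTemplate -ErrorAction SilentlyContinue).SubjectTemplate
"SubjectTemplate: " + ($subjectTemplate -join ', ')

# Size of the CA database: the larger it is, the longer the checksum takes to compute
$dbDir = (Get-ItemProperty -Path $cfg -Name DBDirectory).DBDirectory
Get-ChildItem -Path $dbDir -Filter '*.edb' | ForEach-Object {
    "Database {0}: {1:N0} MB" -f $_.Name, ($_.Length / 1MB)
}

# Recent 4881 (stopped) -> 4880 (started) pairs; these events only exist if the
# audit setting is on, and the gap between them shows how slow a restart is
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880, 4881 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Sort-Object -Property TimeCreated
for ($i = 1; $i -lt $events.Count; $i++) {
    if ($events[$i - 1].Id -eq 4881 -and $events[$i].Id -eq 4880) {
        $gap = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
        "Stopped {0:u} -> started {1:u}: {2:N0} s" -f $events[$i - 1].TimeCreated, $events[$i].TimeCreated, $gap.TotalSeconds
    }
}

if ($Remediate -and $startStopEnabled) {
    # Clear only the start/stop bit; all other audit categories stay as configured
    $newFilter = $auditFilter -band (-bnot $StartStopAuditBit)
    & certutil.exe -setreg 'CA\AuditFilter' $newFilter | Out-Null
    Restart-Service -Name CertSvc
    "AuditFilter set to 0x{0:X2}; CertSvc restarted" -f $newFilter
}
```

Run it once without -Remediate to see the current state, then with -Remediate on the CA before re-running the NDES role configuration.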

Workaround: Install NDES without role configuration wizard

There is an option to install the NDES role without the role configuration wizard. This bypasses the steps that trigger the error described above, because the wizard's configuration changes and the restart of the certification authority service are not performed. How to install NDES manually is described in the article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions". Please note that the method described there is not supported by the manufacturer, so you will not get product support in case of error.
