Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

• One installs a Network Device Enrollment Service (NDES) server
• One has the necessary permissions to install the role (local administrator, enterprise administrator)
• The role configuration fails with the following error message:

Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

This error does not occur on the NDES server, but on the certification authority. The NDES role configuration restarts the certification authority service during configuration.

The NDES installation routine publishes two certificate templates on the certificate authority:

• Exchange Enrollment Agent (Offline request)
• CEP Encryption

Furthermore, the registration of the certification authority is configured so that the OID 2.5.4.5 is entered in the SubjectTemplate value.

The configuration changes become active only after restarting the certification authority service.

If auditing of the start and stop of the certification authority service is configured on the certification, a checksum of the certification authority database is created when these events are triggered (i.e. twice when the service is restarted).

The Certification Authority will record the events 4880 and 4881 write to the event log.

When the certification authority database reaches a certain size, the process of generating these checksums can take longer than the NDES installation routine waits - it times out and throws the error message that it can no longer communicate with the certification authority.

For this reason, the Certification Authority even explicitly warns against activating this audit setting.

Unless you benefit from it, it is recommended not to set this setting. After disabling it and restarting the Certificate Authority Service, the NDES installation should now work successfully.

Workaround: Install NDES without role configuration wizard

There is an option to install the NDES role without the role configuration wizard. Accordingly, the requirements that can trigger the previously described error are then omitted. How to install NDES manually is described in the article "Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions". Please note that the method described there is not supported by the manufacturer, so you will not get product support in case of error.

Related links:

• Performance problems with auditing of "Start and stop Active Directory Certificate Services".
• Configuration of security event monitoring (auditing settings) for certification authorities
• Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions

External sources

• Installing NDES restarts CertSvc service on target CA server (Microsoft, archive.org)