Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers

Assume the following scenario:

  • The Network Device Enrollment Service (NDES) is to be implemented in the network.
  • Read Only Domain Controllers (RODC) are located at the Active Directory site of the NDES server.
  • NDES role configuration fails with the following error message:
Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates:
IPSEC(Offline request)
A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the application of policies to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded from GitHub and used free of charge.

The NDES installation routine modifies, among other things, the certificateTemplates attribute on the pKIEnrollmentService object of the selected certification authority.

Read-only domain controllers do not accept such write operations; they merely return a referral to a writeable domain controller. It is therefore the task of the client (in this case the NDES installation routine) to follow that referral, but the installation routine does not do so, because this behaviour is simply not implemented.

Once again you can see that NDES has not been further developed since Windows Server 2003 and that the Active Directory Certificate Services require more and more workarounds as they get older.

One possible solution is to install the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions. In this case the installation routine skips the Active Directory changes, and the required adjustments can be made (or deliberately omitted) manually by the administrator.
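As an added example (not code from the original article), the following PowerShell script performs the step the installer fails on by hand: it adds the template to the certificateTemplates attribute of the CA's pKIEnrollmentService object while pinning every LDAP call to a writeable domain controller, so an RODC referral never comes into play. It assumes the RSAT ActiveDirectory module is installed and that the caller has write access to the CA object; the CA name is a placeholder, and IPSECIntermediateOffline is the common name behind the "IPSec (Offline request)" display name from the error message.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original article.
param(
    # Common name of the CA's pKIEnrollmentService object (placeholder, replace with your CA name).
    [Parameter(Mandatory)] [string] $CaCommonName,
    # cn values of the templates to publish. The NDES defaults are
    # IPSECIntermediateOffline, EnrollmentAgentOffline and CEPEncryption.
    [string[]] $TemplateCn = @('IPSECIntermediateOffline')
)

Import-Module ActiveDirectory

# Discover a writeable DC explicitly instead of letting the client pick the local RODC.
$dcObj = Get-ADDomainController -Discover -Writable -Service ADWS
$dc = ($dcObj.HostName | Select-Object -First 1)
Write-Host "Using writeable domain controller: $dc"

# Enrollment Services and Certificate Templates live in the forest configuration partition.
$configNc  = (Get-ADRootDSE -Server $dc).configurationNamingContext
$pkiBase   = "CN=Public Key Services,CN=Services,$configNc"
$caDn      = "CN=$CaCommonName,CN=Enrollment Services,$pkiBase"

$ca = Get-ADObject -Identity $caDn -Server $dc -Properties certificateTemplates

foreach ($cn in $TemplateCn) {
    # Fail early if the template does not exist in the forest (throws if not found).
    $null = Get-ADObject -Identity "CN=$cn,CN=Certificate Templates,$pkiBase" -Server $dc

    if ($ca.certificateTemplates -contains $cn) {
        Write-Host "Template $cn is already published on $CaCommonName, skipping."
        continue
    }

    # Write goes to the writeable DC, so no referral is returned.
    Set-ADObject -Identity $caDn -Server $dc -Add @{ certificateTemplates = $cn }
    Write-Host "Published template $cn on $CaCommonName."
}

# Read back the result from the same DC to confirm the change.
(Get-ADObject -Identity $caDn -Server $dc -Properties certificateTemplates).certificateTemplates
```

Publishing the template is only the attribute change the article describes; the Enroll permission for the NDES service account on each template (the "security settings" part of the error message) still has to be granted separately in the template's ACL.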
