Unable to install Network Device Enrollment Service (NDES) at a site with read-only domain controllers

Assume the following scenario:

• A network device registration service (NDES) is to be implemented in the network.
• Read Only Domain Controllers (RODC) are located at the Active Directory site of the NDES server.
• NDES role configuration fails with the following error message:

Failed to add the following certificate templates to the enterprise Active Directory Certificate Service or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC(Offline request)
A referral was returned from the server. 0x8007202b (WIN32:8235 ERROR_DS_REFERRAL)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

The NDES installation routine modifies among other things the certificateTemplates attribute on the pKIEnrollmentService object of the selected certification authority.

Read-only domain controllers merely refer the client to writeable domain controllers for such operations. It is therefore the task of the client (in this case the NDES installation routine) to also follow this reference, but this is not done in this case (since it is not implemented).

Once again you can see that NDES has not been further developed since Windows Server 2003 and that the Active Directory Certificate Services require more and more workarounds as they get older.

One possible solution is, install the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions, since the required adjustments can be made or omitted by the user in this case.

Related links:

• Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions
• Network Device Enrollment Service (NDES) Basics
• Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
• Limits of Microsoft Active Directory Certificate Services

External sources

• Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES) (Microsoft Corporation)
• NDES installation fails (Microsoft TechNet Forums)