Installing NDES restarts CertSvc service on target CA server
During the installation of NDES, two certificate templates (“Exchange Enrollment Agent (Offline request)” and “CEP Encryption”) are added to the list of templates that the target CA is allowed to issue certificates from.
The registry on the target CA server is also modified: 'DeviceSerialNumber' (OID 2.5.4.5) is added to the SubjectTemplate list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\SubjectTemplate.
The CA doesn't read the updated registry entry until the CertSvc service is restarted, which is why the NDES installation restarts that service during setup (whether the CA is on the same box or on a different machine).
This can in turn cause the NDES setup to fail: after initiating the restart, the installer waits only a limited time for the CertSvc service to start answering RPC calls again, and if the total stop/start time of the service exceeds that timeout, the installer gives up.
Example: you have a certificate database that is several gigabytes in size (15 GB, for example) and you turn on auditing on the CA server for Service Start/Service Stop.
With that auditing enabled, AD CS calculates a hash of the CA database during both startup and shutdown, which increases the time required for both operations.
During that period the service reports as up and running, but the RPC interface won't become active until the hashing is complete.
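A pre-flight check you can run on the target CA before installing NDES, as an added example that is not part of the original post: it reads the SubjectTemplate value, checks whether start/stop auditing (AuditFilter bit 0x1) is on, measures the database, and times a CertSvc restart until the RPC interface answers again. It assumes the CA is the local machine and that you run it elevated in a maintenance window, since step 4 really restarts the service.

```powershell
# Added pre-flight check (not from the original post). Run elevated on the target CA
# BEFORE installing NDES to see whether the CertSvc restart that the NDES setup
# triggers is likely to outrun the installer's RPC wait.
# Assumption: the CA is the local machine; adjust $config for a remote CA.

$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $regBase).Active        # name of the active CA
$caReg   = Join-Path $regBase $caName
$config  = "$env:COMPUTERNAME\$caName"                     # certutil -config string

# 1. Is DeviceSerialNumber (OID 2.5.4.5) already in the SubjectTemplate list?
#    If it is, the NDES setup still restarts CertSvc, but nothing new is written.
$subjectTemplate = (Get-ItemProperty -Path $caReg).SubjectTemplate
$hasSerial = $subjectTemplate -contains 'DeviceSerialNumber'
"SubjectTemplate contains DeviceSerialNumber: $hasSerial"

# 2. Is 'Start and stop Active Directory Certificate Services' auditing enabled?
#    AuditFilter bit 0x1 turns it on; with it set the CA hashes its database
#    on every start and stop, which is what lengthens the restart.
$auditFilter    = [int](Get-ItemProperty -Path $caReg).AuditFilter
$startStopAudit = ($auditFilter -band 0x1) -ne 0
"Start/stop auditing enabled: $startStopAudit"

# 3. How large is the database the CA would hash? (<CA name>.edb in DBDirectory)
$dbDir   = (Get-ItemProperty -Path $caReg).DBDirectory
$dbBytes = (Get-ChildItem -Path $dbDir -Filter '*.edb' |
            Measure-Object -Property Length -Sum).Sum
"CA database size: {0:N2} GB" -f ($dbBytes / 1GB)

# 4. Time a full restart until the RPC interface answers again, which is what the
#    NDES installer waits for. The service may report Running well before this.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
Restart-Service -Name CertSvc
do {
    Start-Sleep -Seconds 2
    & certutil.exe -ping -config $config | Out-Null
} while ($LASTEXITCODE -ne 0 -and $sw.Elapsed.TotalMinutes -lt 30)
$sw.Stop()
"CertSvc restart until RPC answered: {0:N0} s (certutil exit code {1})" -f `
    $sw.Elapsed.TotalSeconds, $LASTEXITCODE
```

If the measured restart time is long, either disable start/stop auditing for the duration of the NDES installation or compact the CA database first, then re-run the check.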
Further reading:
Best Practices for Deploying and Using the Network Device Enrollment Service
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Event ID 19 — AD CS Registry Settings
http://technet.microsoft.com/en-us/library/dd338542(v=ws.10).aspx
Comments
Anonymous
January 01, 2003
yeah, good point

Anonymous
December 12, 2012
Also can be problematic if you cluster the target CAs...

Anonymous
March 11, 2013
Also a problem with certain HSM configs.