During the installation of NDES, two certificate templates (“Exchange Enrollment Agent (Offline request)” and “CEP Encryption”) are added to the list of templates that the target CA is allowed to issue certificates from. The registry on the target CA server is also modified to add 'DeviceSerialNumber' with the OID 188.8.131.52 to the 'SubjectTemplate' list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\SubjectTemplate.
The CA service does not read the updated registry entry until CertSvc is restarted, which is why the NDES installation initiates a restart of that service during setup (regardless of whether the CA is on the same box as NDES or on a different machine).
This can in turn cause the NDES setup to fail if the total stop/start time of CertSvc exceeds the timeout that the NDES installer waits, after initiating the restart, for CertSvc to start answering RPC calls again; once that timeout passes, the installer gives up. Example: you have a certificate database that is several gigabytes in size (15 GB, for example) and you turn on auditing on the CA server for Service Start/Service Stop. Enabling this auditing causes AD CS to calculate a hash of the AD CS database during both startup and shutdown, which increases the time required for both operations. During that period the service is reported as running, but the RPC interface does not become active until the hashing has completed.
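A pre-flight check for the failure mode described above, added here as an example (it is not part of the original post): it restarts CertSvc on the CA, measures how long it takes until the CA's RPC interface actually answers again (as opposed to the service merely showing as Running), and reports the database size and whether the Start/Stop audit flag is set. $CaConfig and $MaxWaitSeconds are assumptions you must supply; the post does not state the NDES installer's own timeout value.

```powershell
# Added example, not from the original post. Run elevated on the CA itself,
# in a maintenance window, because it really does restart CertSvc.
param(
    [string]$CaConfig = "$env:COMPUTERNAME\<CA name>",  # placeholder: host\CA common name
    [int]$MaxWaitSeconds = 900,                          # assumed ceiling, not the NDES timeout
    [int]$PollSeconds = 5
)

function Test-CaRpc {
    # certutil -ping talks to the CA over the same RPC interface NDES setup waits on,
    # so it distinguishes "SCM says Running" from "CA is actually answering".
    & certutil.exe -config $CaConfig -ping 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Context that explains a slow restart: DB size and the Start/Stop audit flag.
$cfg    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dbGB   = [math]::Round(((Get-ChildItem -Path $cfg.DBDirectory -Filter '*.edb' |
            Measure-Object -Property Length -Sum).Sum / 1GB), 2)
$auditFilter = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$($CaConfig.Split('\')[1])").AuditFilter
$startStopAudited = (($auditFilter -band 1) -ne 0)   # AuditFilter bit 1 = start/stop of AD CS

$sw = [System.Diagnostics.Stopwatch]::StartNew()
Restart-Service -Name CertSvc                        # returns once the SCM reports Running
$scmSeconds = [math]::Round($sw.Elapsed.TotalSeconds)

do {
    Start-Sleep -Seconds $PollSeconds
    $rpcUp = Test-CaRpc
} until ($rpcUp -or $sw.Elapsed.TotalSeconds -ge $MaxWaitSeconds)
$sw.Stop()

[pscustomobject]@{
    CaConfig              = $CaConfig
    DatabaseSizeGB        = $dbGB
    StartStopAuditEnabled = $startStopAudited
    SecondsUntilScmRunning = $scmSeconds
    SecondsUntilRpcAnswers = [math]::Round($sw.Elapsed.TotalSeconds)
    RpcAnsweredWithinLimit = $rpcUp
}
```

If SecondsUntilRpcAnswers is far above SecondsUntilScmRunning on a large database with the audit flag set, expect the NDES installer's wait to be the part that fails, and plan the restart (or temporarily disable the Start/Stop audit) before running the NDES setup.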
Best Practices for Deploying and Using the Network Device Enrollment Service
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
Event ID 19 — AD CS Registry Settings
http://technet.microsoft.com/en-us/library/dd338542(v=ws.10).aspx
Also can be problematic if you cluster the target CAs...
yeah, good point
Also a problem with certain HSM configs.