AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates (“Exchange Enrollment Agent (Offline request)” and “CEP Encryption”) are added to the list of templates that the target CA is allowed to issue certificates from.
The registry on the target CA server is also modified: 'DeviceSerialNumber' (OID 2.5.4.5) is added to the SubjectTemplate list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\SubjectTemplate.

The CA does not read the updated registry entry until the CertSvc service is restarted, which is why the NDES installation restarts the service during setup, regardless of whether the CA is on the same box or on a different machine.

This can in turn cause the NDES setup to fail. After initiating the restart, the installer waits a fixed time for the CertSvc service to start answering RPC calls again; if the total stop/start time of the service exceeds that timeout, the installer gives up.

Example:
you have a certificate database that is several gigabytes in size (15 GB, for example) and you turn on auditing on the CA server for Service Start/Service Stop.
Turning on auditing for these events causes AD CS to calculate a hash of the AD CS database during both startup and shutdown, which increases the time required for both operations.
During that period the service is running, but the RPC interface does not become active until the hashing is complete.
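The following PowerShell is an added example, not part of the original post, for checking a CA for the state the NDES setup touches (the SubjectTemplate list, the start/stop audit setting and the database size) and, optionally during a maintenance window, measuring how long CertSvc takes before it answers RPC again after a restart. It assumes it is run elevated on the CA server and relies on the standard CertSvc registry values Active, SubjectTemplate, AuditFilter and DBDirectory.

```powershell
# Added example, not from the original post: inspect a CA for the state NDES setup
# touches and, optionally, measure how long CertSvc takes to answer RPC after a restart.
# Assumption: run elevated on the CA server; 'Active', 'SubjectTemplate', 'AuditFilter'
# and 'DBDirectory' are the standard CertSvc registry values.
param([switch]$MeasureRestart, [int]$TimeoutSec = 600)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active           # name of the active CA
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# 1. NDES setup appends 'DeviceSerialNumber' (OID 2.5.4.5) to this REG_MULTI_SZ;
#    the CA only reads the new list after CertSvc restarts.
$hasSerial = @($ca.SubjectTemplate) -contains 'DeviceSerialNumber'

# 2. AuditFilter bit 0x1 = "Start and stop AD CS"; with it set the CA hashes its
#    database on every start and stop, delaying when RPC begins answering.
$auditStartStop = (($ca.AuditFilter -as [int]) -band 0x1) -ne 0

# 3. Database size drives how long that hashing takes.
$dbBytes = (Get-ChildItem -Path $ca.DBDirectory -Filter *.edb -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum

function Measure-CertSvcRpcReady {
    # Polls 'certutil -ping' until the CA answers RPC; returns seconds elapsed, or -1 on timeout.
    param([string]$Config, [int]$TimeoutSec)
    $sw = [Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSec) {
        certutil.exe -ping -config $Config *> $null
        if ($LASTEXITCODE -eq 0) { return [int]$sw.Elapsed.TotalSeconds }
        Start-Sleep -Seconds 2
    }
    return -1
}

$result = [ordered]@{
    CA                       = $caName
    SubjectTemplateHasSerial = $hasSerial
    AuditServiceStartStop    = $auditStartStop
    DatabaseGB               = [math]::Round($dbBytes / 1GB, 2)
}

if ($MeasureRestart) {
    # Only in a maintenance window: restart CertSvc and time until RPC is reachable again.
    $config = "$env:COMPUTERNAME\$caName"
    Restart-Service -Name CertSvc -Force
    $result['SecondsUntilRpcReady'] = Measure-CertSvcRpcReady -Config $config -TimeoutSec $TimeoutSec
}

[pscustomobject]$result
```

Without -MeasureRestart the script is read-only; a measured restart time that approaches the installer's timeout, together with a large database and the start/stop audit bit set, points at the failure mode described above.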


Further reading:

Best Practices for Deploying and Using the Network Device Enrollment Service
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

Event ID 19 — AD CS Registry Settings
http://technet.microsoft.com/en-us/library/dd338542(v=ws.10).aspx

Comments
  • Also can be problematic if you cluster the target CAs...

  • yeah, good point

  • Also a problem with certain HSM configs.
