Tagged Content List
  • Blog Post: Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2

    Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything for the AskDS blog. I’ve been heads down supporting all the new cool technology from Microsoft. I wanted to see if I could head off some cases coming our way with regard to the whole SHA1 deprecation...
  • Blog Post: Troubleshooting Credential Roaming

    Hi. Jim here again from Directory Services with a follow up to my Understanding Credential Roaming blog post. To review, credential roaming makes it possible to roam the user's credentials in a manageable, secure manner that is ultimately transparent to the user. What follows is a deeper dive into the...
  • Blog Post: iPad / iPhone Certificate Issuance

    Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up. I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can...
  • Blog Post: Certificate Authority disaster recovery steps when smartcard logon is required but no valid CRL can be published

    [Editor’s note: this is a reprinted post from the AD Troubleshooting Blog. If you’re not already a subscriber to that blog, you absolutely need to add it to your feed. Ingolfur is a Sr. Support Escalation Engineer in Sweden and a very smart dude - with rather odd hair - who deserves your attention....
  • Blog Post: Friday Mail Sack: Cluedo Edition

    Hello there folks, it's Ned. I’ve been out of pocket for a few weeks and I am moving to a new role here, plus Scott and Jonathan are busy as #$%#^& too, so that all adds up to the blog suffering a bit and the mail sack being pushed a few times. Never fear, we’re back with some goodness...
  • Blog Post: Friday Mail Sack: 1970’s Conversion Van Edition

    Hello folks, Ned here again with another ridiculously overdue Friday Mail Sack. This week we talk about patching, admin rights, Kerberos, hiring, ADMT, and PKI. Next week we talk about… nothing. I will be out celebrating an Important Wife Birthday™ and unless Jonathan takes pity on you,...
  • Blog Post: Custom Certificate Request in Windows Vista

    James Carr here and I would like to discuss creating a custom certificate request in Windows Vista. When requesting certificates from a Windows 2000/2003 Enterprise Certification Authority, we will use one of the built-in certificate templates. Certificate Templates are used to tell the CA what information...
  • Blog Post: Certificate Concepts

    Hi, Brantley here. I would like to share some information with you about how digital certificates work. Understanding the concepts about how certificates work is important when troubleshooting PKI issues. Let’s start by defining digital certificate: digital certificates are electronic credentials...
  • Blog Post: The Case of the Enormous CA Database

    Hello, faithful readers! Jonathan here again. Today I want to talk a little about Certification Authority monitoring and maintenance. This topic was brought to my attention by a recent case that I had where a customer’s CA database had grown to rather elephantine proportions over the course of...
  • Blog Post: Friday Mail Sack: Get Off My Lawn Edition

    Hi folks, Ned here again. I know this is supposed to be the Friday Mail Sack but things got a little hectic and... ah heck, it doesn't need explaining, you're in IT. This week - with help from the ever-crotchety Jonathan Stephens - we talk about: Multiple WMI Filters LDAP MaxPoolThreads Many...
  • Blog Post: The PDCe with too much to do

    Hi. Mark again. As part of my role in Premier Field Engineering, I’m sometimes called upon to visit customers when they have a critical issue being worked by CTS, needing another set of eyes. For today’s discussion, I’m going to talk you through one such visit. It was a dark and...
  • Blog Post: I’ll take NDES in the DMZ, for 1000 Alex

    Hello. Jim here yet again to talk to you about deploying Windows Server 2008 R2 with the Network Device Enrollment Services (NDES) role in a secure perimeter network. Let's consider the scenario. You have an internal PKI hierarchy consisting of an Offline Root Certificate Authority (CA), a policy CA...
  • Blog Post: Windows 2008 R2 Standard Edition supports Version 2 and 3 Templates

    Chris here again. This time I have a quick post. For those looking for reasons to either implement a PKI or potentially upgrade a PKI to Windows Server 2008 R2, the Standard Edition now supports Version 2 and 3 templates. Prior to Windows Server 2008 R2 the Certification Authority role had to be installed...
  • Blog Post: Certs On Wheels: Understanding Credential Roaming

    Hi. Jim here again from the Directory Services team. Today I will break down some of the core components of credential roaming and how it functions. To secure critical transactions such as signing, encrypting, and decrypting e-mail or authenticating identity, many environments rely on certificates. The...
  • Blog Post: Friday Mail Sack: Barbados Edition

    Hello world, Ned here again. I’m back to write this week’s mail sack – just in time to be gone for the next two weeks on vacation and work travel. In the meantime Jonathan and Scott will be running the show, so be sure to spam the heck out of them with whatever tickles you. This week...
  • Blog Post: Friday Mail Sack: “Who am I kidding, more like Monthly” Edition

    Hi folks, Ned here again with another tri-weekly Friday Mail Sack. This time we talk service auditing, trust creation, certificates and USMT, SYSVOL migration with RODCs, DFS stuff, RPC and firewalls, virtualization, and the zombie corpse of FRS. Shoot it in the head! Trusts prompting for credentials...
  • Blog Post: How to configure the Windows Server 2008 CA Web Enrollment Proxy

    Hi all, Rob here again. I had a case recently where the customer wanted to have the Windows Server 2008 Certificate Authority website loaded on another machine. For those of you that do not know, you can install the Windows Server 2008 CA web site pages on an alternate server from the CA. One reason...
  • Blog Post: Extended Validation support for websites using internal certificates

    Hey all, Rob here again. One feature that is new with Windows Server 2008R2 / Windows 7 is the ability to configure your internal certification authority hierarchy in order to issue certificates that can show as Extended Validation certificates. So for those of you who do not know, this means...
  • Blog Post: Designing and Implementing a PKI: Part I Design and Planning

    The series: Designing and Implementing a PKI: Part I Design and Planning Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation Designing and Implementing a PKI: Part III Certificate Templates Designing and Implementing a PKI: Part IV Configuring SSL for...
  • Blog Post: The Certificate Template Manager Hangs Indefinitely

    Hey ladies and gents, Sean here again. Recently I ran into an issue with Windows Server 2003 that caused the Certificate Template Manager to hang. I’ll discuss the problem and provide solutions so you don’t get stuck wondering what’s going on if this happens to you. First, let’s talk about the symptoms...
  • Blog Post: Designing and Implementing a PKI - Series Wrapup and Downloadable Copies

    Hi all, Ned here again. We usually get asked for a more portable version of our multi-part blog posts so - for once - I am creating it before the yelling starts. Chris’ “Designing and Implementing a PKI” series is included below in a few common file formats: Download in DOX format...
  • Blog Post: Windows Server 2008 R2 CAPolicy.inf Syntax

    Greetings! This is Jonathan again. I was reviewing Chris’ excellent blog post series on designing and implementing a PKI when I realized that it would be helpful to better document the CAPolicy.inf file. The information in this post relies heavily on the information published in the Windows Server...
  • Blog Post: Replacing an Expired DRA Certificate

    Hi, Tom here from the Directory Services team. One of the most common EFS issues we see is for an expired Domain Data Recovery Agent (DRA) certificate. It is also one of the easiest things to resolve. You may have seen the error Recovery Policy for this system contains an invalid recovery certificate...
  • Blog Post: Implementing an OCSP responder: Part II - Preparing Certificate Authorities

    Chris here again. In Part I we covered some of the basics and background information on the reason for the OCSP Responder and a basic understanding of how the OCSP Responder functions. So now we look towards implementing the OCSP Responder. However, before we move forward with the Install of the OCSP...
  • Blog Post: Designing and Implementing a PKI: Part V Disaster Recovery

    The series: Designing and Implementing a PKI: Part I Design and Planning Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation Designing and Implementing a PKI: Part III Certificate Templates Designing and Implementing a PKI: Part IV Configuring SSL for...