Using PowerShell to clear or remove all AIA and CDP entries in Active Directory Certificate Services for Windows Server 2012

  You may have already seen that you can deploy most Windows Server 2012 role services with Windows PowerShell. If you are interested in Active Directory Certificate Services (AD CS), you’ve probably noticed the PowerShell commands for deploying all six available CA roles: AD CS Deployment Cmdlets in Windows PowerShell. You may have also noticed…


Update for SetSPN – Syntax for SetSPN.exe

Breaking guidance change: Although you can use Setspn -A, you should use Setspn -S instead because -S will verify that there are no duplicate SPNs. However, if you are using Windows Server 2003 or earlier, you will not be able to use the -S switch because it is not available for that platform. In the…


Deploying Active Directory Certificate Services (AD CS) PKI two-tier hierarchy

When I was first learning about Active Directory Certificate Services (AD CS), a colleague told me that I should search on Step-by-Step Guide with AD CS. He was right, that was a good place to get started. Starting with Windows Server 2008 R2, the Test Lab Guide concept was introduced. So, if you want to…


The Hyper-V and the virtual floppy shuffle

One of the favorite ice breakers at a computer geek get-together is to talk about your first computer. Hey, I still remember the TRS 80 (which people in the know call the Trash80). If you liked something and you are proud of it and still refer to it as trash, well… So, I am usually…



I was recently alerted to the situation that not all of our Microsoft customers have adjusted their language based on the new branding of Active Directory to include more than just Active Directory Domain Services. For example, people might just be searching for Certificate Services, when we now call it internally Active Directory Certificate Services….


Updates just posted to Active Directory Certificate Services (AD CS) documentation

A few updates were just posted, so I am putting out an FYI post. I should do this more often, so I will! Anyways, here goes: 1. Slowly, but surely, the AD CS documentation is being consolidated into a single download center page: Active Directory Certificate Services (AD CS) Further, you can actually go…


Finding the RIDs in your domain video

Here is a video I shot a while back that demonstrates how to use ADSI Edit to find the number of RIDs remaining in your domain. However, you can do this more quickly by running the following command: dcdiag /test:ridmanager /v | find /i "available RID" How to find the RIDs left in your domain…


Forest schema version 47: Windows Server 2008 R2 Adprep /forestprep

When you run adprep /forestprep, you are updating the Active Directory schema forest version. Several people have asked what the forest schema version is for Windows Server 2008 R2. To learn more about adprep and forestprep and schema versions, read Running Adprep.exe. If you run adprep /forestprep for Windows Server 2008 R2, confirm that…


A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server.

A common warning message for anyone who has installed Active Directory on Windows Server 2008 or Windows Server 2008 R2, especially on the first domain controller in a forest or domain, is: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS…


Important Security Update that affects sample pages in AD CS

An important security update, described in MS11-051, was released today. The update fixes a cross-site scripting vulnerability in the sample web enrollment ASP pages that are part of Active Directory Certificate Services Web Enrollment in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Important: Back up any sample web enrollment sample…