New AD CS doc: Migrating a Certification Authority from a CSP to a KSP

Just published: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) – and optionally, migrating from SHA-1 to SHA-2. If you have a CA that you installed and configured a while ago and you're now able to implement these stronger security options, use this how-to and verification…


Looking in vain for our Active Directory content? Try our new vanity URLs off for "quick access" to AD TechCenter home pages

“All my love’s in vain.” – “Love in Vain”, Robert Johnson (1911-1938) Hey folks, We know if you read this blog you love to find answers to all your Active Directory questions in our documentation on But before you can do that, you have to be able to find it. As many of you know,…

Using PowerShell to clear or remove all AIA and CDP entries in Active Directory Certificate Services for Windows Server 2012

You may have already seen that you can deploy most Windows Server 2012 role services with Windows PowerShell. If you are interested in Active Directory Certificate Services (AD CS), you’ve probably noticed the PowerShell commands for deploying all six available CA roles: AD CS Deployment Cmdlets in Windows PowerShell. You may have also noticed…


The Hyper-V and the virtual floppy shuffle

One of the favorite ice breakers at computer geek get-togethers is to talk about your first computer. Hey, I still remember the TRS 80 (which people in the know call the Trash80). If you liked something and you are proud of it and still refer to it as trash, well… So, I am usually…



I was recently alerted to the situation that not all of our Microsoft customers have adjusted their language based on the new branding of Active Directory to include more than just Active Directory Domain Services. For example, people might just be searching for Certificate Services, when we now call it internally Active Directory Certificate Services….


Updates just posted to Active Directory Certificate Services (AD CS) documentation

A few updates were just posted, so I am putting out an FYI post. I should do this more often, so I will! Anyways, here goes: 1. Slowly, but surely, the AD CS documentation is being consolidated into a single download center page: Active Directory Certificate Services (AD CS) Further, you can actually go…


Important Security Update that affects sample pages in AD CS

An important security update, described in MS11-051, was released today. The update fixes a cross-site scripting vulnerability in the sample web enrollment ASP pages that are part of Active Directory Certificate Services Web Enrollment in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Important: Back up any sample web enrollment sample…


Incompatibilities with CNG or V3 templates

If you have heard of Certificates Next Generation (silly name, I know), which is why people call them V3 templates at Microsoft most of the time, then you might wonder or already know that there could be some compatibility issues – the same is true for all “new” things. Just like my new office power…


PKI Design "Brief Overview"

I am really trying to make this TechNet Wiki article PKI Design Brief Overview a place from which we can answer the basic questions regarding PKI design and then point off to the more detailed information. Feel free to review this document. If you have pointers to great resources regarding PKI Design that are…


Troubleshooting Certificate Autoenrollment field notes posted on TechNet Wiki

If you have trouble with Certificate Autoenrollment or have ever had issues troubleshooting certificate autoenrollment in Active Directory Certificate Services (AD CS), take a look at the notes compiled by Roger Grimes and turned into a TechNet Wiki article: Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services.