New AD CS doc: Migrating a Certification Authority from a CSP to a KSP

Just published: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) – and optionally, migrating from SHA-1 to SHA-2. If you have a CA that you installed and configured a while ago and you're now able to implement these stronger security options, use this how-to and verification…


Looking in vain for our Active Directory content? Try our new vanity URLs off for "quick access" to AD TechCenter home pages

“All my love’s in vain.” – “Love in Vain”, Robert Johnson (1911-1938) Hey folks, We know if you read this blog you love to find answers to all your Active Directory questions in our documentation on But before you can do that, you have to be able find it. As many of you know,…

Update for SetSPN – Syntax for SetSPN.exe

Breaking guidance change: Although you can use Setspn -A, you should use Setspn -S instead because -S will verify that there are no duplicate SPNs. However, if you are using Windows Server 2003 or earlier, you will not be able to use the -S switch because it is not available for that platform. In the…


Deploying Active Directory Certificate Services (AD CS) PKI two-tier hierarchy

When I was first learning about Active Directory Certificate Services (AD CS), a colleague told me that I should search on Step-by-Step Guide with AD CS. He was right, that was a good place to get started. Starting with Windows Server 2008 R2, the Test Lab Guide concept was introduced. So, if you want to…


The Hyper-V and the virtual floppy shuffle

One of the favorite ice breakers for computer geek get-together is to talk about your first computer. Hey, I still remember the TRS 80 (who people in the know call it the Trash80). If you liked something and you are proud of it and still refer to it as trash, well… So, I am usually…



I was recently alerted to the situation that not all of our Microsoft customers have adjusted their language based on the new branding of Active Directory to include more than just Active Directory Domain Services. For example, people might just be searching for Certificate Services, when we now call it internally Active Directory Certificate Services….


Updates just posted to Active Directory Certificate Services (AD CS) documentation

A few updates were just posted, so I am putting out an FYI post. I should do this more often, so I will! Anyways, here goes: 1. Slowly, but surely, the AD CS documentation is being consolidated into a single download center page: Active Directory Certificate Services (AD CS) Further, you can actually go…


Incompatibilities with CNG or V3 templates

If you have heard of Certificates Next Generation (silly name, I know), which is why people call them V3 templates at Microsoft most of the time, then you might wonder or already know that there could be some compatibility issues – the same is true for all “new” things. Just like my new office power…


Troubleshooting Certificate Autoenrollment field notes posted on TechNet Wiki

If you have trouble with Certificate Autoenrollment or have ever had issues troubleshooting certificate autoenrollment in Active Directory Certificate Services (AD CS), take a look at the notes compiled by Roger Grimes and turned into a TechNet Wiki article: Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services. Tags: troubleshooting certificate services,autoenrollment,resolve autoenrollment,troubleshoot autoenrollment


Updates made to Certificates How To. based on your feedback

I just went through and updated 16 or more resources that were posted online a while ago regarding Windows Server 2003. Seems there was not enough context with the information that was appearing in TechNet regarding the Certificates Console (certmgr.msc). I also realized that the information would be easier to follow for many people if…