Friday Mail Sack: Guest Reply Edition

Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion ad nauseum AD PowerShell, Get-Acl, and the missing objects that aren’t… Read more

I’ll take NDES in the DMZ, for 1000 Alex

Hello. Jim here yet again to talk to you about deploying Windows Server 2008 R2 with the Network Device Enrollment Services (NDES) role in a secure perimeter network. Let’s consider the scenario. You have an internal PKI hierarchy consisting of an Offline Root Certificate Authority (CA), a policy CA, and an issuing CA. You want… Read more

Certificate Authority disaster recovery steps when smartcard logon is required but no valid CRL can be published

[Editor’s note: this is a reprinted post from the AD Troubleshooting Blog. If you’re not already a subscriber to that blog, you absolutely need to add it to your feed. Ingolfur is a Sr. Support Escalation Engineer in Sweden and a very smart dude – with rather odd hair – who deserves your attention. Make… Read more

Designing and Implementing a PKI – Series Wrapup and Downloadable Copies

Hi all, Ned here again. We usually get asked for a more portable version of our multi-part blog posts so – for once – I am creating it before the yelling starts. Chris’ “Designing and Implementing a PKI” series is included below in a few common file formats: Download in DOX format Download in XPS… Read more

Designing and Implementing a PKI: Part V Disaster Recovery

The series: Designing and Implementing a PKI: Part I Design and Planning Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation Designing and Implementing a PKI: Part III Certificate Templates Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival Designing and Implementing a PKI:… Read more

Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival

The series: Designing and Implementing a PKI: Part I Design and Planning Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation Designing and Implementing a PKI: Part III Certificate Templates Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival Designing and Implementing a PKI:… Read more

Friday Mail Sack: The Gang’s All Here Edition

Hi folks, Ned here again with your questions and our answers. This is a pretty long one; looks like everyone is back from vacation, winter storms, and hiding from the boss. Today we talk Kerberos, KCC, SPNs, PKI, USN journaling, DFSR, auditing, NDES, PowerShell, SIDs, RIDs, DFSN, and other random goo. Rawk! DC NIC teaming… Read more

iPad / iPhone Certificate Issuance

Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up. I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can get certificates via the Simple… Read more

Friday Mail Sack: Barbados Edition

Hello world, Ned here again. I’m back to write this week’s mail sack – just in time to be gone for the next two weeks on vacation and work travel. In the meantime Jonathan and Scott will be running the show, so be sure to spam the heck out of them with whatever tickles you…. Read more

Moving Your Organization from a Single Microsoft CA to a Microsoft Recommended PKI

Hi, folks! Jonathan here again, and today I want to talk about what appears to be an increasingly common topic: migrating from a single Windows Certification Authority (CA) to a multi-tier hierarchy. I’m going to assume that you already have a basic understanding of Public Key Infrastructure (PKI) concepts, i. e., you know what a… Read more