SHA1 Key Migration to SHA256 for a two tier PKI hierarchy

Hello. Jim here again to take you through the migration steps for moving your two tier PKI hierarchy from SHA1 to SHA256. I will not be explaining the differences between the two or the supportability / security implementations of either. That information is readily available, easily discoverable and is referenced in the links provided below….

Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2

Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything for the AskDS blog. I’ve been heads down supporting all the new cool technology from Microsoft. I wanted to see if I could head off some cases coming our way with regard to the whole SHA1…

MD5 Signature Hash Deprecation and Your Infrastructure

Hi everyone, David here with a quick announcement. Yesterday, MSRC announced a timeframe for deprecation of built-in support for certificates that use the MD5 signature hash. You can find more information here: http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographic-improvements-in-microsoft-windows.aspx. Along with this announcement, we’ve released a framework which allows enterprises to test their environment for certificates that might be blocked as part of the upcoming…

Intermittent Mail Sack: Must Remember to Write 2013 Edition

Hi all, Jonathan here again with the latest edition of the Intermittent Mail Sack. We’ve had some great questions over the last few weeks so I’ve got a lot of material to cover. This sack, we answer questions on: Issues upgrading DFSR hub servers to Windows Server 2012; AD FS Sign-out behavior; Dynamic Access Control…

RSA Key Blocking is Here!

Hello everyone. Jonathan here again with another Public Service Announcement post. Today, Microsoft has published a new Security Advisory: Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length. The Security Advisory and the accompanying KB article have complete information about the software update, but the key takeaway is that this update is now available…

RSA Key Blocking is Coming

Hey all, Ned here again with one of my rare public service announcement posts: In August 2012, Microsoft will issue a software update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of RSA cryptographic keys…

Friday Mail Sack: Mothers day pfffft… when is son’s day?

Hi folks, Ned here again. It’s been a little while since the last sack, but I have a good excuse: I just finished writing a poop ton of Windows Server 2012 depth training that our support folks around the world will use to make your lives easier (someday). If I ever open MS Word again…

Friday Mail Sack: It’s a Dog’s Life Edition

Hi folks, Ned here again with some possibly interesting, occasionally entertaining, and always unsolicited Friday mail sack. This week we talk some: DNS partition absence; Controlling DCDIAG event messaging; Inventorying SYSVOL replication architecture; Weird WMI DFSR volume paths; Tightening up your inactive user account queries; More logon banner info; Smart card logons working “too well”…

Friday Mail Sack: Best Post This Year Edition

Hi folks, Ned here and welcoming you to 2012 with a new Friday Mail Sack. Catching up from our holiday hiatus, today we talk about: Disabling Administrative Shares; Making Get-ADDomainController useful’er; Kerberos group bloat; USMT moving profiles back from other disks; The DFSR service and backups; AGPM and “out of band” built-in policy changes; USMT…

Friday Mail Sack: Guest Reply Edition

Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier; ADAM/ADLDS P2V ABC 123; Managing AGPM security filters; Multiple IIS App pools and Kerberos; AGPM multi-domain comparison; ADUC domain password weirdness; DFSR deletion conflict handling; Stale account deletion ad nauseum; AD PowerShell, Get-Acl, and the missing objects that aren’t…