This blog has been my scratchpad for the last 6 years or so for noting down interesting things encountered while assisting customers in getting the most out of their Microsoft environments. However, as I’m leaving Microsoft and relocating, this will be the closing entry on it. My primary goal at Microsoft was to make Windows…


Peeling the onion – how many layers should your PKI have?

I’ve been talking to a colleague who insists a 1-tier PKI infrastructure is better than a 2-tier PKI infrastructure, but without providing details on exactly why. Is it better? The word “better” is fairly meaningless as a quantitative descriptor. If you’re talking to someone that uses that word when describing an IT-related subject it probably…


Assigning a static RPC port to ADLDS or ADAM for replication

Just wanted to put this here as it’s not been easy to find this information anywhere: ADLDS registers a custom RPC port which is by default taken from the dynamic port range 49152-65535; this is NOT the same as the LDAP port specified for the instance. On ADAM the same thing applies but the dynamic…


God mode on Windows 8

It’s summer, you’re bored enough to start reading random newsletters and then you pick up something useful. Create a folder on your Surface desktop with the name GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and open the folder for a surprise… …this incidentally also works on Windows 7.


ADCS and dedicated CRL-signing certificates

We’re seeing what appears to be random revocation checking failures on clients for certificates issued by our CA. The infrastructure is a 2-tier PKI with an OCSP defined on the issuing CA certificate and the CRL from the Root CA signed by a dedicated CRL-signing certificate (i.e. not the issuing cert). We’ve observed that in cases…


PowerShelling your DCs

The following is useful for scenarios where you want to either batch process a command online against all of the DCs in the domain, or if you have data files from all the DCs that you want to process offline. The PS script will check for the presence of a file called dclist.csv with the…


Getting FIM CM to inventory all certificate requests made outside of the FIM CM Portal

There’s a neat policy module plug-in called “Support for non-FIM CM certificate requests” that’s available in the latest version of FIM CM 2010 R2 SP1. After adding this plugin as a custom policy module on the CA you need to do the following: put in the SQL connection string (should already be present in…


ADFS, Antivirus and Backup and Monitoring

What do I need to do a Disaster Recovery of ADFS? What exclusions should I configure for my ADFS Server? There’s a really good Wiki article on backing up ADFS on that is a must-read for any serious deployment of ADFS. In short; a System State backup that includes all volumes of the ADFS server will be…


The Power of POSH and Get-Help

If you ever find yourself yearning to break into PowerShell for extending your technological tendrils into areas normally reserved for C++ or C# developers, then you’ll want to leverage the power of the Get-Help PowerShell cmdlet. Example: let’s say you want to list any and all cmdlets that contain ‘ADFS’ or that mention ‘ADFS’ anywhere in…


Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level

During the installation of ADFS 2.1 on Windows Server 2012, the Add-Role wizard grants the local virtual account NT SERVICE\MSSQL$MICROSOFT##WID that runs the WID service the ‘Log on as a service’ user right via the Local Group Policy. If the Local Group Policy that grants the user right is overwritten by a GPO with a higher priority that also defines User Rights, the…