Adding a Windows Server 2016 Domain Controller
Nov25

KB ID 0001262 Dtd 24/11/16 Problem Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening a command line, schema prepping, GP prepping, etc. Now all this happens in the background while the wizard does the heavy lifting for you. Solution Obviously the server needs to be a domain member first! With a vanilla install Server Manager will open every time you...

Windows Server 2016 – Locating, Transferring, and Seizing FSMO Roles
Nov10

KB ID 0001257 Dtd 10/11/16 Problem I've written about transferring and seizing FSMO (Flexible Single Master Operations) roles before; see the following article: Transferring Your FSMO Roles. Now you have a PowerShell cmdlet to help: 'Move-ADDirectoryServerOperationMasterRole'. Solution As before, you can view your FSMO role holders by using the following command: netdom query fsmo To transfer them to another server, (in the case a...

Install and Configure Certificate Enrolment Policy Web Service
Oct26

KB ID 0001250 Dtd 26/10/16 Problem A client had moved a domain-joined server into their DMZ, and while they had opened the correct ports for Domain Authentication on their firewall, no one had considered the certificates on the server, which had expired and could not be renewed. Some research pointed me towards Certificate Enrolment Web Service. Its job is to let clients enrol and renew certificates, from either non domain joined...

URI Was Validated Successfully But there Was No Friendly Name Returned
Oct22

KB ID 0001249 Dtd 23/10/16 Problem When attempting to connect a host to a Certificate Enrolment Policy Server, it worked but had the following complaint: WARNING: The URI “https://{Host-Name}ADPolicyPRovice_CEP_{Method}/service.svc/CEP” was validated sucessfully but there was no friendly name returned by the remote machine. Solution On your certificate enrolment policy server, open the Internet Information Services (IIS)...

Certificate Enrolment – URI This ID conflicts with an Existing ID
Oct22

KB ID 0001248 Dtd 22/10/16 Problem When attempting to connect a host to a Certificate Enrolment Policy Server, I got this error: The URI Entered above had ID : “{Random-GUID}”. This ID conflict with an existing ID Solution On your certificate enrolment policy server, open the Internet Information Services (IIS) Management console. Expand {Server-Name} > Sites > Default Web Site > ADPolicyProvider_CEP_Kerberos,...

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)
Oct12

KB ID 0001244 Dtd 12/10/16 Problem This is pretty much PART TWO of two posts addressing the need to migrate away from SHA1 before February 2017. Back in PART ONE we looked at how to upgrade the ROOT CA. It does not matter if it's an offline or online root CA; the process is the same. In many organisations the PKI is multi-tiered: they either have a RootCA <> SubCA, or a ROOTCA <> IntermediateCA <> IssuingCA. (which...
