Cisco – Automatic Re-enrollment Fails to MSCEP/NDES
Nov17

KB ID 0000970 Problem I’ve covered setting up NDES at length in the past, but what happens when your issued certificates expire? If you are using them for all your VPNs, what then? Well, thankfully you can get your devices to automatically re-enroll before they expire. For example, to renew the cert at 80% of its lifetime you would use the following; crypto pki trustpoint PNL-TRUSTPOINT enrollment url...

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’
Nov17

KB ID 0001029 Problem Server: Windows Server 2012 R2 Client: Windows 8 Enterprise I was setting auto-enrollment this morning, and the computer certificates were getting issued but not the user ones. The policies were correct, the registry keys on the clients were correct, even RSOP told me the users ‘should’ be getting certificates. However nothing was working so I decided to ‘manually enroll’ and this...

Event ID 29
Nov17

KB ID 0001032  Problem Seen on a Microsoft Certificate Services server running NDES. Log Name: Application Source: Microsoft-Windows-NetworkDeviceEnrollmentService Date: 04/02/2015 11:22:26 Event ID: 29 Task Category: None Level: Error Keywords: User: PETENETLIVESVC_NDES Computer: PNLPKI00v.petenetlive.com Description: The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to...

Event ID 128 – Certification Authority
Nov17

KB ID 0001033  Problem Seen in the application log of a Windows Certificate Services server (Server 2012 R2) Log Name: Application Source: Microsoft-Windows-CertificationAuthority Date: 07/02/2015 15:55:26 Event ID: 128 Task Category: None Level: Warning Keywords: User: SYSTEM Computer: PNLPKI00v.petenetlive.com Description: An Authority Key Identifier was passed as part of the certificate request 29. This feature has not been...

Server 2012 – Certificate Services – ‘HTTP Error 403.14 – Forbidden’
Nov17

KB ID 0001067 Problem I spun up a new Certificate Services server on my test network today, because I needed to issue some certificates for something I’m working on. It was a pretty vanilla build, just the Certificate Services role, and the Web Enrollment feature. Solution I spent a while searching this one down, as you can see (above) it was showing me the root cause of the problem. The page you normally see when you log into...

Microsoft Certificate Services Configuring OCSP
Nov17

KB ID 0001084 Problem I seem to have done a lot of PKI the last 18 months. This week I needed an OCSP server deploying for the CA server on my test bench so I took the time to document it for future use. One of the most overlooked parts of a PKI deployment is how to cope with ‘revoking’ certificates. Traditionally this has been done with a CRL, but there is a downside to CRLs. Network devices tend to cache them,...

Using “DCPROMO /ADV” to Promote Remote Domain Controllers
Nov17

KB ID 0000106 Problem For everyone that’s ever sat in a server room/cupboard and had to wait for a server to replicate Active Directory from a remote site, you will appreciate just how helpful the /ADV switch is when creating a domain controller. What does it do? Well, basically it lets you build a domain controller from a backed up copy of Active Directory, so after a reboot the new domain controller only has to replicate the...

Adprep /forestprep fails 2003 > 2008 Domain Upgrade
Nov17

KB ID 0000026 Problem While attempting to upgrade a domain to Windows 2008 (schema version 44) you get an error like this: [Status/Consequence] Error message: Error(110) while running “”C:\WINDOWS\system32\LDIFde.exe” -o Obj ectGuid -d “CN=nTFRSSubscriber-Display,CN=404,CN=DisplaySpecifiers,CN=Configurat ion,DC=DOMAIN,DC=local” -u -f “C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP9791.tmp” -j...

Set up Remote Access PPTP VPN’s in Windows Server
Nov17

KB ID 0000103 Problem You want to provide access to your corporate network for your remote users. Solution Installing the Server Role 1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter)) > Add Roles > Select Network Policy and Access Services > Next > Next 2. Select Remote Access Service > Next > Install > The Service will take a while to install (Coffee time!). 3. When Done > Close....

Remote Server Administration Tools (On Server 2008)
Nov17

KB ID 0000169 Problem After 20 minutes of Googling I was scratching my head. I wanted “Active Directory Users and Computers” on a 2008 server that wasn’t a domain controller. I thought as Vista had the same codebase, then Vista RSAT would work (but it won’t). Solution After a bit of stumbling around, I found it; it’s already on the server as a “Feature”, it’s just not turned on. Click Start > Server...
