RSAT for Windows 7 SP1 available
The Ask the Directory Services Team Blog posted some goodness:
The Remote Server Administration Toolkit update to support Windows 7 Service Pack 1 has been released.
See http://blogs.technet.com/b/askds/archive/2011/04/07/rsat-for-windows-sp1-is-now-available.aspx or get it at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d
Windows Server 2008 CAs and Server 2003 DCs – are you seeing event ID 13 popping up every eight hours?
Be careful when implementing a Windows 2008 based Certificate Authority in a mixed 2003R2 and 2008(R2) environment. By default, the installation of the ADCS Role on a 2008 Server selects SHA2 type algorithms which are not quite compatible with Server 2003R2 SP2 or XP SP3.
You will need a hotfix.
While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install. Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag, as I’m still using a 2003 machine as a second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log:
    Event Type: Error
    Event Source: AutoEnrollment
    Event Category: None
    Event ID: 13
    Date: 28-2-2011
    Time: 18:14:37
    User: N/A
    Computer: MYDC
    Description:
    Automatic certificate enrollment for local system failed to enroll for one Domain Controller Authentication certificate (0x80092009). Cannot find the requested object.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.
A quick look in the ADCS snap-in confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.
A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.
After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.
More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx
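To see which domain controllers and certificate templates are hitting this failure, the Event ID 13 entries can be parsed and grouped. This is an added example, not code from the original post; the message pattern is taken from the event text quoted above, the sample entries are constructed, and the function names are hypothetical.

```powershell
# Added example, not from the original post. Parses AutoEnrollment Event ID 13
# entries and summarizes which templates fail, and with which error code.
function Get-AutoEnrollFailure {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($Entry.Source -ne 'AutoEnrollment' -or $Entry.EventID -ne 13) { return }
        # Message layout taken from the event text quoted in the post.
        $pattern = 'failed to enroll for one (?<tpl>.+?) certificate \((?<hr>0x[0-9A-Fa-f]{8})\)'
        if ($Entry.Message -match $pattern) {
            New-Object PSObject -Property @{
                Computer = $Entry.MachineName
                Time     = $Entry.TimeGenerated
                Template = $Matches['tpl']
                HResult  = $Matches['hr'].ToLower()
            }
        }
    }
}

function Get-AutoEnrollSummary {
    param([object[]] $Failure)
    $Failure | Group-Object Computer, Template, HResult | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        New-Object PSObject -Property @{
            Key             = $_.Name
            Count           = $_.Count
            LastSeen        = $times[-1]
            # 0x80092009 is the code this post resolved with KB968730.
            SameErrorAsPost = ($_.Group[0].HResult -eq '0x80092009')
        }
    }
}

# Constructed sample entries shaped like EventLogEntry objects (hypothetical data).
$msg = 'Automatic certificate enrollment for local system failed to enroll for one {0} certificate (0x80092009). Cannot find the requested object.'
$sample = foreach ($tpl in 'Domain Controller Authentication', 'Directory Email Replication') {
    foreach ($h in 0, 8, 16) {
        New-Object PSObject -Property @{
            Source = 'AutoEnrollment'; EventID = 13; MachineName = 'MYDC'
            TimeGenerated = ([datetime]'2011-02-28 18:14:37').AddHours(-$h)
            Message = ($msg -f $tpl)
        }
    }
}
Get-AutoEnrollSummary ($sample | Get-AutoEnrollFailure) | Format-Table -AutoSize

# Live use against a DC's Application log (Get-EventLog reads classic logs remotely):
# Get-EventLog -LogName Application -ComputerName MYDC -Source AutoEnrollment -EntryType Error | Get-AutoEnrollFailure
```

After the hotfix is installed, the LastSeen time for each template should stop advancing.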
Windows 7 Action Center prompts and GPO Preferences
On a regular Windows 7 install, Action Center in Control Panel notifies the user in case settings are not set to defaults or if maintenance settings are not set – for instance, if you’ve configured Windows Update to prompt for install (and not automatically install available updates on shutdown), or Windows Backup.
Notifications are presented by means of the little Action Center flag in the systray, and a popup window.
You can disable these messages normally in the Action Center either by clicking the links provided or by changing the Action Center settings on the left.
On most Corporate networks however, Control Panel entries are either limited to user specific settings or even blocked altogether, in which case Action Center is not available but the notification will still bug you about the settings – like when you’re using SCCM for instance to install updates.
That’s not a bad thing per se, as Antivirus products also use the Action Center to notify you in case something is wrong.
Simply hiding the Action Center flag may not be the solution; that’s like sticking your head in the sand saying neenerneenerneener and waiting for that freight train to hit you head-on.
In that case, Group Policy Preferences allow you to enter presets and disable the above-mentioned prompts.
I’ve used Process Monitor to filter on the exact registry entries used to configure the settings.
Then, create a GP preference and snapshot* the disabled items.
*These are REG_BINARY keys; the value field is too short to enter the values manually.
For reference, these are the exact keys and binary values used.
Once applied to your User OU, these settings ensure the Action Center will still prompt for any other mishaps but ignore Windows Update or Backup.