While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install.  Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag as I’m still using a 2003 machine as second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log:

Event Type:    Error
Event Source:    AutoEnrollment
Event Category:    None
Event ID:    13
Date:        28-2-2011
Time:        18:14:37
User:        N/A
Computer:    MYDC
Description:
Automatic certificate enrollment for local system failed to enroll
for one Domain Controller Authentication certificate (0x80092009).
Cannot find the requested object.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.

A quick look in the ADCS Snapin confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.

A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.

After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.

More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

The problem with Server Core … there’s no way for you to see the “updates to install” notice in the system tray when you log on to the computer because, well, there’s no systray!

In comes a handy piece of VBscript that allows you to do a manual quick check and start off the installation process, using the in-box Windows Update Agent API.
http://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx

Although the MSDN article states it does not run against SUS 1.0 servers, you don’t have to worry because both Windows Update (site) and WSUS 3.x employ the WUA API.

Save and run the script in the command prompt as “cscript ” since the default script host is graphical (wscript) on a Core box.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
 
WScript.Echo "Searching for updates..." & vbCRLF
 
Set searchResult = _
updateSearcher.Search("IsInstalled=0 and Type='Software'")
 
WScript.Echo "List of applicable items on the machine:"
 
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next
 
If searchResult.Updates.Count = 0 Then
WScript.Echo "There are no applicable updates."
WScript.Quit
End If
 
WScript.Echo vbCRLF & "Creating collection of updates to download:"
 
Set updatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
 
For I = 0 to searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> adding: " & update.Title 
    updatesToDownload.Add(update)
Next
 
WScript.Echo vbCRLF & "Downloading updates..."
 
Set downloader = updateSession.CreateUpdateDownloader() 
downloader.Updates = updatesToDownload
downloader.Download()
 
WScript.Echo  vbCRLF & "List of downloaded updates:"
 
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded Then
       WScript.Echo I + 1 & "> " & update.Title 
    End If
Next
 
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")
 
WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 
 
For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next
 
WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
strInput = WScript.StdIn.Readline
WScript.Echo 
 
If (strInput = "N" or strInput = "n") Then 
WScript.Quit
ElseIf (strInput = "Y" or strInput = "y") Then
WScript.Echo "Installing updates..."
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall
Set installationResult = installer.Install()
 
'Output results of install
WScript.Echo "Installation Result: " & _
installationResult.ResultCode 
WScript.Echo "Reboot Required: " & _ 
installationResult.RebootRequired & vbCRLF 
WScript.Echo "Listing of updates installed " & _
"and individual installation results:" 
 
For I = 0 to updatesToInstall.Count - 1
WScript.Echo I + 1 & "> " & _
updatesToInstall.Item(i).Title & _
": " & installationResult.GetUpdateResult(i).ResultCode 
Next
End If

It looks like a ‘nice to have’ feature for the ubertweaker and enthusiast at first, but think about this:

What if you need to support a DTA environment for desktops? Now, you don’t have to mess around with Virtualization software – just provision and deploy the VHD file with the appropriate configuration (such as a segmented VLAN for Test or Dev) and let your application developers use the same hardware.
No double PCs, no double network outlets, no extra poweroutlets or powerconsumption (think green here).

Sure, it needs some tweaking (preventing disk access between images) but.. tempting nonetheless…