While waiting for a new hardware setup I decided to jump the gun and upgrade my old 2003CA to 2008 in advance – a pretty straightforward process of decommissioning and deploying a new CA on a fresh 2008 install.  Both my Home Theatre setup and laptop are running Vista or 7, and there’s a virtualized Core 2008 Domain Controller as well. No problems there.
However, there is still one slight snag as I’m still using a 2003 machine as second physical DC (which hosts my DFS namespace and I haven’t gotten around to upgrading that one).
After a couple of days, that machine started spewing Event ID 13 errors every eight hours in the Application log:

Event Type:    Error
Event Source:    AutoEnrollment
Event Category:    None
Event ID:    13
Date:        28-2-2011
Time:        18:14:37
User:        N/A
Computer:    MYDC
Description:
Automatic certificate enrollment for local system failed to enroll
for one Domain Controller Authentication certificate (0x80092009).
Cannot find the requested object.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.

Secure Channel for LDAP over SSL also breaks because of this, so you’ll see those warnings as well.

A quick look in the ADCS Snapin confirmed both the Directory Email Replication and Domain Controller Authentication certificates were trying to autoenroll but failing every 8 hours.

A search for "cannot find the requested object" quickly resolved that, pointing the way to http://support.microsoft.com/kb/968730.

After requesting the hotfix and rebooting, AutoEnroll properly processes the request again, and SSL enabled LDAP connections are restored.

More information is also available on the Windows PKI Technet Blog: http://blogs.technet.com/b/pki/archive/2011/02/08/common-questions-about-sha2-and-windows.aspx

The problem with Server Core … there’s no way for you to see the “updates to install” notice in the system tray when you log on to the computer because, well, there’s no systray!

In comes a handy piece of VBscript that allows you to do a manual quick check and start off the installation process, using the in-box Windows Update Agent API.
http://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx

Although the MSDN article states it does not run against SUS 1.0 servers, you don’t have to worry because both Windows Update (site) and WSUS 3.x employ the WUA API.

Save and run the script in the command prompt as “cscript ” since the default script host is graphical (wscript) on a Core box.

Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateupdateSearcher()
 
WScript.Echo "Searching for updates..." & vbCRLF
 
Set searchResult = _
updateSearcher.Search("IsInstalled=0 and Type='Software'")
 
WScript.Echo "List of applicable items on the machine:"
 
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> " & update.Title
Next
 
If searchResult.Updates.Count = 0 Then
WScript.Echo "There are no applicable updates."
WScript.Quit
End If
 
WScript.Echo vbCRLF & "Creating collection of updates to download:"
 
Set updatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
 
For I = 0 to searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    WScript.Echo I + 1 & "> adding: " & update.Title 
    updatesToDownload.Add(update)
Next
 
WScript.Echo vbCRLF & "Downloading updates..."
 
Set downloader = updateSession.CreateUpdateDownloader() 
downloader.Updates = updatesToDownload
downloader.Download()
 
WScript.Echo  vbCRLF & "List of downloaded updates:"
 
For I = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(I)
    If update.IsDownloaded Then
       WScript.Echo I + 1 & "> " & update.Title 
    End If
Next
 
Set updatesToInstall = CreateObject("Microsoft.Update.UpdateColl")
 
WScript.Echo  vbCRLF & _
"Creating collection of downloaded updates to install:" 
 
For I = 0 To searchResult.Updates.Count-1
    set update = searchResult.Updates.Item(I)
    If update.IsDownloaded = true Then
       WScript.Echo I + 1 & "> adding:  " & update.Title 
       updatesToInstall.Add(update) 
    End If
Next
 
WScript.Echo  vbCRLF & "Would you like to install updates now? (Y/N)"
strInput = WScript.StdIn.Readline
WScript.Echo 
 
If (strInput = "N" or strInput = "n") Then 
WScript.Quit
ElseIf (strInput = "Y" or strInput = "y") Then
WScript.Echo "Installing updates..."
Set installer = updateSession.CreateUpdateInstaller()
installer.Updates = updatesToInstall
Set installationResult = installer.Install()
 
'Output results of install
WScript.Echo "Installation Result: " & _
installationResult.ResultCode 
WScript.Echo "Reboot Required: " & _ 
installationResult.RebootRequired & vbCRLF 
WScript.Echo "Listing of updates installed " & _
"and individual installation results:" 
 
For I = 0 to updatesToInstall.Count - 1
WScript.Echo I + 1 & "> " & _
updatesToInstall.Item(i).Title & _
": " & installationResult.GetUpdateResult(i).ResultCode 
Next
End If

Well, yes. I want to, it’s already stored on my network. I put it there. In fact, I already unblocked the content when I downloaded the file.

But still I get a blank page in the Helpfile:

So let’s go check the KB Article page to see what we can do.

Ah. While there is a helpful section explaining the registry keys needed to Make Things Work again regeditting manually is not everyones favourite pastime:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001
"UrlAllowList"="\\\\alt-92.net"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001
"UrlAllowList"="\\\\alt-92.net"


No, the double \\ are no mistake. You need to escape backslashes.

Now repeat for every computer. Wash, rinse, repeat.

Time to get busy.
Using GPOs seems a likely solution. In fact, the KB article references GPO’s but in a very nasty way.
So why not use Vista’s new GPO Preferences?

To start off, create a new GPO (appropriately named GP_HTMLHelpFix ).
Dig down into the Computer Configuration tree, until you reach Preferences> Windows Settings > Registry.

Create new entries for the values needed:

You can use the UrlAllowList setting to enter DFS roots or local intranet domain.

After linking the Computer GPO to the proper OU and doing a gpupdate, you should see the results in the Registry Editor:

The above approach works in most cases. Except.. it’s still not working.

As it turns out, I not only need to configure the registry keys, but also need to properly configure Internet Options to include the namespace in the local Intranet Zone.
Apparently, there is a problem in IE7 listed in MSKB article 941001.

If you configure a policy setting to a value other than the default value, a local site may appear as “Local Intranet” even though you expect it to appear as “Internet,” or vice versa.

The default settings which should work but don’t:

So let’s tick off Autodetect, tick “Include all Network paths (UNCs)” since a drivemapping is also UNC..

Click Advanced, and enter the domain as a file://-based UNC path..

Re-tick autodetect, with the settings enabled and ‘Ok’ your way though.

Import these settings in the appropriate GPO object to control IE settings if you have them.

Bonus: Use a WMI filter to exclude or include the operating systems you wish to apply these settings to. The Filter shown ensures the GPO only applies to XP desktops and Vista RTM or SP1 desktop machines, and not to any 2000 Pro or 2003 Server machines that inadvertently stray out of their OU.

By the way:

It worked!

Here’s why.

http://support.microsoft.com/kb/320246/en-us