Thursday, December 29, 2016

Windows Server 101 (Free eBook)

I just saw that a colleague Brian Svidergol (@bsvidergol) has released a free ebook, named Windows Server 101, about the basics of Windows Server. I've worked with Brian on several projects and he knows his stuff.

If you are new to working with Windows Server or want to brush up on the basics, I suggest you check it out:

Wednesday, December 21, 2016

Certificate Template Versions and Autoenrollment

Certificate templates for Active Directory Certificate Services (AD CS) have multiple values related to versioning. In the Certificate Templates console, you can see two versioning attributes:
  • Schema Version - This defines the options available in a certificate template. When documentation refers to certificate template versions (for example https://technet.microsoft.com/en-us/library/cc725838(v=ws.11).aspx), it means the schema version. Schema versions are consistent across Windows servers.
  • Version - This number is unique for your AD CS implementation. When you modify the template, this version number is incremented.

Byron Web Server template: Schema Version 2, Version 100.3

The version number for your certificate templates is composed of a major version number and a minor version number. In this example:
  • Major version: 100
  • Minor version: 3

When you make any edit to a certificate template, the minor version number is incremented. Even minor edits such as changing the security configuration for the certificate template increment the minor version number. This number is primarily for your own auditing purposes to identify that a change has been made. Incrementing the minor version number has no immediate impact on clients using autoenrollment.

When you right-click a certificate template and select Reenroll All Certificate Holders, the major version number is incremented and minor version number is reset to zero. Clients using autoenrollment see that major version has been incremented and renew their certificate using the updated certificate template.

If you use ADSIedit to view the properties of a certificate template, you can see the major and minor version numbers stored as the following attributes:
  • revision
  • msPKI-Template-Minor-Revision

If you manually edit the revision attribute and increment the value, it will trigger an update for autoenrollment clients just as if you had selected the Reenroll All Certificate Holders option in the Certificate Templates Console.

On the client side, autoenrollment is triggered by scheduled tasks in \Task Scheduler Library\Microsoft\Windows\CertificateServicesClient. The triggers for enrollment are:
  • SystemTask (for computer certificates): At startup, repeat every 8 hours
  • UserTask (for user certificates): At sign in, repeat every 8 hours

If you are testing, you can manually run these tasks rather than restarting the computer or signing out and signing back in.
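The following PowerShell is an added example, not part of the original post: it reads the schema version, major revision (revision) and minor revision (msPKI-Template-Minor-Revision) of every template from the Configuration partition, compares them against a previously saved baseline so that a major bump (which makes every autoenrollment client renew) stands out from a harmless minor edit, and then kicks the client-side tasks for testing. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and a hypothetical baseline path C:\Baseline\templates.csv.

```powershell
# Added example: audit AD CS certificate template revisions and trigger autoenrollment.
Import-Module ActiveDirectory

function Get-CertTemplateVersion {
    param([string]$Name = '*')   # template CN; '*' lists every template
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
        -Properties revision, 'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            SchemaVersion = $_.'msPKI-Template-Schema-Version'
            Major         = $_.revision                          # bumped by Reenroll All Certificate Holders
            Minor         = $_.'msPKI-Template-Minor-Revision'   # bumped by any edit, no client impact
            Version       = '{0}.{1}' -f $_.revision, $_.'msPKI-Template-Minor-Revision'
        }
    }
}

# Hypothetical baseline path; create it once with:
#   Get-CertTemplateVersion | Export-Csv C:\Baseline\templates.csv -NoTypeInformation
$baselinePath = 'C:\Baseline\templates.csv'
$current = Get-CertTemplateVersion
if (Test-Path $baselinePath) {
    $baseline = Import-Csv $baselinePath
    foreach ($t in $current) {
        $old = $baseline | Where-Object Name -eq $t.Name
        if (-not $old) { Write-Warning "New template: $($t.Name) ($($t.Version))"; continue }
        if ([int]$old.Major -ne [int]$t.Major) {
            # Major revision changed: every autoenrollment client will renew against this template.
            Write-Warning "$($t.Name): major revision $($old.Major) -> $($t.Major); clients will re-enroll"
        } elseif ([int]$old.Minor -ne [int]$t.Minor) {
            Write-Host "$($t.Name): edited (minor $($old.Minor) -> $($t.Minor)), no client impact"
        }
    }
}
$current | Format-Table Name, SchemaVersion, Version -AutoSize

# For testing, run the client-side autoenrollment tasks now instead of waiting for the
# 8-hour repeat, a restart, or a sign-in (SystemTask needs an elevated prompt).
Start-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'SystemTask'
Start-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -TaskName 'UserTask'
```

Run the baseline export on a schedule and the comparison after any template change; an unexpected major bump, or a minor bump nobody made, is worth investigating since it means the template object was edited.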

Friday, December 2, 2016

Unable to Start Data Collector Set

I wanted to collect some performance information on a Windows Server 2008 R2 domain controller. One thing you may not realize is that Windows Server includes some predefined data collector sets for common tasks and generates reports based on the data. Since I was having a performance issue on the DC, I wanted to run the Active Directory Diagnostics data collector set.

Built-in data collector sets

When I attempted to start the Active Directory Diagnostics data collector set (or any of the other predefined data collector sets), they didn't start. There was no error message or any indication of what the error might be.

Ultimately my workaround was to create a new data collector set with the same settings. Fortunately, when you create a new data collector set, one of the options is to create from a list of templates, which includes Active Directory Diagnostics. The new data collector set ran without any issues.
Selecting a template for a data collector set