Archive

Posts Tagged ‘windows 2008’

Certificate Authority Request Monitoring with Powershell

November 24th, 2009 tcnolan No comments

Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA; Enterprise CAs are a bit more complex, but that’s a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn’t provide the greatest experience for manually requesting certificates; it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.

One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, no events are logged for new certificate requests, so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low-priority service in your enterprise and can get neglected, which has happened in my case a few times.

This neglect prompted me to write the following Powershell script, which very simply uses certutil to check whether there are any pending requests and then fires off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things; however, I really only needed this for requests, so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.

To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.
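As an added illustration (not the author’s downloadable script), here is a minimal Powershell version of the check described above: it asks certutil for requests in the pending disposition, parses the rows, and mails a summary only when something is waiting. The CA config string, SMTP host and addresses are placeholders to change for your environment.

```powershell
# Added example, not the post's own script. Polls the CA database for pending
# requests via certutil and e-mails a summary when any exist.
# Placeholders (assumed values, change them): CA config string, SMTP host, addresses.
$CaConfig   = 'ca01.domain.local\Example Issuing CA'   # find yours with: certutil -dump
$SmtpServer = 'smtp.domain.local'
$From       = 'ca-monitor@domain.local'
$To         = @('pki-admins@domain.local')

# Disposition 9 is "request pending" in the CA database. -restrict filters rows
# on the server, -out selects columns, -config avoids the CA picker dialog.
$raw = & certutil -config $CaConfig -view -restrict 'Disposition=9' `
          -out 'Request.RequestID,Request.RequesterName,Request.SubmittedWhen'
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}

# certutil prints a schema block, then each row as 'Row N:' followed by
# '  Localized Column Name: value' lines; collect one hashtable per row.
$pending = @()
$current = $null
foreach ($line in $raw) {
    if ($line -match '^Row \d+:') {
        if ($null -ne $current) { $pending += $current }
        $current = @{}
    }
    elseif (($null -ne $current) -and
            ($line -match '^\s*(Request ID|Requester Name|Request Submission Date):\s*(.+)$')) {
        $current[$matches[1]] = $matches[2].Trim()
    }
}
if ($null -ne $current) { $pending += $current }

if ($pending.Count -eq 0) { return }   # nothing outstanding; stay quiet this run

$rows = $pending | ForEach-Object {
    '{0,-12} {1,-40} {2}' -f $_['Request ID'], $_['Requester Name'], $_['Request Submission Date']
}
$body = "Pending requests on $CaConfig (issue or deny them in the Certification Authority console):`n`n" +
        ($rows -join "`n")

# Send-MailMessage needs Powershell 2.0 or later.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "$($pending.Count) pending certificate request(s) on $CaConfig" -Body $body
```

Run it from a scheduled task under an account that has Read permission on the CA; the e-mail is only sent when the pending queue is non-empty.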

More information and a download link are after the break…


Windows 2008 DNS Query Issues with Root Hints

June 9th, 2009 tcnolan No comments

While browsing Newegg looking for some hardware, I came across an issue where the images on their site were not loading. I couldn’t figure out exactly what was going on, since it wasn’t a browser cache issue, and it didn’t seem to be a DNS issue, at least not on my workstation anyway. After doing a little digging, I tried clearing the DNS cache on our DNS server, and everything came up and the images started loading fine again.

Over the course of the last three months this happened a few times, not only for Newegg but for other sites as well, mostly in the .co.uk TLD though. This happening once was easy enough to dismiss, even happening a second time, ok, but after a third time there had to be some other underlying issue. Fortunately, Microsoft released a KB article that explains what is going on and how to get around the problem. You can read all about it here: http://support.microsoft.com/kb/968372

What is happening is basically that root hints are not updating on the DNS server, and SERVFAIL is getting returned to the client requesting the DNS lookup. This can cause pages to not load on certain domains, including but not limited to .co.uk, .cn, and .br, as well as certain .coms that I have seen. Fortunately the fix is easy enough; you can either configure forwarders or simply tweak the TTL of the root hints on your server. I’m not going to get into the debate of which is better, root hints or forwarders; but for those of you using forwarders this problem will not affect you, and for those of you using root hints, below is a very easy set of commands you can run to fix the problem.

Launch an elevated command prompt and execute the following commands. This will stop your DNS server, add the Microsoft recommended registry value (MaxCacheTTL = 0x0002a300, which is 172,800 seconds, or two days), and start DNS back up again.

NET STOP DNS
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v MaxCacheTTL /t REG_DWORD /d 0x0002a300
NET START DNS