- Editor's Corner
- From the Mailbag
- PKI Potpourri
- Tip of the Week
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Federal Cloud Integration: Getting from Here to Where You Want to Be
- This Week's Webcasts
- Register for Webcasts
- HP ProLiant Gen8 Tech Day 1 – Customer Inspired Innovation
- Evolving the Start menu
- Group Policy Settings Reference for Windows and Windows Server
- Connect your Android device to SkyDrive with OneNote and other apps
- Quick Rule Creation in Outlook 2010
- DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?
- How to Hold a Confidential Print Job at a Shared Printer
- An open dialog on open source cloud
- Getting users involved in VDI testing
- VDI project pilot guide
- Streamlining multi-hypervisor management with ease
- This Week's Links We Like. Fun Stuff.
- Your dedicated spam filtering appliance in the cloud
SAVE THIS NEWSLETTER so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And please feel free to FORWARD IT TO A COLLEAGUE who you think might find it useful. Thanks!
From the Mailbag
In the May 14 issue Printing Pitfalls we included a few tips about printing in mixed environments such as x64/x86, Win7/XP, etc. A reader named Ray sent us the following story that highlights the kind of difficulties administrators sometimes face in such situations:
We recently spent a great deal of time struggling with printing issues when we installed our first 64-bit Windows 7 workstations. As you said, there's no problem adding 64-bit drivers to 32-bit print servers with one caveat: printers for which the manufacturer does not provide 64-bit drivers. We ran into this issue specifically on many HP LaserJet printers—and not just old ones either. Even printers we'd only had for a year or two only offered the HP Universal Print driver as an option for 64-bit operating systems.
We dutifully followed the procedure to install the UPD for 64-bit on our print server and attempted to associate it with the printers but continually failed, receiving an error that an appropriate print driver for the x86 operating systems was not found. We finally, after much experimentation, were able to figure out that point-and-print only works for 32 and 64-bit drivers on the same printer if the driver identity is the same. This particular issue was not documented anywhere that I could find on Microsoft's or HP's websites. The solution was to assign the UPD to our printers for both 32 and 64-bit operating systems. This allowed us to install both drivers and now both 32 and 64-bit clients can install printers from the print server, after much frustration and cursing of course.
This issue illustrates a problem I run across frequently as a network administrator. I find that more and more these days, documentation is often lacking in changes and updates to software and hardware. Problems like the printing issue stated above must have been understood by the engineers writing the OS and the drivers but nowhere was it documented that the driver name had to be the same for both OS types. It was just assumed that administrators would know—which works great until two totally different driver options are available for the same printer and OS combination (32-bit). If it weren't for the Internet discussion/gripe sites I'd have dozens of similar issues that would still remain unsolved.
Got more tips, gotchas or stories about printing in Windows environments? Email us at [email protected] so we can share them with readers of WServerNews.
Have you ever had to deal with digital certificate issues on Windows computers or deploy a Public Key Infrastructure (PKI) running on the Windows Server platform? This week's issue is a potpourri of different tips and gotchas centered around topics relating to Windows PKI. But before we begin, check out the following XKCD comic that explains WHY ALICE WAS JEALOUS CONCERNING BOB'S ALLEGED AFFAIR WITH EVE:
Hint for infosec newbies: Eve = eavesdropper
Can you install an Enterprise CA on a DC?
Yes. Should you? No!! Here are some reasons why you should NEVER install your organization's Enterprise Certificate Authority on a domain controller in your environment:
- All members of the Domain Admins group will have management rights over your root CA. Because your root CA is the foundation of digital security throughout your organization, you want to restrict the right to manage your CA to as few people as possible.
- You won't be able to rename your domain controller if it has the CA role installed on it. This might not affect you now, but it might in the future if you need to upgrade your environment or merge with another company.
- If you need to retire your domain controller, for example if it's older hardware and you're migrating to a newer version of Windows, the process for moving the CA to another server can be complicated.
- Installing the CA role on a domain controller will make it harder to restore the domain controller if it fails or becomes corrupted.
- If you also install IIS on your domain controller for web-based certificate management, then you'll need to open more firewall ports on your domain controller which can make your domain controller more vulnerable to attack.
Of course, if you're just building a small test network then it's probably OK to install your root CA on your DC.
Can you move an Enterprise CA between two forests?
Yes, but it's very complicated. The post below from the Windows PKI Blog explains some of what's involved, but your best bet is to engage Microsoft Support to walk you through the process:
How should you secure and maintain an Offline CA?
Since the root CA is at the top of your PKI and is self-signed, you want to do everything you can to secure and maintain it. A good practice is to keep your root CA offline so it's never connected to your corporate network and follow best practices to secure and maintain it. Specifically, this article from the TechNet Wiki provides some guidance concerning securing Offline CAs:
And this article explains how to properly maintain your Offline CAs:
Can you deploy PKI using PowerShell?
Yep. Check out the following PowerShell script by Vadims Podans, a Microsoft Most Valuable Professional (MVP) based in Latvia:
For more tips on how to manage Windows PKI using PowerShell, see Decrypt My World, the blog of Alejandro Campos Magencio who works as an Escalation Engineer for Microsoft Customer Service & Support in Spain:
And here's a link to the PKI PowerShell module on CodePlex:
Where can I find root certificate updates?
Microsoft releases updates for root certificates for Windows operating systems on their Windows Update site. Windows Vista and later automatically download and install new root certificates with no user intervention needed, for example when an application you run is presented with a certificate issued by a CA that is not trusted by any of the installed root certificates on your computer. This automatic updating of root certificates can also be turned off using Group Policy as this TechNet page explains:
If desired you can also download root certificates updates directly from the Microsoft Update Catalog site here:
You might choose to do this for a couple of reasons, for example:
- If automatically updating root certificates has caused problems in the past, and you instead want to manually update your Windows computers using Windows Server Update Services (WSUS).
- If you are deploying new Windows 7 computers using a somewhat old reference image, you could download the latest root certificate update, use the Deployment Image Servicing and Management (DISM.exe) tool to apply the update (.msu file) to the offline image (.wim file), and then deploy the reference image to your target computers which will then have the latest root certificates installed in their local certificate store.
To download root certificates updates from the Microsoft Update Catalog, simply go to the page linked to above, type root certificate updates in the Search box and press Enter, then click Add to add the update you want to download to your basket. When you're finished adding updates, click View Basket and then click Download. For more information about an update, click on it to display the Update Details page for the update, then click the support link under More Information to open the Microsoft Knowledge Base article for the update.
For help on how to apply an update to a Windows image using Dism, see this MSDN article:
Also see Part 2 of my series Deploying Windows 7 on WindowsNetworking.com for more info on using Dism:
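The offline-servicing step described above, as an added example that is not part of the original newsletter: it mounts the reference image, applies the downloaded update, and commits only if servicing succeeded. All paths and file names are placeholders, and checking the package signature first is an added precaution because the update changes the image's trusted roots.

```powershell
# Added example. Run from an elevated PowerShell prompt on a machine with DISM.
# Every path and file name below is a placeholder, not a value from the newsletter.
$WimFile  = 'D:\Images\reference.wim'          # placeholder: reference image
$Index    = 1                                  # placeholder: image index inside the .wim
$MountDir = 'D:\Mount'                         # placeholder: empty folder used as mount point
$Update   = 'D:\Updates\rootcert-update.msu'   # placeholder: update from the Update Catalog

function Invoke-Dism {
    # Run dism.exe with the given arguments and throw on a non-zero exit code.
    param([string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

foreach ($path in $WimFile, $Update) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Missing file: $path" }
}
if (-not (Test-Path -LiteralPath $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
if (Get-ChildItem -LiteralPath $MountDir -Force) { throw "Mount directory is not empty: $MountDir" }

# The package adds trust anchors to every machine built from this image,
# so refuse anything whose Authenticode signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $Update
if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${Update}: $($sig.Status)" }
Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"

Invoke-Dism @('/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir")
try {
    Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$Update")
    # List the packages in the offline image so the addition can be confirmed.
    Invoke-Dism @("/Image:$MountDir", '/Get-Packages')
    $commit = $true
} catch {
    $commit = $false
    Write-Warning $_.Exception.Message
}

# Save the change only when servicing succeeded; otherwise leave the .wim untouched.
$mode = if ($commit) { '/Commit' } else { '/Discard' }
Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", $mode)
```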
Share your expertise!
Got any tips, gotchas or stories to share with our readers concerning deploying and managing a Windows Server PKI solution, managing root certificates on Windows computers, or any other related topics? Send them to us at [email protected]
Tip of the Week
Here's a quick tip on how to restart a service when a specific event is logged in the event logs. Let's say for example that you want to restart a service such as the SQL Server service when an event with a specific event ID is logged in the Windows event logs. You can do this as follows:
- Open Event Viewer and navigate to the log that contains the event you want to associate with a task.
- Right-click the event and select Attach Task To This Event.
- Walk through the Create Basic Task Wizard to create the new task.
- Create a simple batch file with sc stop service_name and sc start service_name.
- Open the task you just created and edit it so that the action it performs is to run the batch file.
- Edit the task to specify the event ID needed to trigger the task.
- Save the changes to the task.
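A command-line equivalent of the steps above, as an added example that is not part of the original tip: it writes the batch file and registers the event-triggered task with schtasks.exe instead of Event Viewer. The service name, log, event ID and folder are placeholders; the wait loop and the folder permissions are additions, because sc stop returns before the service has finished stopping and the task is assumed here to run as SYSTEM.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Service name, log, event ID and paths are placeholders, not values from the newsletter.
$ServiceName = 'MSSQLSERVER'        # placeholder: service to restart
$LogName     = 'Application'        # placeholder: log that receives the trigger event
$EventId     = 9999                 # placeholder: constructed event ID
$ScriptDir   = 'C:\AdminScripts'    # placeholder: no spaces, so /TR needs no nested quotes
$BatchPath   = Join-Path $ScriptDir 'restart-service.cmd'
$TaskName    = 'Restart service on event'

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# The task runs as SYSTEM, so anyone who can edit the batch file can run code as SYSTEM.
# Allow only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) on the folder.
& icacls.exe $ScriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Batch file: stop the service, wait until it reports STOPPED (up to 30 tries), then start it.
$batch = @"
@echo off
sc stop "$ServiceName"
set tries=0
:wait
sc query "$ServiceName" | find "STOPPED" >nul && goto begin
set /a tries+=1
if %tries% geq 30 exit /b 1
ping -n 3 127.0.0.1 >nul
goto wait
:begin
sc start "$ServiceName"
"@
Set-Content -LiteralPath $BatchPath -Value $batch -Encoding ASCII

# Event trigger: an XPath query on the chosen log that matches the event ID.
$query = "*[System[(EventID=$EventId)]]"
& schtasks.exe /Create /TN $TaskName /TR $BatchPath /SC ONEVENT /EC $LogName /MO $query /RU SYSTEM /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Show the registered task so the trigger and action can be reviewed.
& schtasks.exe /Query /TN $TaskName /V /FO LIST
```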
Got any tips to recommend to our readers? Let us know at [email protected]
Recommended for Learning
This week we have a couple of books on Windows security forensics from Syngress:
Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 (Syngress) is the third edition of this popular digital forensics book, which demonstrates in detail how you can extract user activity data from computers running Windows 7 and earlier versions. Unlike many books that have been updated for Windows 7, the author of this title has taken care to make sure new features of Windows 7 are thoroughly covered. The writing style is also lively and entertaining, which makes the book easy to learn from. Strong recommend for Windows security enthusiasts.
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry (Syngress) is a companion volume to the previous title and demonstrates how to find and analyze evidence within the registry using various tools and procedures. The book includes some detailed case studies plus a CD with some Perl scripts the author has written.
Quote of the Week
"If you are not passionate about your work, every day will be a Monday." --Dana Epp, an IP pro based in Vancouver, Canada
That insightful quote was taken from Dana's Facebook page at:
Dana is a partner at Scorpion Software, a company that provides robust password management, two-factor authentication (2FA) and single sign-on (SSO) solutions for IT Service Providers and IT departments of small to midsized businesses. I highly recommend their company blog, especially Dana's ongoing video series titled Crack the Cred:
Until next week,
Admin Tools We Think You Shouldn't Be Without
Register for a SpamTitan on-line demo, 99.97 % plus catch rate, double AV, affordable price.
New Top 10 free tools for IT pros. Audit changes in AD, GPO, file servers and mailboxes; manage passwords and event log; monitor processes; etc.
Download a free, fully functioning 30-day trial of Patch Manager from SolarWinds and leverage your existing WSUS and System Center Configuration Manager (SCCM) deployments.
Using Microsoft Hyper-V? Altaro Hyper-V Backup Freeware Edition is an easy to use Hyper-V aware backup solution. Watch YouTube Video.
Mount and analyze ISO, VHD and other files using this free tool:
Mount downloaded ISOs of CD/DVD images using this free tool:
- Microsoft TechEd North America 2012 on June 11-14, 2012 in Orlando, USA:
- Microsoft Worldwide Partner Conference on July 8-12, 2012 in Toronto, Canada:
- VMworld 2012 on August 27-30, 2012 in San Francisco, USA:
- Microsoft SharePoint Conference 2012 on Nov 12-15, 2012 in Las Vegas, USA.
- Microsoft TechEd Europe 2012 on June 26-29, 2012 in Amsterdam, Netherlands:
- VMworld 2012 on October 9-11, 2012 in Barcelona, Spain:
- Microsoft Australia Partner Conference 2012 on Sept 4-6, 2012 in Brisbane, Australia:
Add your event
Contact Michael Vella at [email protected] to get your conference or other event listed in our Events Calendar.
Federal Cloud Integration: Getting from Here to Where You Want to Be
In this session, attendees will learn how solutions such as VMware vCenter Operations, vCenter Orchestrator, and others enable Federal agencies to leverage existing investments in their evolution to the cloud.
This Week's Webcasts
- Tuesday June 5 - TechNet Webcast: Bare Metal to Private Cloud (Part 3 of 8): Clustering Hyper-V and Installing a Highly Available Virtual Machine Manager Cluster (Level 200)
- Thursday June 7 - TechNet Webcast: Bare Metal to Private Cloud (Part 3 of 8): Clustering Hyper-V and Installing a Highly Available Virtual Machine Manager Cluster (Level 200)
- Friday June 8 - TechNet Webcast: The Baker's Dozen: What's New in SQL Server 2012 (Part 12 of 13)—What's New in SQL Server 2012 Reporting Services Integration with SharePoint 2010 (Level 200)
Register for Webcasts
Add your Webcast
Contact Michael Vella at [email protected] to get your webcast listed in our Webcasts Calendar.
HP ProLiant Gen8 Tech Day 1 – Customer Inspired Innovation
From Hyper-V.NY comes some insights from HP for server and storage admins:
Evolving the Start menu
Get used to it: the old Start menu isn't coming back. From the Building Windows 8 blog a few months back if you haven't read it yet:
Group Policy Settings Reference for Windows and Windows Server
Now includes Windows Server 8 Beta and Windows 8 Consumer Preview:
Connect your Android device to SkyDrive with OneNote and other apps
From the Windows Blog comes this walkthrough on how to make your files automatically available across Windows devices while also being accessible on Android devices:
Quick Rule Creation in Outlook 2010
A quick tip from the Outlook Blog for heavy email users, especially if you subscribe to a lot of mailing lists:
DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?
The Ask Premier Field Engineering (PFE) Platforms blog shows us how to use Windows PowerShell to configure Microsoft DHCP servers to dynamically register A and PTR records in DNS on behalf of DHCP clients:
How to Hold a Confidential Print Job at a Shared Printer
An oldie but still a goodie: a printing tip from 404 Tech Support:
Windows Server News
An open dialog on open source cloud
Open source cloud software has its share of advantages and downsides. In this expert tip hear from industry analyst Bill Claybrook as he discusses the market, what companies of all sizes should consider when looking to build an open source cloud and which vendors have the most influence at the moment.
Getting users involved in VDI testing
Now that you have your VDI project under way, you need to test the deployment's performance. VDI testing should involve one of the most important parts of your project: the users who will actually be using the virtual desktops.
VDI project pilot guide
There's a first time for everything. For your VDI pilot project, consider product options, know what to avoid and learn from the success -- and failure -- of others. Access this VDI project pilot guide to ensure a successful implementation.
Streamlining multi-hypervisor management with ease
As the number of heterogeneous virtualization environments continues to rise, so does the need for multi-hypervisor management tools and skills. Now, more than ever, it would be wise for virtualization administrators to learn how to manage and troubleshoot multiple virtualization platforms. Learn how in this featured tip.
WServerNews FAVE Links
This Week's Links We Like. Tips, Hints And Fun Stuff
Got $259,500? How about an amphibious sports car:
How to create infinite energy using the “Buttered Cat Paradox” - Toast always falls on the buttered side and cats always land on their feet:
Don't watch this if you are afraid of heights! The bridge to Russky Island will be the world's largest cable-stayed bridge with a total length of 10,200 ft when it opens in June 2012:
An entirely new way to interact with your computer - more accurate than a mouse, as reliable as a keyboard and more sensitive than a touchscreen:
Honda re-invented the wheel with its battery-powered, two-wheeled mobility device that allows the rider to control speed, move in any direction, turn and stop, all simply by shifting his or her weight:
The amazing "The Baronton Sisters" from France perform on The Ed Sullivan Show on February 2, 1969:
WServerNews - Product of the Week
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.