Set the DSConfigDN for Standalone Root CAs
Are you setting up a new PKI implementation in your organization? Are you using a Standalone Root CA with an Enterprise Subordinate CA? If so, don’t forget to properly set the DSConfigDN attribute for your Standalone Root CA (since it can’t read or write in AD!). If you do forget to do this and then you install your Enterprise Subordinate CA…well, you’ll be unhappy and end up having to uninstall and then reinstall that Enterprise Subordinate CA after making this change or reissue it’s certificate after making this change. (honestly, the uninstall and reinstall is a cleaner approach if you need to fix this problem).
To properly set the DSConfigDN attribute on the Standalone CA:
- From an administrative command prompt, enter the following command to set the Configuration container DN for the Root CA.
certutil -setreg ca\DSConfigDN “CN=Configuration,DC=mycompany,DC=local” - You should get the following output back:
- SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ROOTCANAME\DSConfigDN:
- NewValue: DSConfigDN REG_SZ = CN=Configuration,DC=mycomapny,DC=local
- CertUtil -setreg command completed successfully.
- The CertSvc service may need to be restarted for changes to take effect.
- Stop and then start the Active Directory Certificate Services service as required. This can be done from the command prompt, the Services console or the CA console.
The change looks like that seen in the figure below when viewed in the Registry Editor.
Adding 32-bit print drivers to 64-bit print server
This is one of those issues that I just can’t figure out why Microsoft did not include both 32-bit and 64-bit print drivers on the media for Windows Server 2008. Or maybe as a download pack or something. The trend is definitely to use 64-bit servers (no other choice if you’re using Windows Server 2008 R2 or newer), but many client workstations are going to be 32-bit for years to come. Anyhow…if you have a 64-bit print server and need those 32-bit print drivers, see below. (Or vice versa, 32-bit print server serving up print queues to 64-bit workstations).
Step 1: Share a print queue out on the 64-bit print server
- Login with local administrative permissions to the Windows Server 2008 64-bit print server.
- Add a new printer, name it, share it, add to the directory, etc. (You should be using the Print Management Console to manage your printers!)
At this point you have a new shared print queue with 64-bit drivers.
Step 2: Add the 32-bit drivers
- Login with local administrative permissions to a Windows Server 2008 32-bit server. (For best results always use the EXACT SAME OS VERSION AND SP LEVEL here, though you can possibly do this from a fully up to date Windows 7 or Windows Vista workstation)
- Browse to the 64-bit print server by UNC path, i.e. \\PrintServer.
- Click on the Printers folder (or just include that in your UNC path above).
- Right-click a shared printer and select Properties from the context menu.
- Click on the Sharing tab.
- Click the Additional Drivers button.
- Check the x86 Type 3 - User Mode box.
- Click OK, install the drivers.
- Close all open windows.
Done.
Adapted from TechNet social discussion.
Windows Update error 80072F78 in Windows Server 2008
Although I haven’t actually found the exact cause (and thus the solution), I’ve run across problems using Symantec Endpoint Protection (i.e. Symantec Corporate 11.0) on Windows Server 2008. It seems that something in the protection configuration in the Symantec product is blocking Windows Updates. You’d get the error code 80072F78 and no updates.
Uninstalling version 11 and moving back to version 10.2 allows Windows Updates to be performed again, although I’m not sure yet what the real issue is or how to fix it. Anyone else run across this?
Update 2/20/2009: This may be the solution, though I’ve not tried it.
-
Translator
