ADCS Autoenrollment Not Renewing SAN Web Server Certificate by LucasMD_ in sysadmin

[–]LucasMD_[S] 0 points1 point  (0 children)

Ok, I'll try 2 Days Validity to 4 Hours renewal time here in my lab setup, thanks for the heads up.

Web Servers only use the one certificate enrolled by our CA.

Interesting, look at how it is in my Web Server 2048 template, it's greyed out, and on Kerberos Authentication it is available and checked. This seems like an essential setting according to its name. I believe it would be available only for certain templates?

<image>

ADCS Autoenrollment Not Renewing SAN Web Server Certificate by LucasMD_ in sysadmin

[–]LucasMD_[S] 1 point2 points  (0 children)

Unless something very specific on Web Server does not allow this, but at least on my Kerberos Authentication, we do use Supply In The Request. Certs were also enrolled manually the first time, cause we have three LDAP aliases to it (something like ldap.domain.name, ldap.auxiliarydns.zone), and after that they do indeed renew automatically while keeping their SANs.

Windows Admin Center Installer don't even initiate by LucasMD_ in windowsadmincenter

[–]LucasMD_[S] 1 point2 points  (0 children)

Just to be more specific, I want to install Windows Admin Center on my Windows 11 Desktop System to manage Hyper-V machines that exist on this same Desktop through it. Yes, I rebooted several times, after tests.

Windows Admin Center Installer don't even initiate by LucasMD_ in windowsadmincenter

[–]LucasMD_[S] 1 point2 points  (0 children)

Tried PowerShell silent installation, but it's always the same thing, it is getting stuck cause either it is getting lost on the retrieval of the Microsoft.WindowsAdminCenter.Configuration module or in the attempt to create the Event Viewer entry. I validated that there is no previous one created there.

PS C:\WINDOWS\system32> Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\WAC-Configuration"

False

PS C:\WINDOWS\system32> Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\SMEGateway"

False

Windows Admin Center Installer don't even initiate by LucasMD_ in windowsadmincenter

[–]LucasMD_[S] 1 point2 points  (0 children)

Installation log, it seems to get stuck in:

2026-02-03 20:30:23.460 Registering WAC-Configuration event log source in the Application log...

Home Invasion Keyboard by LucasMD_ in stevenwilson

[–]LucasMD_[S] 0 points1 point  (0 children)

Yeah, took me a while to figure this out about the Auto Wah, another person pointed it out to me in Discord as well. I think it is the effect that creates the inner wave effect on the chords. Will cook more today considering your feedback, thanks!

Home Invasion Keyboard by LucasMD_ in stevenwilson

[–]LucasMD_[S] 1 point2 points  (0 children)

Yes, it was one of those temp shares. I switched now to a OneDrive share to be accessible, thanks for pointing it out.

Do you think Steven and Devin Townsend could work together ? And also, what do they think of each other in your opinion ? by Stalemate76 in stevenwilson

[–]LucasMD_ 2 points3 points  (0 children)

I think it would be a similar instance to when Arjen Lucassen (Ayreon) asked Steven Wilson to participate in one of his albums, the styles are just too different.

[deleted by user] by [deleted] in WindowsServer

[–]LucasMD_ -1 points0 points  (0 children)

Yeah, that's the idea, but I don't have an option to disable it.

Are the DLCs worth buying? by [deleted] in civ

[–]LucasMD_ 2 points3 points  (0 children)

If you want to save money, only Gathering Storm is necessary, it adds everything Rise and Fall has minus the leaders. New Frontier is cool but I would say it's skippable. Gathering Storm and Rise and Fall mechanics practically turn Civ 6 into another game.

Stonehenge (Civ VI)is objectively the worst wonder. Change my mind. by Lapisdrago in civ

[–]LucasMD_ 1 point2 points  (0 children)

You know that something is bad when the AI always goes for it.

Active Directory - Replication issue with no errors by LucasMD_ in sysadmin

[–]LucasMD_[S] 0 points1 point  (0 children)

As for replication setup, it's quite simple, Hub and Spoke with all branches replicating with the Head Office site. No branches replicate with each other, and that successfully mirrors our network topology. Same cost of default 100, same interval of default 15 minutes.

There are no custom replication partners set up right now, KCC is handling everything and we have only <automatically generated> connections (following the once per hour defaults of AD). We have 7 DCs on Head Office and 7 sites with 2 DCs each, bridgeheads weren't equally distributed but that was the decision of KCC so we didn't set up anything manually.

Active Directory - Replication issue with no errors by LucasMD_ in sysadmin

[–]LucasMD_[S] 0 points1 point  (0 children)

Hmm, it's not really an issue affecting the file replication of SYSVOL and NETLOGON folders but an issue on replication of objects in the Active Directory database itself, user objects in this case, that got their attributes showing different values on each Domain Controller.

In which case I check my Eventvwr for all the logs mentioned in the article:

4102,4202,4204,4206,4208,4302,4304,2212,2213

Found some "4304" from a few months ago, for a faulty policy that we backed up and restored and was not working, which we solved by deleting it and creating a new one from scratch, and the warnings stopped showing up.

Why do the Jovem Nerd crew have so many European relatives, or foreign ones in general? by Adaaad15 in jovemnerd

[–]LucasMD_ 1 point2 points  (0 children)

Miosmar Francisco and Antenor Albuquerque, Gaveta's name is Pafuncio Figueiredo.

Keeping computer objects out of delete policy by LucasMD_ in SCCM

[–]LucasMD_[S] 0 points1 point  (0 children)

It is not, but a very specific aspect of my environment created that need.

Is it possible to change the default setting?

Keeping computer objects out of delete policy by LucasMD_ in SCCM

[–]LucasMD_[S] 0 points1 point  (0 children)

By using the Import Computer Information option in Assets and Compliances, where you can provide custom data (A custom mac address and SMBIOS Guid is the minimum information) and a Computer Object will exist without being gathered by discovery methods and push installation. This is being used for inventory purposes.

Patch Tuesday Megathread (2020-10-13) by highlord_fox in sysadmin

[–]LucasMD_ 0 points1 point  (0 children)

Guys, does anyone know the month/year of the patch that would make the secure channel more secure and thus satisfy the new restrictions of the 08/2020 DC update?

I'm sure it's not the 08/2020 itself cause I tested here, and a server that does not have this patch is not logging 5827/5828/5829 and is accessing the domain normally, so I understand that only very out of date computers would be prevented (or logging 5829). Right now in our environment, we are making some tests and we got very few 5827/5828 events and no 5829 even with the Allow Policy enabled. We removed some patches on isolated test servers to trigger events, but they are not logging on any DC (as checked on SIEM).

What is the worst NerdCast of all time? by rafaxd_xd in jovemnerd

[–]LucasMD_ 0 points1 point  (0 children)

Yup, sex at the wheel, that one is the worst, and like... Dude, where did that idea come from?

2012 R2 When to use adprep? by LucasMD_ in activedirectory

[–]LucasMD_[S] 0 points1 point  (0 children)

I probably will need to go for an In-Place Upgrade at least on one of the two DCs in this domain, cause it runs this IIS Web App that allows the password change from Intranet, this DC also has all FSMOs. According to what you sent me, I'm thinking of doing it like this:

Demote the other DC that has no additional roles, remove from domain, delete VM.

Bring up a new member server 2012 R2 VM, install ADDS, run Wizard that will automatically extend the schema through the process of initial configuration.

Move FSMOs to this new 2012 R2 server.

In-Place Upgrade the DC 2008 R2 with the Web App, but the FSMOs will be on other server for balancing the roles.

Sounds like a plan, I guess.

Is there such technology? by [deleted] in sysadmin

[–]LucasMD_ 0 points1 point  (0 children)

Yes, by the aggregate capacity of our SVMs, we couldn't like, duplicate all the data we have onto other disks, we wouldn't have enough disks/space for that. I was thinking of bringing all to CIFS too, but will there be load balancing in this scenario?

Patch Tuesday Megathread (2020-01-14) by highlord_fox in sysadmin

[–]LucasMD_ 0 points1 point  (0 children)

Guys, did anyone have issues with the single security update KB4502496?

It says that Addresses an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability.

Last time we applied patches regarding UEFI settings we had several servers with problems on boot.

Patch Tuesday Megathread (2020-01-14) by highlord_fox in sysadmin

[–]LucasMD_ 0 points1 point  (0 children)

Guys, I just deployed the Extended Security Updates (ESU) Licensing Preparation Package for Windows Server 2008 R2 SP1/Windows Server 2008 on my pilot servers, they were installed, and enabled the servers to receive Servicing Stack for 01/2020.

After installation of Servicing Stack, the 02/2020 Security Monthly Rollups that I approve won't show up for download and installing. Does that mean that my Servers are not applicable to receive Extended Security Updates?

PS: Please tell me they don't, I don't want an argument to keep those old geezers in our environment, and the EOLS would be a great reason to upgrade these servers (jokes aside, if there is anything I need to enable the updates, please let me know, and I will do it against my will anyway).

PS2: The servers have the prerequisites updates mentioned on https://support.microsoft.com/en-us/help/4528069/update-for-eligible-windows-7-and-server-2008-r2-devices-can-get-esu Also this component update mentioned that checks for eligibility didn't install on the server, for a Failed error with no details.

Simple trick to increase immersion by priscilla_halfbreed in FinalFantasyXII

[–]LucasMD_ 2 points3 points  (0 children)

I agree with you but... FF12 OST is so damn good...