CAWeb Enrollment error 403.14

A short blogpost about my PKI/IIS challenge today

idefixwiki

The Certification Authority Web Enrollment is the webpage where you can log on to request certificates or download CRLs from your CA. One of my challenges today was that a newly installed issuing CA was unable to configure the Web Enrollment webpage correctly. No matter what I did I always got the “403.14 – Forbidden” error.

After quite a bit of troubleshooting, including removing and re-adding roles using both Server Manager and PowerShell with reboots between the steps, I was no closer to a solution. One of my Google searches led me to http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_26623918.html where the suggestion is to check that default.asp is located in the path C:\Windows\System32\CertSrv\en-US.

I had the file and everything there was correct, but that led me to check the path of the website itself. For some reason IIS kept linking the /certsrv site to C:\Windows\System32\CertSrv, which is the parent folder, so as soon as I changed the path from C:\Windows\System32\CertSrv to C:\Windows\System32\CertSrv\en-US in IIS…

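A check for the condition described in the post, added here and not part of the original post or of the CA role: IIS returns 403.14 ("directory listing denied") when the configured folder has no default document, which is exactly what happens when /certsrv points at the parent CertSrv folder instead of the locale folder holding default.asp. It assumes the WebAdministration module, the site name 'Default Web Site', the application name 'CertSrv' and the en-US locale folder from the post.

```powershell
Import-Module WebAdministration

function Test-CertSrvPath {
    param(
        [string]$Site    = 'Default Web Site',   # assumption: CA web enrollment lives on the default site
        [string]$App     = 'CertSrv',
        [string]$Culture = 'en-US',              # locale folder that contains default.asp
        [switch]$Fix                             # repoint IIS at the locale folder if it is wrong
    )
    $expected = Join-Path $env:SystemRoot "System32\CertSrv\$Culture"
    $node     = Get-Item "IIS:\Sites\$Site\$App"
    # IIS may store the path with %SystemRoot% unexpanded, so expand it before comparing
    $current  = [Environment]::ExpandEnvironmentVariables($node.physicalPath)
    $ok       = ($current.TrimEnd('\') -ieq $expected)

    if (-not $ok -and $Fix) {
        # the change the post describes: parent folder CertSrv -> CertSrv\<locale>
        Set-ItemProperty -Path "IIS:\Sites\$Site\$App" -Name physicalPath -Value $expected
        $current = $expected
        $ok      = $true
    }

    [pscustomobject]@{
        ConfiguredPath  = $current
        ExpectedPath    = $expected
        PathMatches     = $ok
        # a missing default.asp in the configured folder is what produces 403.14
        DefaultAspFound = Test-Path (Join-Path $current 'default.asp')
    }
}

Test-CertSrvPath   # run with -Fix to apply the correction
```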

Active Directory disaster recovery with Windows Server Backup

Hello.

Earlier I wrote a post on how to backup and restore objects in Active Directory with Windows Server Backup here: https://pertorben.wordpress.com/2013/04/15/active-directory-backup-and-restore/

Here I used the command wbadmin start systemstatebackup -backuptarget:(path) to perform a system state backup on a domain controller and use Directory Service Restore Mode (DSRM) to recover deleted items, as was explained on Microsoft Technet. However there is one drawback to this method, and it’s that you can’t perform a disaster recovery of your AD using this backup, and by disaster recovery I mean that all of your servers are completely gone and you have nothing left except your backups. If you try to use a complete server restore with this backup, this is as far as you will get.

(Screenshot: Disaster Recovery error)

So in order to do a disaster recovery you need a backup that supports this. With wbadmin you can run

wbadmin start backup -allcritical -systemstate -vssfull -backuptarget:(path)

With this backup you can boot a blank server from the 2012 R2 install media and select Repair your computer. Choose image restore and it should detect your backup if it’s available.

(Screenshot: DR_AD_OK)

After the restore you have a complete server restored from the point in time at which the backup was taken. From here you can seize any FSMO roles if you need to, and then start promoting more domain controllers. In a disaster recovery scenario I would rather promote new domain controllers than run a restore on every single domain controller. Note that your NIC will most likely be reset to defaults on the restored server, so you may need to set the correct IP address again.

So the big question now is: Can you use this backup procedure to restore a deleted object in AD, instead of doing a complete disaster recovery? The answer is yes. You don’t need to have two backups (one of AD and one for disaster recovery). All you need is the backup from this post; then follow the procedure from the post I linked at the top to restore deleted objects in AD.

Import missing VM into Hyper-V

I want to share a little story which once again proved to me how much easier IT is when you learn a little PowerShell.

I recently had an outage on my Hyper-V server (Windows 10 server build 9841, btw) which holds my lab environment at home. The server lost connection with an SSD drive (E:\) containing almost 15 VMs, but this was luckily fixed by reattaching the SATA cable to the drive.

However, when the server booted and my E:\ drive had returned, all the VMs on the drive were missing, both in the Hyper-V management console and in PowerShell when I ran “Get-VM”. The files and VHDs were intact, so it was only a matter of importing them into Hyper-V.

So here I had two choices:

  1. Import the VMs one by one in a 5-click wizard
  2. Import the VMs with Powershell

After fiddling around with sending the configuration files for each VM into a foreach loop, and still not making it work, I tried something simpler. All I needed was a one-liner which listed the config files and piped them into the Import-VM cmdlet. The following line imported all the VMs on my E: drive into Hyper-V, and I could start the VMs with no need to change any kind of configuration.

Get-ChildItem E:\Hyper-V -Recurse *.vmcx | Import-VM

Once again Powershell proves to be an amazing tool.
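A slightly more careful version of the one-liner above, added here and not the post's own code: it skips VMs Hyper-V already knows about, leaves out checkpoint configs, and reports a failed import instead of stopping at the first error. It assumes the Hyper-V module, the E:\Hyper-V folder from the post, and that each .vmcx file is named after its VM's GUID.

```powershell
function Import-MissingVM {
    param([string]$Root = 'E:\Hyper-V')   # assumption: same folder as in the post

    # VM ids Hyper-V already has registered; a VM's .vmcx file is named after its GUID
    $known = @(Get-VM | ForEach-Object { $_.Id.ToString() })

    $configs = Get-ChildItem -Path $Root -Recurse -Filter *.vmcx |
        # checkpoint configs live under Snapshots and cannot be imported on their own
        Where-Object { $_.DirectoryName -notmatch '\\Snapshots(\\|$)' }

    foreach ($cfg in $configs) {
        if ($known -contains $cfg.BaseName) {
            [pscustomobject]@{ Config = $cfg.FullName; Status = 'Already registered'; Name = $null }
            continue
        }
        try {
            # -Register keeps the files where they are, matching the one-liner above
            $vm = Import-VM -Path $cfg.FullName -Register -ErrorAction Stop
            [pscustomobject]@{ Config = $cfg.FullName; Status = 'Imported'; Name = $vm.Name }
        } catch {
            # report and carry on, so one broken config does not stop the rest
            [pscustomobject]@{ Config = $cfg.FullName; Status = "Failed: $($_.Exception.Message)"; Name = $null }
        }
    }
}

Import-MissingVM | Format-Table -AutoSize
```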

Preparing for Windows 9 with dualboot

As most of you know, Microsoft will announce Windows 9 on September 30th 2014, which is in 2 weeks as I write this. Now I am very excited about this product, and considering there hasn’t been any information about the new features yet, I predict a lot of testing when the technical preview (really Microsoft, just call it a beta) is released to the public.

So how do we test this new operating system?

The initial thought is to use a hypervisor, like Hyper-V, and create VMs with Win9 on them, but in my opinion that really isn’t a very good way to try the client OS. Therefore I wanted to share my approach, which is to initially install Windows 9 on a VHDX file and set it up in a dual-boot configuration with the Windows 8.1 system I’m currently using. Unless I find something that tells me otherwise, Windows 9 will shortly be my main OS. There are 2 big advantages to running this in a VHDX with dual-boot instead of in a VM:

  1. You get a much truer test of how the OS will run on your hardware, since it actually reaches your physical hardware with the exception of the hard drive, which is virtual. I find this particularly important when testing a client OS.
  2. You can for all intents and purposes replace your current installation, but it is still very easy to fall back to it should something occur, or if you just have to get some files that you haven’t backed up or put in the cloud.

So now that I have convinced you all why this is a good idea, I will show you how to easily do it. In the procedure below I’m using Windows 8.1 to mimic the Windows 9 ISO, since it’s not available until 2 weeks from now.

There are 3 stages to getting a VHDX file in dual-boot with your existing 8.1 installation:

  1. Create a vhdx file
  2. Apply the new Windows image to the vhdx file
  3. Set up the boot configuration


Create the vhdx file.

Here I create a dynamically expanding 40GB vhdx file in the folder C:\boot on my C:\ drive.

Create the folder to store the vhdx file, C:\boot in this example.

Open an elevated command prompt and type the following:

diskpart
create vdisk file=c:\boot\win9.vhdx type=expandable maximum=40960
attach vdisk
list disk

Verify that the VHD is selected (marked by the star on the left), then continue:

create partition primary
format fs=ntfs quick
active
assign
exit

Now the vhdx file has a formatted and active partition; in this case it was mounted as E:


Apply the new Windows image to the vhdx file

Now that the vhdx file is ready, mount your newly downloaded Windows 9 ISO; in this case it’s mounted as D:

First you have to pick the SKU you want from the ISO. Note the name and index number from this command (again, Windows 8.1 is used in this example):

dism /get-imageinfo /imagefile=d:\sources\install.wim

(Screenshot: dism_find_index)

Now I see I can install either Windows 8.1 or Windows 8.1 Pro. Since I want 8.1 Pro, I must apply index 1 to my vhdx:

dism /apply-image /imagefile=d:\sources\install.wim /index:1 /applydir:e:\

Wait for the operation to complete.


Set up the boot configuration

The vhdx file is ready but not yet set up as a boot option on your computer, so we keep working in the elevated command prompt.
Add the vhdx to the boot menu:

bcdboot e:\windows

(Screenshot: bcdboot)

To check your boot configuration:

bcdedit /enum

(Screenshot: The boot configuration)

Notice that both entries have the same description, which is confusing, but the device line tells us which one is the vhdx file. Also, the vhdx file is now the default boot option.

If you want your current installation as the default boot option, then simply run

bcdedit /default {current}

And last, I want to change the description to tell them apart, which hopefully won’t be necessary with the genuine Windows 9 ISO. The GUID is the identifier of the vhdx entry shown by bcdedit /enum above.

bcdedit /set {b42c4225-3dc5-11e4-94b6-c190548f218f} description "Windows 9"

After you run bcdedit /enum again you should see something like this:

(Screenshot: bcdedit_displayname)

Finally we are ready to test this. Simply reboot your computer and you should see the new and improved boot menu from Windows 8.1.

(Screenshot: The boot menu)

Make sure you check out “Change defaults or choose other options”, lots of neat stuff there.
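The three stages above as one script, added here as an example rather than the post's own procedure. It assumes the same paths as the post (C:\boot\win9.vhdx, ISO mounted as D:, free drive letter E:) and the DISM PowerShell module; it picks the edition by name instead of a hard-coded index, and finds the new boot entry's GUID in the bcdedit output instead of copying it from the screen.

```powershell
$VhdPath  = 'C:\boot\win9.vhdx'       # assumption: same path as in the post
$Wim      = 'D:\sources\install.wim'  # assumption: ISO mounted as D:
$VhdDrive = 'E'                       # assumption: free drive letter for the VHDX
$Edition  = '*Pro'                    # pick the SKU by name rather than by index number

# Stage 1: create, attach, partition and format the VHDX with a diskpart script
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
$dpScript = Join-Path $env:TEMP 'make-vhd.txt'
@"
create vdisk file=$VhdPath type=expandable maximum=40960
attach vdisk
create partition primary
format fs=ntfs quick
active
assign letter=$VhdDrive
"@ | Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null

# Stage 2: look up the index of the wanted edition, then apply it to the VHDX
$image = Get-WindowsImage -ImagePath $Wim |
         Where-Object ImageName -like $Edition | Select-Object -First 1
if (-not $image) { throw "No edition matching '$Edition' found in $Wim" }
Expand-WindowsImage -ImagePath $Wim -Index $image.ImageIndex -ApplyPath "${VhdDrive}:\" | Out-Null

# Stage 3: add the boot entry and keep the existing installation as default
bcdboot "${VhdDrive}:\Windows" | Out-Null
bcdedit /default '{current}' | Out-Null

# bcdedit /enum prints one blank-line-separated block per entry; the VHDX entry is
# the block whose device line names the vhdx file, and its identifier is the GUID
$block = ((bcdedit /enum) -join "`n") -split "`n\s*`n" |
         Where-Object { $_ -match [regex]::Escape((Split-Path $VhdPath -Leaf)) } |
         Select-Object -First 1
if ($block -match 'identifier\s+(\{[0-9a-fA-F-]+\})') {
    $id = $Matches[1]
    bcdedit /set $id description 'Windows 9' | Out-Null   # rename so the entries differ
}
```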

Final words: Yes, I am perfectly aware of all the tools that can do this for you, but you won’t improve your skills in diskpart, dism and bcdedit by using those tools. The best way to improve at something is to work with it.

Display disabled and inactive users and computers

This little script will query your AD and display disabled computers, inactive computers, disabled users and inactive users. Inactive in this example means 365 days since last logon.

# Needs the ActiveDirectory module (RSAT); read-only queries, so no admin rights required
$LastYear = (Get-Date).AddDays(-365)
$AllDisabledComputers = Get-ADComputer -Filter 'Enabled -eq $False'
$AllDisabledUsers = Get-ADUser -Filter 'Enabled -eq $False'
# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag the
# real last logon by up to 14 days; for a one-year cutoff that is close enough
$AllEnabledUnusedComputers = Get-ADComputer -Filter 'Enabled -eq $True' -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt $LastYear}
$AllEnabledInactiveUsers = Get-ADUser -Filter 'Enabled -eq $True' -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt $LastYear}
# @() makes .Count correct when a query returns zero or exactly one object
Write-Host "Total disabled computers:" @($AllDisabledComputers).Count
Write-Host "Total enabled computers, logon more than one year old:" @($AllEnabledUnusedComputers).Count
Write-Host "Total disabled users:" @($AllDisabledUsers).Count
Write-Host "Total enabled inactive users:" @($AllEnabledInactiveUsers).Count

This script does not require any admin permissions by default. Honorable mention for this script goes to Bjørn Wang.

Do I need WINS?

WINS is a feature that I’ve debated a little recently. There is a lot of uncertainty about the role WINS has (or would have) in a modern Windows infrastructure. Let’s start at the beginning.

NETBIOS

NETBIOS is strictly speaking an API (and not a network protocol) which allows you to assign a name to a computer which has an IP address. The NETBIOS name has no relation to the hostname (DNS), and nothing prevents a host from having a completely different NETBIOS name and hostname. The NETBIOS name is limited to 15 characters and provides no hierarchy. There are four types of nodes, which tell you how NETBIOS names are resolved to IP addresses.

  • B-node: 0x01 Broadcast
  • P-node: 0x02 Peer (WINS only)
  • M-node: 0x04 Mixed (first broadcast, then WINS)
  • H-node: 0x08 Hybrid (first WINS, then broadcast)

If you run “ipconfig /all” on your computer, then “Node type” near the top will tell you which node type your computer has. As you can see, it either looks up names in a WINS database or does a broadcast, or both, depending on the node type.

WINS

WINS can in many ways be compared to a DNS server, as WINS contains a list of all NETBIOS clients and their IP addresses; the list can be dynamically updated and its content can be replicated to several servers by setting up push and/or pull replication. But unlike DNS, NETBIOS and WINS are not required for internet access.

So do I need WINS?

Short answer: No you don’t need WINS (nothing will break if you don’t implement it), but you may want to consider it.

Longer answer: The importance of WINS has been greatly reduced over the last decade. In the old NT4 days it was absolutely crucial; today it can be implemented to reduce broadcast traffic. Your benefit from WINS depends very heavily on your environment (OS version on your clients, network segmenting, bandwidth etc). A VDI environment with Windows XP (yes, they exist) is a good candidate for where WINS can help. I see however few reasons not to implement WINS, as it requires hardly any resources and can reduce your broadcast traffic. The other option is to disable NETBIOS over TCP/IP, but you run a risk of breaking quite a few services. File and printer shares need NETBIOS, and a large number of 3rd party applications will also stop working. If you want to disable NETBIOS then make sure you do a lot of research first.
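An inventory script to go with the node-type list and the "ipconfig /all" check above, added here and not part of the original post: it reads the node type from the NetBT parameters registry key (NodeType when set locally, DhcpNodeType when handed out by DHCP) and lists, per adapter, whether NETBIOS over TCP/IP is enabled and which WINS servers are configured, so you can see which hosts still resolve names by broadcast before deciding on WINS or on disabling NETBIOS.

```powershell
function Get-NetBiosNodeType {
    # node type codes as listed in the post
    $names = @{ 1 = 'B-node (broadcast)';             2 = 'P-node (WINS only)';
                4 = 'M-node (broadcast, then WINS)';   8 = 'H-node (WINS, then broadcast)' }
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    # a locally set NodeType wins over the DHCP-supplied one
    $code = if ($null -ne $p.NodeType) { $p.NodeType } else { $p.DhcpNodeType }
    if ($null -eq $code) {
        return 'Not set (Windows then uses B-node, or H-node once a WINS server is configured)'
    }
    if ($names.ContainsKey([int]$code)) { $names[[int]$code] } else { "Unknown node type code $code" }
}

function Get-NetBiosAdapterConfig {
    # TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled
    $opt = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter        = $_.Description
                NetBiosOverTcp = $opt[[int]$_.TcpipNetbiosOptions]
                WinsPrimary    = $_.WINSPrimaryServer    # empty means no WINS server
                WinsSecondary  = $_.WINSSecondaryServer
            }
        }
}

"Node type: $(Get-NetBiosNodeType)"
Get-NetBiosAdapterConfig | Format-Table -AutoSize
```

A B-node or M-node result with empty WINS columns means every name lookup that misses DNS goes out as a broadcast, which is the traffic the post says WINS can reduce.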