Windows Tips & Tricks UPDATE, December 5, 2006

Windows Tips & Tricks UPDATE, December 5, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

NETWORK TESTING LABS COMPARES ARGENT TO MOM 2005
http://list.windowsitpro.com/t?ctl=CEED:380033

New On Demand Remote Access & Control
http://crossteccorp.com/ondemand/wp.html?utm_source=TandT1205&utm_medium=newsletter&utm_campaign=nod05

Sponsor: Argent

NETWORK TESTING LABS COMPARES ARGENT TO MOM 2005 Network Testing Labs, one of the world's leading independent research companies, concluded that "Argent's suite had a smaller footprint, was more scalable, supported more platforms, had a more responsive and intuitive user interface and gave us more useful reports," the report says. "Argent's suite of monitoring products emerged from our testing with flying colors." Download this FREE Comparison Paper now:
http://list.windowsitpro.com/t?ctl=CEED:380033

FAQs

Sponsor: CrossTec

New On Demand Remote Access & Control New NetOp On Demand Remote Control is the Internet-based solution that lets Help Desk reps connect to end users’ machines in seconds. No pre-installing software. No configuring firewalls. No monthly charges. Offers stringent security: 256-bit AES encryption, authentication, and more. End user downloads 650K file, gets remote help, then upon exiting, the file removes itself from the user’s computer. For cost-effectiveness, it is licensed per Help Desk rep, not per end user or session. Robust feature set results in quicker problem resolution and increased customer satisfaction. Read the whitepaper today!
http://crossteccorp.com/ondemand/wp.html?utm_source=TandT1205&utm_medium=newsletter&utm_campaign=nod05

FAQs

Q. How can I verify that my Windows Server 2003 Certificate Authority (CA) deployment is correctly configured?

A. Microsoft provides the PKI Health Tool (PKView.exe) as part of the Windows 2003 Resource Kit Tools (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en). PKView determines whether the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution point URLs are valid and reachable. The tool also determines whether the associated certificates are nearing expiration. To run PKIView, select Start, Run, and type pkiview.mscA Microsoft Management Console (MMC) instance will initiate. Select a CA to display the status of each CRL and AIA location, as Figure 1 shows. If you have more than one CA in your hierarchy, select each CA in turn to check the status of the whole hierarchy. The status field should display OK for all entries. If the publication point isn't correctly configured or the CA certificate or CRL isn't copied correctly to the publication point (i.e., missing), the status will show "Unable to Download." If the CA certificate or CRL is nearing expiration, the status column will display "Expiring."

Q. How do I enable HTTP Secure (HTTPS) traffic on my Microsoft Internet Information Systems (IIS) 6.0 Web server site by using my local forest Certificate Authority (CA)?

A. If you have Certificate Services installed in your Active Directory (AD) forest, enabling HTTPS traffic on a Web server is a simple exercise. To do so, perform these steps:

If you have concerns with this approach, you can use the Web-based enrollment method. (I know of people who were unable to get this auto enrollment process to work. Usually this occurs because firewall or server-side configuration issues on the certificate server prevent remote procedure call (RPC) from being available):

You can now click the Server Certificate button under the Directory Security of the Web site, then select "Assign an existing certificate" and select the installed certificate.

Q. How can I enable digital certificate autoenrollment in Windows Server 2003?

A. Autoenrollment is available to Windows 2003 and Windows XP domain members for version 2 certificate templates (which can be issued only by enterprise certificate authorities--CAs--running Windows 2003 Enterprise or Datacenter Edition). The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. A modification is made to Group Policy to initiate the process during a Group Policy refresh or interactive logon event. Make sure that the certificate templates to be configured for autoenrollment don't require user input because if they do, the autoenroll process will fail. In this example, we'll enable autoenrollment for certificates to be used for digital signatures and message encryption via Microsoft Office Outlook 2003:

Make sure you choose the copied template that you created and not the original (i.e., select Exchange User Custom, not Exchange User). The original template doesn't permit autoenroll. Next you need to enable the Group Policy for the autoenrollment. To do so, perform these steps:

When users next logon or have Group Policy applied, they should receive the certificates within 90 seconds. You can verify that users received the certificates by performing these steps:

You can check the Application event log for information related to autoenrollment on the client. (You can also view Failed Requests in the Certificate Authority MMC snap-in.) Figure 12 shows a failed autoenrollment from the client Application event log.

The failed autoenrollment occurred because the remote procedure call (RPC) server wasn't available on the CA that was running on Windows Server 2003 Enterprise Edition with Service Pack 1 (SP1) installed. Because the CA was enabled on the server after the Security Configuration Wizard (SCW) had been run, the services and ports needed by certificate servers weren't enabled. To resolve the problem, run the SCW (Start, Programs, Administrative Tools, Security Configuration Wizard) and enable the Certificate Server in the Select Server Roles section and the "Ports used by System RPC applications" option in the "Open Ports and Approve Applications" section.

To view the certificates that have been issued from a certificate server, expand the Issued Certificates branch of the Certification Authority MMC snap-in, as Figure 13 shows.

Be careful when using autoenrollment for the Exchange User certificate, which is used to encrypt messages when users log on to more than one machine and access mail. Messages are encrypted with a generated symmetric key (i.e., the key is used to both encrypt and decrypt the message) and the symmetric key is transmitted with the message encrypted with the recipient's public key. This means that only the recipient's private key can decrypt the symmetric key and thus decrypt the message.

The problem is that if you use autoenrollment and a user logs on to multiple machines, each machine will generate a new set of private and public keys for that user (because a separate profile is used on each machine). Thus, depending on which public key is used to encrypt a message, the recipient will be able to open the message only on the computer with the paired private key. On all other machines the corresponding private key is missing and the message is unreadable.

The solution is to store these certificates (private keys) on smart cards that travel with the user instead of on the machines or use roaming profiles so that the user always has the same profile and thus no additional certificate enrollments will take place.

With Windows 2003 and Windows Vista, Digital Identity Management Service (DIMS) enables credential roaming, in which the certificates and private keys are stored in AD, avoiding the problem. You can find more information about this problem at http://technet2.microsoft.com/WindowsServer/en/Library/d052e2b5-fd73-4bd0-8018-7713049463ee1033.mspx.

Q. How can I configure Microsoft Office Outlook 2003 for digital signatures and encryption?

A After a user has the certificates required for digital signatures and encryption installed, enabling them in Outlook is relatively simple. To do so, perform these steps:

When an Outlook user sends email, the client displays two buttons that enable digital signing and encryption of messages, as Figure 15 shows.

When a user receives a digitally signed message, the user will see a padlock and ribbon icon above the message body. You can view the signature validation by clicking the ribbon icon, as Figure 16 shows.

To enable encrypted messages to be sent, both sender and recipients need each others' public keys, so a digitally signed message must have been sent in advance and a reply sent from the recipient (which shares the public keys). If keys are published in Active Directory (AD), you can send encrypted messages to a recipient with no prior communication. If you don't have access to the recipient's public key, you'll receive an error message stating which recipients had missing or invalid certificates.

You might also see the error message if you're using Outlook 2003 in cached mode and you're trying to mail someone who only recently acquired public key infrastructure (PKI) services (within the past 24 hours). Outlook 2003 cached mode queries the Offline Address Book (OAB), which it only downloads every 24 hours. If you know the recipient does have a certificate, force a download of the latest copy of the OAB (Tools, Send/Receive, Download Address Book). You might also need to force a rebuild of the OAB on the Exchange server (which by default is updated each day at 4 A.M.) To force a rebuild, open Exchange System Manager (ESM), select Recipients, Offline Address Lists. Right-click Default Offline Address List and select Rebuild. You should perform this rebuild before downloading the OAB from the Outlook client.

As with digital signatures, if a message is encrypted, a padlock icon appears on the message header. Click the icon to display more information, as Figure 17 shows.

Q. How can I export and import my private keys from one machine to another?

A. By default, private keys are stored in the requesting user's or computer's certificate store. If you use multiple machines, you might want your private key on multiple machines. To do so, perform these steps:

Copy the export key file to another machine and perform the following steps to import the key:

By default, private keys are stored in the requesting user's or computer's certificate store. If you use multiple machines, you might want your private key on multiple machines. To do so, perform these steps:

Copy the export key file to another machine and perform the following steps to import the key:

Hot Release (advertisement)

Build a Superior Windows File Serving EnvironmentAs the number of file servers and associated storage has grown rapidly, IT organizations have faced multiple challenges related to manageability, scalability, fit within existing infrastructure, availability, utilization and cost. In this free white paper get the tools you need to provide a scalable, highly available CIFS file service using inexpensive, industry-standard servers that can be added to incrementally as demands require - while retaining the management simplicity of a single server and a single pool of exported file systems.
http://www.windowsitpro.com/whitepapers/polyserve/fileserving/index.cfm?code=TThot1205

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London, UK and Stockholm, Sweden at
http://www.windowsitpro.com/roadshows/sqlservereurope/index.cfm?code=1214emailannc

Get the tips and tricks you'll need to upgrade to Analysis Services 2005, including possible upgrade and migration scenarios, pre-planning steps, running the new Analysis Services migration wizard, and more. Plus discover what steps need to be completed after the migration process is complete and explore some of the new features of Analysis Services 2005.
http://www.windowsitpro.com/go/seminars/analysisservices/?partnerref=1214emailannc

tips you need to validate your disaster recovery data. You'll learn if your backup and restore data is worth staking your career on, what type of geo-clustering is right for you, which response to use in crisis situations, and more!
http://www.windowsitpro.com/go/seminars/disasterrecovery/?partnerref=1214emailannc

Subscribe today to Scripting Central and get a down-and-dirty technical, yet lighthearted look at scripts. You'll also get tools for and tips on how to write scripts for a variety of Windows applications, like Exchange and SQL Server. Sign up today!
http://www.windowsitpro.com/email

In this free guide learn what high availability really means and the different strategies that you can use to improve your email systems' availability and resiliency. Download this FREE guide now and get prepared to choose the appropriate solutions to protect your messaging data at the lowest cost; with the highest reliability.
http://www.windowsitpro.com/essential/index.cfm?code=1214emailannc

Featured White Paper
(from Windows IT Pro and its partners)

Having a mission-critical, data protection solution that is cost-effective, hardware independent and scalable is something every IT manager should consider. In this free white paper get all you need to know about ensuring data protection and high availability for Exchange. This is one paper you can't afford to miss! Get your copy today at:
http://www.windowsitpro.com/go/whitepapers/NSI/exchange?code=1214emailannc

Announcements
(from Windows IT Pro and its partners)

Get the Windows IT Pro Master CD and get portable, high-speed access to the entire Windows IT Pro article database on CD--that's a library of more than 9000 articles! The newest issue includes BONUS Windows IT Tips; sign up now, and you'll SAVE 25%. Offer ends 12/31/05, so take advantage of this holiday offer now.
https://store.pentontech.com/index.cfm?s=1&promocode=eu225cuc

Need answers to your tough Exchange questions? Subscribe to the Exchange & Outlook Administrator newsletter and SAVE up to $30 off the regular price. Each issue features tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Paid subscribers also get searchable access to the full online exchange article database (over 1000 articles). Order now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu235cue

Contact Us
Here's how to reach us with your comments and questions:

This email newsletter is brought to you by Windows IT Pro,the leading publication for IT professionals deploying Windows andrelated technologies. Subscribe today.
https://store.pentontech.com/index.cfm?s=1&promocode=eu205xxb