Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using Notepad, paste the following content into it and save it as request.inf.

; copy from here

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=myserver.microsoftguru.com.au" ; must be the FQDN of the domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE ; TRUE = private key is exportable
KeyLength = 2048 ; common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1 ; key exchange
KeyUsage = 0xA0 ; digital signature, key encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit the entire section if the CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; If your client operating system is Win2k8, Windows Vista or Win7,
; SANs can be included in the Extensions section by using the following text format.
; Note: 2.5.29.17 is the OID of the SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=Exchange1.microsoftguru.com.au&"
_continue_ = "dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&"
_continue_ = "url=http://myserver.microsoftguru.com.au&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=test@microsoftguru.com.au&"
_continue_ = "upn=test@microsoftguru.com.au&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
; Alternatively, you can create the SAN attribute using the script provided in the KB article.
; Use either the text format or the base64-encoded (DER) format of the SAN, for example:
; 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]
; Multiple alternative names must be separated by an ampersand (&).
; In this example two different SAN lines are shown to illustrate the name types. Use only one SAN line.
; The asterisk in *.yourdomainname.com.au is used for wildcard certificates.
SAN="dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130"
SAN="dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au"
CertificateTemplate = WebServer
; change the template name depending on your environment.
; remove the ";" comment lines from the request.inf file. file ends here.

Important Note: Some third-party certification authorities (for example, ISPs who sell SSL certificates) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the subject name (CN) in the request.inf file. For example: Subject="E=test@microsoftguru.com.au, CN=<FQDN of server>, OU=My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU". Amend request.inf as per your needs. For a standard certificate request you can omit the SAN, [Extensions] and [EnhancedKeyUsageExtension] sections.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:\request.inf c:\certnew.req

Then type the following command, and press ENTER:

certreq -submit c:\certnew.req c:\certnew.cer

If there is more than one CA in the environment, the -config switch can be used on the command line to direct the request to a specific CA (in the form CAHostName\CAName). If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config "DC.microsoftguru.com.au\MYCA" c:\certnew.req c:\certnew.cer

Use the Request ID number (shown when the request is submitted) to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:\certnew.cer

You can also use the -config switch here to retrieve the certificate from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:\certnew.cer

This command imports the certificate into the appropriate store and links it to the private key that was created by the certreq -new step.

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
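As an added example (not code from the original article), the following Python script converts the certreq {text} SAN form used in request.inf above into the base64 DER form that can be written as 2.5.29.17=<base64>, and decodes such a value back into names. Because EDITF_ATTRIBUTESUBJECTALTNAME2 makes the CA honour whatever SAN any requester supplies, decoding what a request actually carries before it is submitted or approved is a useful check; the script supports the dns, email, url, ipaddress and upn name types, while the dn, guid and oid entries shown in request.inf are not handled and raise an error.

```python
"""Encode and decode the SubjectAltName (OID 2.5.29.17) value used by certreq.

Added example, not code from the original page. It converts between the certreq
{text} form (dns=...&ipaddress=...&upn=...) and the base64 DER form that can be
written as 2.5.29.17=<base64> in request.inf, and decodes an existing value so
the names a request or certificate really carries can be reviewed.
"""
import base64
import ipaddress

# The encoded SAN value quoted in the request.inf comment on the page.
PAGE_SAN_B64 = "MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ=="

# GeneralName context-specific tags (RFC 5280) keyed by the certreq {text} keyword.
_TEXT_TO_TAG = {"email": 0x81, "dns": 0x82, "url": 0x86, "ipaddress": 0x87}
_TAG_TO_TEXT = {tag: kind for kind, tag in _TEXT_TO_TAG.items()}
# DER-encoded OID 1.3.6.1.4.1.311.20.2.3 (Microsoft User Principal Name otherName).
_UPN_OID = bytes.fromhex("060a2b060104018237140203")


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_text_san(text):
    """Split the certreq {text} form 'kind=value&kind=value&' into (kind, value) pairs."""
    pairs = []
    for item in text.strip().strip("&").split("&"):
        kind, _, value = item.partition("=")
        pairs.append((kind.strip().lower(), value.strip()))
    return pairs


def inf_text_lines(pairs):
    """Render pairs as the [Extensions] {text} lines used in request.inf."""
    return ['2.5.29.17 = "{text}"'] + [f'_continue_ = "{k}={v}&"' for k, v in pairs]


def encode_san(pairs):
    """Build the DER GeneralNames SEQUENCE and return it base64-encoded (the 2.5.29.17=... form)."""
    body = b""
    for kind, value in pairs:
        if kind == "upn":
            # otherName ::= [0] { type-id OID, value [0] EXPLICIT UTF8String }
            utf8 = _tlv(0x0C, value.encode("utf-8"))
            body += _tlv(0xA0, _UPN_OID + _tlv(0xA0, utf8))
        elif kind == "ipaddress":
            body += _tlv(0x87, ipaddress.ip_address(value).packed)  # raw address octets
        elif kind in _TEXT_TO_TAG:
            body += _tlv(_TEXT_TO_TAG[kind], value.encode("ascii"))  # IA5String
        else:
            raise ValueError(f"SAN type not supported by this encoder: {kind}")
    return base64.b64encode(_tlv(0x30, body)).decode("ascii")


def decode_san(b64):
    """Decode a base64 DER SAN value back into (kind, value) pairs; unknown types are kept raw."""
    der = base64.b64decode(b64)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("value is not a DER SEQUENCE of GeneralNames")
    pairs, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x87:
            pairs.append(("ipaddress", str(ipaddress.ip_address(val))))
        elif tag in _TAG_TO_TEXT:
            pairs.append((_TAG_TO_TEXT[tag], val.decode("ascii")))
        elif tag == 0xA0 and val.startswith(_UPN_OID):
            _, explicit, _ = _read_tlv(val, len(_UPN_OID))
            _, utf8, _ = _read_tlv(explicit, 0)
            pairs.append(("upn", utf8.decode("utf-8")))
        else:  # directoryName ([4]), registeredID ([8]) or another otherName: report raw hex
            pairs.append((f"tag{tag:#04x}", val.hex()))
    return pairs


if __name__ == "__main__":
    print(decode_san(PAGE_SAN_B64))
    # Constructed sample mirroring the page's RequestAttributes SAN line.
    names = parse_text_san("dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130")
    print("\n".join(inf_text_lines(names)))
    print("2.5.29.17=" + encode_san(names))
```

Running it decodes the value quoted in the request.inf comment above to the two dNSName entries www01.fabrikam.com and www.fabrikam.com.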

To repair a certificate

  1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

  2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

  3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

  4. Open a Command Prompt window, type certutil -repairstore My "{SerialNumber}" and then press ENTER.

How to enable secure certificate enrollment on the certification authority

Step 1: Create the request.inf file using the WebServer template.

Step 2: Generate a web server certificate request file (request.req) using certreq.exe:

certreq -new c:\request.inf c:\request.req

Step 3: Submit the request.req file using certreq.exe or the CA management console and save the issued certificate as certificate.cer.

Open the CA MMC > select the CA server > right-click the CA server > click All Tasks > Submit new request.

Point to the location c:\request.req and submit. You will be prompted to save the certificate.

Step 4: Import the certificate into the certification authority server.

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right-click Certificates and import the certificate you saved in the previous step.

Step 5: Open the IIS Management Console > select Default Web Site > click Bindings in the Actions pane > click Add > select HTTPS > select the certificate you imported in the previous step. Click OK.

Step 6: Run iisreset /restart from a command prompt.

Step 7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. Open Internet Explorer and connect to https://MYCA/certsrv.
  2. Click Request a certificate, and then click Advanced certificate request.
  3. In the Certificate Template list, click Web Server. Note: the CA must be configured to issue Web Server certificates.
  4. Provide identifying information as required.
  5. In the Name box, type the fully qualified domain name (FQDN) of the server.
  6. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024 – 16384
    • Automatic key container name
    • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

san:dns=dns.name[&dns=dns.name]

Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the aliases are autodiscover.microsoftguru.com.au and webmail.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string has the following form:

san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au

Click Submit. If you see the Certificate Issued web page, click Install this certificate.

My preferred way to request a certificate is to create a .req file as shown in the previous steps. Open the .req file in Notepad and copy its contents, then click Submit a certificate request by using a base-64-encoded file.

Paste the contents into the base-64-encoded request box, select the Web Server template and click Submit.

When prompted to obtain the certificate, click Yes.

To download the certificate together with the CA chain, click Download certificate chain (P7B format).

To download only the certificate, click Download certificate and save it.

How to configure a template with an exportable private key in the certification authority and export the private key

1. Open the CA MMC from Administrative Tools > right-click Certificate Templates > click Manage.

2. Select the WebServer template > right-click the WebServer template > click Duplicate Template > select the Windows Server 2003 or Windows Server 2008 template version > on the General tab, type the template name WebServer With Private Key.

3. Click the Request Handling tab > check Allow private key to be exported.

4. Click the Security tab > grant the appropriate permissions to the person who will enroll and export the certificates.

5. Click OK. Close the CA MMC.

6. Create a WebServer request.inf and create the request.req file.

7. Submit the WebServer request at https://myca/certsrv. Download and install the certificate.

To export a certificate with the private key

1. Open Certificate Manager by clicking the Start button > Search box > type certmgr.msc, and then press ENTER.

2. Go to Certificates - Current User\Personal\Certificates > select the certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in request.inf file and you have access to the private key.

4. Under Export File Format, do one or all of the following, and then click Next.

  • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
  • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import a certificate with its private key

  1. Click Start > Search box > type mmc and press ENTER > add the Certificates snap-in > select Computer account > click OK.

  2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

  3. Browse to the location where you exported the certificate > select the certificate > provide the password to import the certificate.

  4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell cmdlets are used to administer the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server "8" Beta.

  • Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
  • Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrollment Policy Web Service binaries.
  • Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
  • Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
  • Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
  • Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
  • Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or migration procedure for an Active Directory certification authority:

Moving a CA from one computer to a second computer involves the following procedures:

  • Backing up the CA on the first computer
  • Restoring the CA on the second computer

You must be a member of the Domain Admins security group to perform the following operations. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA, or move the CA first and then upgrade Windows.

  • To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
  • To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

  1. Open the Certification Authority snap-in.

  2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

  3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

  4. Type a password for the CA private key backup file, and type it a second time to confirm the password. Then click Finish.

  5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

  6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

  7. Back up the CA logs from the D:\Winnt\System32\Certlog folder. The backup must be restored to the same D:\Winnt\System32\Certlog folder; after you restore it, you can move the CA database files to a different location.

  8. In addition to the above steps, back up CAPolicy.inf. If your source CA is using a custom CAPolicy.inf file, copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:\Windows.

To back up a CA database and private key by using Certutil.exe
  1. Log on with local administrative credentials to the CA computer.

  2. Open a Command Prompt window.

  3. Type Certutil.exe -backupdb <BackupDirectory> and press ENTER.

  4. Type Certutil.exe -backupkey <BackupDirectory> and press ENTER.

  5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

  6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

  7. After the backup completes, verify the following files in the location you specified:

    • CAName.p12 containing the CA certificate and private key
    • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb
  8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly recommended tasks: staging a certificate restore is the most important part before you decommission the existing certificate server. Create an isolated environment similar to your Active Directory Domain Services. Add a new certification authority and restore the database and private key. Test whether the certificates, templates, registry and private key match your production infrastructure. Once you are happy and the restoration tasks have completed successfully, you can decommission the certification authority. If the source certification authority is virtual, I would recommend taking a snapshot before you remove the CA role.

  • To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
  • To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

  1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

  2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

  3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

    Note: You must have a network connection to a domain controller in order to install an enterprise CA.

  4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

  5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

  6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

  7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

  8. Click Next two times.

  9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next. On the Confirm Installation Options page, review all of the configuration settings, click Install and wait until the setup process has finished.

  10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

  11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

  12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

  13. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe
  1. Log on to the destination server by using an account that is a CA administrator.

  2. Open a Command Prompt window.

  3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To restore the certificate templates list

Log on with administrative credentials to the destination CA.

  1. Open a command prompt window.

  2. Type certutil -setcatemplates +<templatelist> and press ENTER.

Important! Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration, because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify the registry location and the following configuration parameters:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

  • DBDirectory
  • DBLogDirectory
  • DBSystemDirectory
  • DBTempDirectory
  • DBSessionCount

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAname

  • CACertPublicationURLs
  • CRLPublicationURLs

Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers
  1. Open Active Directory Sites and Services> In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

  6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  7. In the console tree, expand CDP, and then click the name of the source server.

  8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

  9. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  10. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

  11. Repeat steps 8 through 10 for each cRLDistributionPoint item.

Additional procedures for failover clustering

  • The CA role must be installed on both nodes.

  • Stop Active Directory Certificate Services from Services.msc.

  • Ensure shared storage is online.

  • The certificate store and logs must be placed in shared storage.

To verify shared storage is online

  1. Log on to the destination server. Start Server Manager.

  2. In the console tree, double-click Storage, and click Disk Management.

  3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow the Configure Microsoft Failover Cluster link (see Additional references) to create and configure a cluster.

  1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

  2. In the list of services and applications, select Generic Service, and click Next.

  3. In the list of services, select Active Directory Certificate Services, and click Next.

  4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

  5. To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. Click Next twice.

  6. Click Finish to complete the failover configuration for AD CS.

  7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

  8. In the details pane, click Generic Service. On the Action menu, click Properties.

  9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service
  1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

  2. In the details pane, select the previously created name of the clustered service.

  3. On the Action menu, click Add a resource, and then click Generic Service.

  4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

  5. Under Services and Applications in the console tree, click the name of the clustered services.

  6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

  7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

  8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

  9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: if you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions on the following AD DS containers:
  • The AIA container
  • The Enrollment container
  • The KRA container

To grant permissions on public key containers in AD DS
  1. Open Active Directory Sites and Services. In the console tree, click the top node.

  2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

  3. In the details pane, right-click the name of the source CA, and then click Properties.

  4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

  5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

  7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

  8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

  9. In the console tree, click KRA.


10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS
  1. Log on to the active cluster node as a member of the Enterprise Admins group.

  2. Open ADSI Edit. On the Action menu, click Connect to, click Configuration, and click OK.

  3. In the console tree, expand Configuration\Services\Public Key Services\Enrollment Services.

  4. Double-click the CN of the CA and check that the dNSHostName attribute matches the name shown in the Failover Cluster Manager snap-in, and click OK. If not, enter the proper FQDN of the cluster as shown in the screenshot. Click OK to save the changes.

  5. Open dnsmgmt.msc from the Start menu > Run. Verify that a Host (A) DNS record has been added with the same name and IP address as the cluster.

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points
  1. Open Registry Editor and locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

  2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

  3. In the second line, replace %2 with the service name specified in step 4 of the procedure "To configure AD CS as a cluster resource". The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

  4. Open a command prompt, type certutil -CRL, and press ENTER.

  5. To create the CRL distribution point container in AD DS, at a command prompt type cd %windir%\System32\CertSrv\CertEnroll, and press ENTER. The CRL file created by the certutil -CRL command should be located in this directory.

  6. To publish the CRL in AD DS, type certutil -f -dspublish "CRLFile.crl" and press ENTER.

To set up auditing on the CA: open the CA MMC > select the certificate server > right-click > click Properties.

Check the desired events to audit > click OK. Restart the CA service.

To deploy the enterprise root CA certificate using GPO: create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Trusted Root Certification Authorities > click Import > locate the root certificate and import it. Click Close.

To configure automatic certificate requests: create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Automatic Certificate Request Settings > click New > click Automatic Certificate Request > configure the certificate template and request. Follow the screenshot. Note that Autoenroll must be allowed on the Security tab of the certificate template in the CA.

Additional references

How to extend root certificate authority and subordinate CA

Configure Microsoft Fail over Cluster

Active Directory Certificate Services Overview

FF TMG 2010: Configure Network Load Balancing Across Enterprise Array Members

NLB is a wonderful built-in TMG feature you can utilize to balance high network traffic. You can configure network load balancing across up to eight FF TMG array members.

The following is an example of an FF TMG 2010 NLB configuration.

To configure network load balancing among FF TMG 2010 enterprise array members, open the FF TMG Enterprise Management Server console, click the Networking node and select the preferred networks. For this article, I have chosen the internal network for load balancing.

Click Enable Network Load Balancing Integration. You will be presented with the NLB Integration Wizard; click Next.

Select Internal > click Configure NLB Settings.

Type the primary virtual IP (VIP), select Unicast and click OK. Note that the VIP will be in the same IP range as the internal networks of both TMG servers. The VIP will be registered as a DNS record in the DNS server once you click Finish.

Click Finish. Click OK.

Apply the changes. Click OK.

To change or add an additional VIP, click the Networking node > right-click the Internal network > click Properties > click the NLB tab.

Change the FF TMG client configuration to the new VIP. The client proxy address will be the new VIP.

Now you have finished configuring NLB. To test NLB, open Internet Explorer, add the VIP as the new proxy address and browse bing.com.

To test that you are still able to browse the internet using the VIP proxy address if one NLB node fails, reboot one TMG server while you keep surfing the internet on a client. You will experience slow browsing, depending on your load. You will see the following error in the TMG EMS, but once all array members are up and running it will sync itself.

Important! You can centrally manage up to 15 EMS, 200 arrays per EMS and 50 TMG servers per array, that is 150,000 TMG servers in total.

Relevant Articles:

FF TMG 2010: Configure ISP Redundancy— Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

FF TMG 2010: Configure ISP Redundancy— Step by Step

The ISP redundancy feature utilizes multiple ISP links and provides high availability for corporate Internet access, either with load balancing and failover or with failover only. The common functions of ISP redundancy are:

  • Designate primary and secondary links for internet connections
  • Balance the traffic load based on the percentage of total traffic per link
  • Automatically fail over to the secondary link if the primary link fails


Picture: ISP redundancy using FF TMG 2010

You must fulfill the following requirements before you configure ISP redundancy.

  • Two separate ISP links
  • The ISP-provided static IP addresses must be obtained from separate subnets.
  • Each network must have a Network Address Translation (NAT) relationship with the External network.
  • To ensure that DNS requests are routed to the correct ISP, you must add a persistent static route for each DNS IP address configured on the external network adapters.

Important!

  • Static NAT rules take precedence over ISP redundancy configuration settings. This means that static NAT traffic directed to the primary ISP link is not rerouted to the secondary ISP link if the primary ISP link is down.
  • You can designate that traffic sent to a range of IP addresses is routed to a specific ISP link while configuring ISP redundancy. To do so, click Explicit Route Destinations>click Add Range. You can add multiple ranges.

To configure the NICs connected to the ISP links


Right-click the external NIC connected to the primary ISP>click Properties>select TCP/IPv4>click Properties>type the static IP, subnet mask, gateway and DNS provided by the ISP.

Repeat the above steps for the external NIC connected to the secondary ISP link. You will be prompted with the following warning. Don’t worry, this is a common phenomenon on Windows operating systems when you add two gateways. Click Yes to save the configuration.


To add a persistent static route

Open a command prompt as an administrator and add a persistent route for the DNS server of each ISP through the matching external NIC. The destination is a single host, so it needs the host mask 255.255.255.255; with a /24 or /21 mask route.exe rejects a destination whose host bits are set ("The parameter is incorrect"). The example below keeps the author's addresses, where the same address serves as the route destination and as the ISP gateway, and uses interface 3 for the primary and interface 4 for the secondary external NIC.

route -p ADD 192.168.1.254 MASK 255.255.255.255 192.168.1.254 METRIC 1 IF 3

route -p ADD 192.168.100.254 MASK 255.255.255.255 192.168.100.254 METRIC 2 IF 4

Command syntax

route [-p] ADD [destination] MASK [netmask] [gateway] METRIC [metric] IF [interface]

  • -p: makes the route persistent
  • METRIC: specifies the priority for this route; the route with the lowest metric has the highest priority
  • IF: specifies the interface number
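Finding the right IF number by hand is where this step usually goes wrong, because interface indexes differ from server to server. The following PowerShell script is an added example, not code from the original article: it looks up the interface index of each external adapter by its connection name through WMI, adds a persistent /32 host route for every DNS server of that ISP via that ISP's gateway, and then shows the persistent routes for verification. The DNS and gateway addresses are the article's own values; the adapter names External-ISP1 and External-ISP2 are placeholders for this lab. It runs on Windows Server 2008 R2 with PowerShell 2.0 and must be run from an elevated prompt.

```powershell
# Added example (not part of the original article): add persistent host routes
# for each ISP's DNS servers on the external NIC that belongs to that ISP.
$IspLinks = @(
    @{ Name = "Primary ISP";   Adapter = "External-ISP1"; Gateway = "192.168.1.254";   Dns = @("192.168.1.254");   Metric = 1 },
    @{ Name = "Secondary ISP"; Adapter = "External-ISP2"; Gateway = "192.168.100.254"; Dns = @("192.168.100.254"); Metric = 2 }
)

foreach ($link in $IspLinks) {
    # Resolve the interface index (the IF number route.exe expects) from the
    # adapter's connection name as shown in Network Connections.
    $adapter = Get-WmiObject Win32_NetworkAdapter |
               Where-Object { $_.NetConnectionID -eq $link.Adapter }
    if (-not $adapter) {
        Write-Warning "Adapter '$($link.Adapter)' not found; skipping $($link.Name)"
        continue
    }
    $ifIndex = $adapter.InterfaceIndex

    foreach ($dns in $link.Dns) {
        # /32 host route: DNS queries to this server always leave through this
        # ISP's gateway instead of following whichever default route wins.
        $routeArgs = "-p ADD $dns MASK 255.255.255.255 $($link.Gateway) METRIC $($link.Metric) IF $ifIndex"
        Write-Host "$($link.Name): route $routeArgs"
        $output = & route.exe $routeArgs.Split(" ")
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "route.exe failed for $dns on $($link.Name): $output"
        }
    }
}

# Verify: persistent routes are listed in their own section of "route print".
route.exe print -4 | Select-String "Persistent Routes" -Context 0,10
```

Because the routes are stored in the registry (that is what -p does), they survive a reboot; re-running the script after an adapter has been replaced is enough to repoint them at the new interface index.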

To verify the NAT rule

Open the Forefront TMG Management console and click the Networking node.

Click the Network Rules tab>check the network rules.


To configure ISP Redundancy

Open the Forefront TMG Management console and click the Networking node. In the details pane, click the ISP Redundancy tab>click Configure ISP Redundancy, then follow the instructions in the wizard as shown in the screenshots.


In this window, you can select the preferred redundancy mode.


Apply changes. Click OK.

To modify each link, select the link and click Edit Selected ISP Connection. To monitor ISP redundancy, click Monitor ISP Redundancy.


Relevant Articles:

Install and configure Forefront TMG step by step

Forefront Threat Management Gateway (TMG) 2010

Configure back to back perimeter step by step

Configure reverse proxy step by step

 

 

 

 

Configure Microsoft Fail over Cluster for DHCP services—step by step

Microsoft Cluster Requirements: Servers, NICs and storage must meet the Microsoft cluster requirements before you configure MSCS using two or more independent computers. The objective of creating a cluster is to avoid a single point of failure, that is, to provide high availability for a service or application. Before you configure a cluster, keep in mind that your design must meet these primary conditions.

To achieve redundancy, you can connect your cluster nodes with networks built from teamed network adapters, redundant switches and redundant routers, which removes single points of failure.

Serial Attached SCSI or Fibre Channel adapters must be identical and use the same firmware version. For iSCSI storage, you must use a dedicated HBA or gigabit network adapters for storage; these adapters cannot be used for ordinary network communication. To use the native disk support included in failover clustering, use basic disks, not dynamic disks. Microsoft recommends NTFS for the quorum disk and shared storage. You can use either master boot record (MBR) or GUID partition table (GPT). A LUN used by one set of cluster servers should be isolated from all other servers through LUN masking or zoning. In a highly available storage fabric, you can deploy failover clusters with multiple host bus adapters by using multipath I/O software or Microsoft Multipath I/O (MPIO), with at least two HBAs per server connected to two different fabric switches.

You can configure a Microsoft cluster using any version of Windows Server 2008 Enterprise and Datacenter. You must configure all nodes using the same architecture, OS, patches and hotfixes. For example, if one node is x64 then all other nodes in the cluster must be x64. To build MSCS, you must have functional AD DS, an Active Directory domain controller and administrative rights to manage MSCS.

Unsupported configurations:

  • NIC teaming other than with the manufacturer's teaming software
  • IP addresses assigned by a Dynamic Host Configuration Protocol (DHCP) server for the cluster administration address (which is associated with the cluster name) or for any IP address resources
  • Non-multiported NICs
  • For iSCSI, you cannot use teamed network adapters, because they are not supported with iSCSI
  • Windows Server 2008 Standard
  • MSCS cannot be formed between two nodes that are members of two different Active Directory forests

Configure Network: MSCS requires a minimum of two network adapters in each node of the cluster to be certified for the HCL: one for the heartbeat network and another for the public network, or simply data transmission on the internal network. All network cards on the public network need to be on the same logical network (same subnet) regardless of their physical location. It is recommended that you put the private network adapter in a Class A, Class B or Class C IP range.


Microsoft does not recommend that you use network teaming on a cluster. However, if you do use manufacturer-specific network adapter teaming software (for example the Dell advanced network management suite), it must be seamless to the cluster and must reside only on the public network. The heartbeat NIC is connected with a separate crossover cable (or to a switch in the same VLAN).

Sample IP configuration of the internal NIC:

IP Address 10.10.10.20/24   DG: 10.10.10.1   DNS: 10.10.10.5

Sample IP configuration of the heartbeat NIC:

IP Address 192.168.100.0/24   DG: none   DNS: none

Open the Failover Cluster Management console>click Networks>right-click the heartbeat network>click Properties>click “Do not allow the cluster to use this network”>click Apply and OK. Note that this NIC is dedicated to the heartbeat network. Clients should use the other network.


Configure Shared Storage: I used FreeNAS as the iSCSI target. To use FreeNAS as an iSCSI target, download the FreeNAS iSCSI target VMware vmdk file from sourceforge or freenas.org.

Add target disks for quorum and shared storage.


Start the FreeNAS VM. From the console setup, set the LAN IP and the WebGUI password. Open IE in Windows 7 and browse to the FreeNAS IP. Make sure scripts and ActiveX are allowed in IE. Click Services>iSCSI target>click Portal>add the LAN IP address you set in the console setup.


Click Settings>Enable iSCSI target. Do not change the default settings. Click Target>click Add Extent to mount the disk. Once finished, add a target and assign it to the disk you added in the previous step. Add as many disks and targets as you want from this window. Apply changes.


Log on to the cluster server, open Administrative Tools>click iSCSI Initiator>click the Discovery tab>click Add Portal. Type the IP address of the iSCSI target, leave the rest of the settings at their defaults and add the target portal.


Click the Targets tab>click Refresh. You will be presented with the target disk. Select the target disk and click Log on. Check Automatically restore this connection when the computer starts, then click OK.


Start Menu>Run>type diskmgmt.msc and click OK>see the disks visible to the cluster server. Configure the disks as basic disks with the NTFS file system.


Note that for this article I am using the software initiator, as I don’t have an HBA in my test infrastructure, so don’t ask why I use the MS iSCSI initiator. You can use other means of connecting storage to your server; you are free to do so as long as it is supported by the Microsoft HAL.

Install Failover Cluster Feature: In Server Manager, open the Add Features wizard, click Failover Clustering, and then click Install. Follow the installation wizard.


Configure Cluster: To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. Right-click Failover Cluster Management>click Create a Cluster. Add the servers that take part in this cluster, type the IP address, type the name of the cluster and add the shared storage. Follow the wizard and finish creating the cluster.


Check Clustered Disk:

Open Failover Cluster Management, click Storage and view the available storage. You may label your quorum disk “quorum” with “Q” as its drive letter to identify it quickly.


Configure Quorum Disk:

The quorum algorithm is a method for determining whether a majority of cluster members is present so that resources can be shared across the cluster. Quorum is the number of votes that must be present for the cluster to function. A cluster can designate a disk as the quorum disk. The quorum disk acts as a virtual cluster member whose purpose is to add one vote to the total cluster votes. For example, if you have a thirteen-node cluster and seven of its nodes fail, the cluster becomes inoperative. By establishing a quorum disk, you can increase the availability of a two-node cluster; such a configuration can maintain quorum if either the quorum disk or one node fails, and continue operating. There are four quorum modes: Node Majority, Node and Disk Majority, Node and File Share Majority, and No Majority: Disk Only.

Right-click Storage>click Add Disk>select the cluster disk>click OK. You can create a 2 GB quorum disk for your cluster. Don’t worry about this screenshot; it is just for this article.


Right-click Failover Cluster Management>click Validate Cluster>select the disk validation tests and run the validation. You should see that you passed validation.


Right-click the FQDN of the failover cluster, click More Actions, and then click Configure Cluster Quorum Settings. MSCS will recommend a quorum mode for your configuration; select the recommended one. Click Next.


Select the witness storage disk and click Next. Click Finish and review the report.
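The cluster build from the network configuration through the quorum settings can also be scripted, which makes it repeatable and leaves a validation report behind. The following PowerShell script is an added example, not code from the original article: using the FailoverClusters module that ships with Windows Server 2008 R2, it validates the nodes, creates the cluster with a static administration address (DHCP-assigned cluster addresses are listed as unsupported above), adds the iSCSI disks that both nodes can see, marks the 192.168.100.0/24 network as a cluster-only (heartbeat) network, and sets Node and Disk Majority with a witness disk. The node names, cluster name, cluster IP and the witness disk resource name "Cluster Disk 1" are placeholders for this lab; the subnets are the article's sample values. The DHCP role is then added with the High Availability wizard as described below.

```powershell
# Added example (not part of the original article): build the two-node cluster
# with the FailoverClusters module instead of the GUI. Run on one node, elevated.
Import-Module FailoverClusters

$Nodes       = @("node1.corp.local", "node2.corp.local")  # placeholders
$ClusterName = "cluster01"                                 # placeholder
$ClusterIP   = "10.10.10.30"                               # placeholder on the 10.10.10.0/24 internal network
$WitnessDisk = "Cluster Disk 1"                            # placeholder; the small disk labelled "quorum"

# 1. Validate first. The report is an HTML file; a cluster built from a failing
#    validation is not a supported configuration.
$report = Test-Cluster -Node $Nodes
Write-Host ("Validation report: {0}" -f $report.FullName)

# 2. Create the cluster with a static administration address.
New-Cluster -Name $ClusterName -Node $Nodes -StaticAddress $ClusterIP | Out-Null

# 3. Add every disk the cluster can see (the iSCSI LUNs logged on from both nodes).
Get-ClusterAvailableDisk -Cluster $ClusterName | Add-ClusterDisk | Out-Null

# 4. Network roles: 0 = not used by the cluster, 1 = cluster communication only,
#    3 = cluster and client. The heartbeat subnet gets role 1 so that clients
#    never use it; the internal subnet keeps role 3.
$networks = Get-ClusterNetwork -Cluster $ClusterName
foreach ($net in $networks) {
    switch ($net.Address) {
        "192.168.100.0" { $net.Name = "Heartbeat"; $net.Role = 1 }
        "10.10.10.0"    { $net.Name = "Internal";  $net.Role = 3 }
    }
}

# 5. Quorum: Node and Disk Majority using the witness disk resource by name.
Set-ClusterQuorum -Cluster $ClusterName -NodeAndDiskMajority $WitnessDisk | Out-Null

# 6. Show what was built.
Get-ClusterNode    -Cluster $ClusterName | Format-Table Name, State -AutoSize
Get-ClusterNetwork -Cluster $ClusterName | Format-Table Name, Address, Role -AutoSize
Get-ClusterQuorum  -Cluster $ClusterName | Format-List QuorumType, QuorumResource
```

Check the validation report before moving on; the disk tests in it are the same ones the Validate Cluster step above runs, and a failed storage test means the iSCSI disks are not visible identically on both nodes.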


Configure Services or Application: Once you have finished configuring MSCS, you are ready to create a service or application in this cluster. For this article, I am going to create a DHCP cluster. Please note that, to create a clustered service or server role, you must have the specific server role installed on both nodes of the cluster.

Right-click Services and Applications>click Configure a Service or Application>select DHCP Server>click Next>type the clustered DHCP IP address>select the shared storage, follow the wizard and finish.


Now right-click testDHCP>click Manage.


Now you can add DHCP scopes and superscopes. Note that the IP helper address on your Cisco L3 switch or core switch will be the virtual cluster IP of the DHCP cluster.


Command Line: Open an elevated command prompt. Type Cluster /help to see all cluster commands. Type Net Start CLUSSVC /FQ and press Enter to start the cluster service with forced quorum. Type CLUSTER [cluster-name] NODE node-name /STATUS and press Enter to see the status of a cluster node. For more help on cluster groups and nodes, type CLUSTER GROUP /? or CLUSTER NODE /? and press Enter.

Relevant Study:

Download TechNet Resources

HAL Requirements

Microsoft Cluster on VMware vSphere

FreeNas