Windows Server Product Life Cycle

References

Microsoft Server Life Cycle

 

Migrate WSUS Server from Server 2008/R2 to Server 2012/R2

The following procedure apply if you have an existing WSUS server installed on a Windows 2008 R2 OS with SQL Express and you wish to migrate to Windows Server 2012 R2 WSUS server and a separate backend database server.

Step1: Backup SQL DB of Old WSUS Server

Log on to existing WSUS server. Open SQL Management Studio>Connect to DB>Right Click SUSDB>backup full database.

Step2: Export metadata from old WSUS Server

The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and WSUS Administrator Group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself and during the import or export process, the Update Service is shut down.

Open command prompt as an administrator>go to C:\program Files\Update Services\Tools

Issue wsusutil.exe export c:\export.cab c:\export.log command

Move the export package you just created to the new Microsoft WSUS Server.

 

If you have .netFramework v.2 or v.4 but not configured in IIS Application. Then most likely above command will fail giving you some grief. Here is a solution for this.

Verify that WSUS is configured to use the .NET4 libraries in IIS>Application Pool

Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools

Edit the file and add the following:

<configuration><startup><supportedRuntime version=”v4.0.30319″ /></startup></configuration>

If issue persists, please try to unapprove KB3020369 in WSUS Console then try again.

Re-run the wsusutil command but instead of making a CAB file make a .xml.gz file and all should be well.

Further reading 1

Further reading 2

 

Step3: Build New WSUS Server

Virtualize a new Windows Server 2012 R2 Server. Setup static IP, Join the server to domain. Install .NetFramework 4 in new server.Do not Configure WSUS at this stage. Go to Step4.

 

Step4: Restore SQL DB in New SQL Server (Remote and/or Local )

Log on to SQL Server. Open SQL Management Studio>Create a Database named SUSDB

Restore old SUSDB to new SUSDB with override option.

Assign sysadmin, setupadmin role to the person who will install WSUS role in new WSUS server.

Step5: Install WSUS Role & Run Initial Configuration Wizard.

Installation of WSUS

 Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the Local Administrators group.

 In Server Manager, click Manage, and then click Add Roles and Features.

 On the Before you begin page, click Next.

 In the Select installation type page, confirm that Role-based or feature-based installation option is selected and click Next.

 On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.

 On the Select server roles page, select Windows Server Update Services. Add features that are required for Windows Server Update Services opens. Click Add Features, and then click Next.

 On the Select features page. Retain the default selections, and then click Next.

 On the Windows Server Update Services page, click Next.

 On the Select Role Services page, Select Windows Server Update Services and Database, and then click Next.

 On the Content location selection page, type a valid location to store the updates. For example, type E:\WSUS as the valid location.

 Click Next. The Web Server Role (IIS) page opens. Review the information, and then click Next. In Select the role services to install for Web Server (IIS), retain the defaults, and then click Next.

 On the Confirm installation selections page, review the selected options, and then click Install. The WSUS installation wizard runs. This might take several minutes to complete.

 Once WSUS installation is complete, in the summary window on the Installation progress page, click Launch Post-Installation tasks. The text changes, requesting: Please wait while your server is configured. When the task has finished, the text changes to: Configuration successfully completed. Click Close.

 In Server Manager, verify if a notification appears to inform you that a restart is required. This can vary according to the installed server role. If it requires a restart make sure to restart the server to complete the installation.

 

Post Configuration

Open Server Manager>Add/Remove program. It will provide you with previous installation Wizard. Launch Post Configuration Wizard.

 On the Welcome page, click Next.

 On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.

 Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.

On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

Make your selection, and then click Next.

On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance. Simply type remote or local SQL Server Name and then click Next.

On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.

 On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.

 The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish the configuration wizard will be launched.

 

Step6: Match the Advanced Options on the old WSUS Server & the new WSUS Server

Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:

1. In the WSUS console of the old WSUS server, click the Options tab, and then click Advanced in the Update Files and Languages section.
2. In the Advanced Synchronization Settings dialog box, check the status of the settings for Download express installation files and Languages options.
3. In the WSUS console of the new server, click the Options tab, and then click Advanced in the Update Files and Languages section.
4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the old server.

Step7: Copy Updates from File System of the old WSUS Server to the new WSUS server

To back up updates from file system of old WSUS server to a file, follow these steps:

1. On your old WSUS server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
3. Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
4. In Backup media or file name, type a path and file name for the backup (.bkf) file.
5. Click Start Backup. The Backup Job Information dialog box appears.
6. Click Advanced. Under Backup Type, click Incremental.
7. From the Backup Job Information dialog box, click Start Backup to start the backup operation.
8. Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

1. On your new WSUS server, click Start, and then click Run.
2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
3. Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
4. In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.
5. Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.
6. Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the restore operation.

Alternative option would be use FastCopy Software. Copy and paste WSUS content from old server to new server.

Step8: Copy Metadata from the Database on the old WSUS Server to the new WSUS Server

To import metadata into the database of the new Microsoft Windows Server Update Services Server, follow these steps:.

Copy export.xml.gz or export.cab file from old server to new server using copy/Paste or FastCopy software.

Note: It can take from 3 to 4 hours for the database to validate content that has just been imported.

At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe. Type the following: wsusutil.exe import packagename logfile (For example: wsusutil.exe import export.cab import.log or wsusutil.exe import export.xml.gz export.log)

Step9: Point your Clients to the new WSUS Server

Next you need to change the Group policy and make it point top the new server.  To redirect Automatic Updates to a WSUS server, follow these steps:

1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2. In the details pane, click Specify Intranet Microsoft update service location.
3. Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. With the new server details and port For example, type http(s)://newservername :Port in both boxes.

Step10: Invoke GPUpdate

Open PowerShell command prompt as an administrator in any computer. Run Invoke-GPUpdate Servername to synchronise server with new WSUS Server.

Bulk Migration of Printer from Windows Server 2008/R2 to Windows Server 2012/R2

Bulk Migration of Printer from Windows Server 2008/R2 to Windows Server 2012/R2

The following steps are from those who would like to migrate print server from legacy Server 2008/R2 to Windows Server 2012/R2. This steps will bring new drivers and avoid bringing old corrupt drivers and configuration into new systems. If you utilize print migration wizard then you may bring legacy corrupt driver into new systems. This steps also helpful if you are using Citrix Universal Print Driver.

Step1: Download correct and latest Generic/Universal/Global print driver. HP called Universal. Other manufacturer may call global or generic driver. Help yourself from Bing.

Step2: Install Generic Driver.

Open Server manager>Print Management>print Servers>Server name>Drivers.

Right Click and add x64 & x86 drivers.

Step3: Extract Legacy print Configuration.

Open PowerShell as an administrator. Run the following command.

$printserver = “printservername.domain.com”

Get-WMIObject -class Win32_Printer -computer $printserver | Select Name,DriverName,PortName,sharename,location,comment | Export-CSV -path ‘C:\printers.csv’

Step4: Create a CSV file shown below from the CSV File extracted in step3.

Create a CSV fileand store the file into c:\printers.csv in new Windows Server 2012 R2.

First row of CSV shown below. Add relevant rows to your CSV file.

PrintServer|Driver|PortName|IPAddress|Sharename|Location|Comment|Printername

Step5: Create a Powershell script as below (Extracted the script from http://poshcode.org/1462)

Open a notepad. Copy from below and paste into the notepad. Rename to CreatePrinter.PS1

function CreatePrinter {

$server = $args[0]

$print = ([WMICLASS]”\\$server\ROOT\cimv2:Win32_Printer”).createInstance()

$print.drivername = $args[1]

$print.PortName = $args[2]

$print.Shared = $true

$print.Sharename = $args[3]

$print.Location = $args[4]

$print.Comment = $args[5]

$print.DeviceID = $args[6]

$print.Put()

}

function CreatePrinterPort {

$server = $args[0]

$port = ([WMICLASS]”\\$server\ROOT\cimv2:Win32_TCPIPPrinterPort”).createInstance()

$port.Name= $args[1]

$port.SNMPEnabled=$false

$port.Protocol=1

$port.HostAddress= $args[2]

$port.Put()

}

$printers = Import-Csv c:\printers.csv

foreach ($printer in $printers) {

CreatePrinterPort $printer.Printserver $printer.Portname $printer.IPAddress

CreatePrinter $printer.Printserver $printer.Driver $printer.Portname $printer.Sharename $printer.Location $printer.Comment $printer.Printername

}

Step6: run the scrip

Log on to new Server 2012/R2 print server. Open PowerShell as an administrator. Run the above script. You have to tweak little bit such as additional drivers. Amendment of print properties. But this is little effort than creating entire print server manually.

Further reading:

install unsigned drivers

Migrate Windows Server 2008/R2 Active Directory to Windows Server 2012/R2 Active Directory

Forest Functional Prerequisites

1. Check to ensure the Domain Functional Level is currently setup to at least Windows 2003 mode.
2. Open the Active Directory Users and Computers console, select the domain via the right mouse button on it.
3. Select Raise Domain Functional Level and review the Current domain functional level reported minimum Windows Server 2003.

RBAC Requirement

Your account must be a member of Domain Admins, Schema Admins and Enterprise Admin.

Systems Requirement

Processor	1vCPU
RAM	4GB
Free disk space requirements	32 GB
Screen resolution	800 x 600 or higher
Network	1 Ethernet
DVD	1

Prepare Windows Machine

1. Download Windows Server 2012 R2.
2. Build Windows Server 2012 R2
3. Join the Server to Domain with a static IP

Prepare Forest and Domain

1. Mount Windows Server 2012 R2 ISO on to the Windows Server 2008 R2 Domain Controller.
2. Log on to Windows 2008 R2 Domain as an administrator.
3. Open command prompt as an administrator, and type adprep /forestprep and press enter.
4. Open command prompt as an administrator, and type adprep /domainprep and press enter.

Install AD DS Role

1. Open the Server Manager console and click on Add roles and features
2. Select Role-based of featured-based installation and select Next.
3. Select the Active Directory Domain Services role.
4. Accept the default features required by clicking the Add Features button.
5. On the Features screen click the Next button.
6. On the Confirm installation selections screen click the Install button. Check off the Restart the destination server automatically if required
7. Click the Close button once the installation has been completed.
8. Once completed, notification is made available on the dashboard highlighted by an exclamation mark. Select it and amidst the drop down menu select Promote this server to a domain controller.
9. Select add a Domain Controller into existing domain
10. Ensure the target domain is specified.  If it is not, please either Select the proper domain or enter the proper domain in the field provided.
11. Click Change, provide the required Enterprise Administrator credentials and click the Next button.
12. Define if server should be a Domain Name System DNS server and Global Catalog (GC). Select the Site to which this DC belongs to and define Directory Services Restoration Mode (DSRM) password for this DC
13. Click the Next button on the DNS options screen.
14. Click the Next button once completed.
15. Specify location for AD database and SYSVOL and Click the Next button.
16. Next up is the Schema and Domain preparation.  Alternately, one could run ADPrep prior to commencing these steps, if ADPrep is not detected, it will automatically be completed on your behalf.
17. Finally, the Review Options screen provides a summary of all of the selected options for server promotion. As an added bonus, when clicking View Script button you are provided with the PowerShell script to automate future installations. To click the Next button to continue.
18. Should all the prerequisites pass, click the Install button to start the installation.
19. After it completes the required tasks and the server restarts, the new Windows Server 2012 R2 Domain Controller setup is completed.

Check New Domain Controller in AD Sites and Services

1. Open Active Directory Users and Computers, expand <Your Domain> and click the Domain Controller OU to verify your server is listed.
2. Open DNS Manager, right-click on <Your Domain>, select Properties and then click Name Servers Verify that your server is listed in Name Servers: lists.
3. Open Active Directory Sites and Services; verify that your server is listed in Servers under Default-First-Site-Name.

Check New Domain Controller in DNS Manager

1. Open DNS Manager in new Domain Controller
2. Expand Forward Lookup Zone
3. Select FQDN of domain> Double Click on Name Server (NS)>Properties>Check New Server in Name Server Tab.

Transfer FSMO Role

Now transfer all the FSMO roles from windows 2008 domain controller to windows 2012 R2 domain controller. Log on to windows 2008 domain controller as enterprise admin. Open command prompt type these command as follows:

ntdsutil

roles

connections

connect to server WIN2012R2SERVERNAME

q

Transfer domain naming master

Transfer PDC

Transfer Schema Master

Transfer RID master

Transfer infrastructure master
Change DNS Properties of Servers and Workstation

On each server and workstation within the target domain require a NIC properties configuration update to point to the new Domain Controller. Open the DHCP management console, select Option no. 006 and under server scope options and add the IP address of your new Domain Controller as DNS server.

Removing the Windows 2008 R2 domain controller

1. On the Windows 2008 R2 server click Start, Click Run, type dcpromo, then click
2. After the Welcome to the Active Directory Installation Wizard page, be sure to leave the Delete the domain because this server is the last domain controller in the domain
3. On the Administrator Password Page, enter your password and click Next.
4. On the Summary page, click Next, wait for the process to end, then click
5. On the Completing the Active Directory Domain Services Installation Wizard, click
6. On the Active Directory Domain Services Installation Wizard page, click Restart Now to Restart the server.
7. After the reboot is completed, delete the Windows Server 2008 R2 server from the domain to a workgroup and remove any unnecessary record from Active Directory Sites and Services.

Note: Wait for all schema object to be cleaned automatically. Do not rush to clean any schema object or DNS record in new Domain Controller.

Windows Server Patching Best Practices

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.

Windows Patch Classification

The following are strongly recommended patches:

1. Critical
2. Security
3. Definition Updates for malware
4. Service packs

Windows Product Classification

It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).

Patching Groups

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

• A full backup of all databases on the server.
• A full backup of transaction log and log backup
• A system state backup of the server.
• A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.

Application Compatibility

Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.

Patching Tools

I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.

Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.

Automate, Automate and Automate!

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

Installing Updates on a single Exchange Server

Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information

Check for publisher’s certificate revocation

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. Click the Advanced tab, and then locate the Security section.

4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

Pre-check before installing

1. Determine which update rollup packages are installed on your Exchange server roles

2. Determine whether any interim updates are installed

3. Review interim updates

4. Obtain the latest update rollup package

5. Apply on a Test Exchange Server

Install Exchange Update

1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

Install Exchange Update on DAG Member

To update all DAG members, perform the following procedures on each DAG member, one at a time. Set the member server in maintenance mode using this PowerShell Command.

.StartDagServerMaintenance.ps1 <ServerName>

Install the update rollup

1. Close all Exchange management tools.

2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

3. On the Welcome page, click Next.

4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

5. On the Completion page, click Finish.

Once installed exit from maintenance mode run the StopDagServerMaintenance.ps1 script. Run the following command to re-balance the DAG, as needed

.RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

When the installation is finished, complete the following tasks:

• Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
• Log on to Outlook Web App to verify that it’s running correctly.
• Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
• After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
• Check Exchange 2010 version information
• View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

1. Check the System event log for errors and ensure proper system operation.
2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
5. Install the service pack on Node A, and then restart the computer.
6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
7. In Cluster Administrator, right-click Node A, and then click Resume Node.
8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
9. In Cluster Administrator, right-click Node B, and then click Pause Node.
10. Install the service pack on Node B, and then restart the computer.
11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
12. In Cluster Administrator, right-click Node B, and then click Resume Node.
13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

1. Check the event log for errors and ensure proper system operation.
2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
3. On Node A, Expand Services and Applications, and then click the service or application
4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
6. Install the service pack/hotfixes on Node A, and then restart the computer.
7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
   Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
10. Install the service pack/hotfixes on Node B, and then restart the computer.
11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
13. In Failover Cluster Manager, right-click Node B, and then click Resume.
14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

You can use the following PowerShell Cmdlet to accomplish the same.

1. Load the module with the command: Import-Module FailoverClusters

2. Suspend (Pause) activity on a failover cluster nodeA: Suspend-ClusterNode nodeA

3. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeA | Get-ClusterGroup | Move-Cluster Group

4. Resume activity on nodeA that was suspended in step 5: Resume-ClusterNode nodeA

5. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeB | Get-ClusterGroup | Move-Cluster Group

6. Suspend (Pause) activity on other failover cluster node: Suspend-ClusterNode nodeB

7. Resume activity on nodeB that was suspended in step 10 above: Resume-ClusterNode nodeB

Conclusion

It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

Bottom line

1. Read all related documents.

2. Use a change control process.

3. Apply updates that are needed.

4. Test patches and hotfixes on test environment.

5. Don’t get more than 2 service packs behind.

6. Target non-critical servers first.

7. Service Pack (SP) level consistency.

8. Latest SP instead of multiple hotfixes.

9. Apply only on exact match.

10. Subscribe to Microsoft email notification.

11. Always have a back-out plan.

12. Have a working Backup and schedule production downtime.

13. Consistency across Domain Controllers and application servers.

Additional Readings:

SQL Server failover cluster rolling patch and service pack process

Patch Management on Business-Critical Servers

Windows Server 2012 First Look

Download Windows Server 2012 and have fun!!!

Windows Server 2008 R2 Active Directory Certificate Services Deep Dive

How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN

Create a text file using notepad. copy the following content and paste inside the text file and save as request.inf.

;copy from here

[Version]

Signature=”$Windows NT$

[NewRequest]
Subject = “CN=myserver.microsoftguru.com.au” ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE  ; TRUE = Private key is exportable
KeyLength = 2048    ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = CMC ; or PKCS10

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]

; If your client operating system is Win2k8,Win Vista, Win7

; SANs can be included in the Extensions section by using the following text format.

;Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = “{text}”

_continue_ = “dns=Exchange1.microsoftguru.com.au&”

_continue_ = “dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&”

_continue_ = “url=http://myserver.microsoftguru.com.au&”

_continue_ = “ipaddress=172.31.10.134&”

_continue_ = “email=test@microsoftguru.com.au& “

_continue_ = “upn=test@microsoftguru.com.au&”

_continue_ = “guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&”    

;Alternatively you create a SAN attribute using a script provided in KB

; use text format or encrypted format of SAN. 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==

[RequestAttributes]

; Multiple alternative names must be separated by an ampersand (&).

;In the example I have shown two different types of SAN. Use only one type of SAN.

;Asterisk *.yourdomainname.com.au is used for Wildcard certificates.

SAN=”dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130″

SAN=”dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au”

CertificateTemplate = WebServer

; change template name depending on your environment.

; remove “;” from request.inf file. file ends here.

Important Note: Some third-party certification authorities (For examples ISPs who sell SSL certificate) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=”E=test@microsoftguru.com.au, CN=<FQDN of server>, OU= My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU.” Amend Request.inf as per your need. For a standard certificate request you can omit SAN, [Extensions] and[EnhancedKeyUsageExtension] section.

Open a command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new c:request.inf c:certnew.req

At the command prompt, type the following command, and then press ENTER:

certreq -submit c:certnew.req c:certnew.cer

If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

certreq -submit -config “DC.microsoftguru.com.auMYCA” c:certnew.req c:certnew.cer

Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:

certreq -retrieve RequestID c:certnew.cer

You can also use the -config switch here to retrieve the certificate request from a specific CA.

At the command prompt, type the following command, and then press ENTER:

certreq -accept c:certnew.cer

This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in previous step.

How to configure a CA to accept a SAN attribute from a certificate request

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

To repair a certificate

1. If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.

2. In the console tree, double-click Personal Certificates, and click the imported CA certificate.

3. On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.

4. Open a Command Prompt window, type certutil –repairstore My “{Serialnumber}” and then press ENTER.

How to enable secure certificate enrolment in certificate authority

Step1: Create request.inf file using WebServer template

Step2: Generate a web server certificate request.req file using certreq.exe tools

certreq -new c:request.inf c:request.req

Step3: Submit the request.req file using certreq.exe or CA Management Console. Save certificate.cer

Open CA MMC>Select CA server>Right click on CA Server>Click All Task>Submit a new request

Point the location c:request.req and submit. you will be prompted to save certificate.

Step4: Import the certificate into certificate authority

Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right Click Import certificate you saved in previous steps.

Step5: Open IIS Management Console>Select Default Web Site>Click Bindings from Action Pan>Click Add>Select HTTPS>Select the certificate you just imported in previous step. Click OK.

Step6: Run iisreset /restart from command prompt

Step7: Test https://MYCA/certsrv

How to use secure Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

1. Open Internet Explorer. In Internet Explorer, connect to https://MYCA/certsrv.
   
2. Click Request a Certificate.>Click Advanced certificate request.

1. Click request a certificate
2. In the Certificate Template list, click Web Server. Note The CA must be configured to issue Web Server certificates.
3. Provide identifying information as required.
4. In the Name box, type the fully qualified domain name FQDN of the server.
5. Under Key Options, set the following options:
   • Create a new key set
   • CSP: Microsoft RSA SChannel Cryptographic Provider
   • Key Usage: Exchange
   • Key Size: 1024 – 16384
   • Automatic key container name
   • Store certificate in the local computer certificate store

Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

san:dns=dns.name[&dns=dns.name]

Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the alias are autodiscover.microsoftguru.com.au and webamil.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string appears as follows:

san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au

 

Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.

My preferred way to request a certificate is to create a .req file shown in previous steps. open .req file in a notepad and copy the contents. click submit a certificate request by using base 64-encode

Paste the contents into base 64-encode. Select web server template. click submit.

Now obtain certificate click yes.

to download certificate with root CA CRL  click Download certificate chain in p7b format

to download only certificate click download certificate and save.

How to configure Private Key in Certificate Authority and Export Private Key

1. Open CA MMC from Administrative Tools>Right Click on Certificate Template>Click Manage

2. Select WebServer Template>Right Click on WebServer Template>Click Duplicate Template>Select Win2k3 or Win2k8 OS Version>Type Template Name as WebServer With Private Key in General Tab

3. Click Request Handling Tab>Check Allow private key to be exported

 

4. Click Security Tab> Allow appropriate security for the person who will enroll and export the certificates

5. Click Ok. Close CA MMC.

6. Create a WebServer Request.inf. Create Request.req file

7. Submit WebServer request to https://myca/certsrv . Download and install certificate.

To export a certificate with the private key

1.Open Certificate Manager by clicking the Start button>Search Box>Type certmgr.msc, and then pressing ENTER.‌

2. Go to Certificates-Current UserPersonalCertificates>Select Certificate you would like to export.

3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.

Note that this option will appear only if the private key is marked as exportable in request.inf file and you have access to the private key.

4. Under Export File Format, do one or all of the following, and then click Next.

• To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
• To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

How to import Private Key

1. Click Start Menu>Search Box>Click mmc.msc>Click Certificates>Add Computer Account>Click OK.

2. Click a folder, click the Action menu, point to All Tasks, and then click Import.

3. Browse to the location where you exported certificates>Select Certificate>Provide password to import the certificate.

4. Click Next, and then follow the instructions.

Playing with AD CS Administration Cmdlets in Windows PowerShell

The following Windows PowerShell® cmdlets that are for use in administering the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server® “8” Beta.

• Import-Module ServerManager – Imports the Server Manager module that provides the Add-WindowsFeature cmdlet.
• Add-WindowsFeature Adcs-Cert-Authority – Adds the Certification Authority role service binaries.
• Add-WindowsFeature Adcs-Enroll-Web-Pol – Adds the Certificate Enrllment Policy Web Service binaries.
• Add-WindowsFeature Adcs-Enroll-Web-Svc – Adds the Certificate Enrollment Web Service binaries.
• Add-WindowsFeature Adcs-Web-Enrollment – Adds the Certification Authority Web Enrollment role service binaries.
• Add-WindowsFeature Adcs-Device-Enrollment – Adds the Network Device Enrollment Service binaries.
• Add-WindowsFeature Adcs-Online-Cert – Adds the Online Responder role service binaries.
• Get-Command -Module AdcsDeployment – Displays all the cmdlets that are associated with AD CS Deployment.

Disaster recovery or Migrate procedure of Active Directory Certificate Authority:

Moving a CA from one computer to a second computer involves the following procedures:

• Backing up the CA on the first computer
• Restoring the CA on the second computer

You must be a member of domain admins security group to perform the following operation. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA or move the CA first and then upgrade Windows.

• To upgrade Windows first: Upgrade the first server from Windows Server 2003 to Windows Server 2008, back up the CA on this server, and then restore the CA on a second server running Windows Server 2008.
• To move the CA first: Back up the CA on a computer running Windows Server 2003, restore the CA on a second computer running Windows Server 2003, and then upgrade the second server to Windows Server 2008.

To back up a CA

1. Open the Certification Authority snap-in.

2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.

3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.

4. Type a password for the CA private key backup file, and type it a second time to confirm the password. then click Finish

5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration

 

6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.

7. Backup the CA logs from the D:WinntSystem32Certlog folder, you must restore the backup to the D:WinntSystem32Certlog folder. After you restore the backup, you can move the CA database files to a different location.

8. In addition of above steps back up CAPolicy.inf . If your source CA is using a custom CAPolicy.inf file, you should copy the file to the same location as the source CA backup files. The CAPolicy.inf file is located in the %SystemRoot% directory, which is usually C:Windows.

To back up a CA database and private key by using Certutil.exe

1. Log on with local administrative credentials to the CA computer.

2. Open a Command Prompt window.

3. Type Certutil.exe –backupdb <BackupDirectory> and press ENTER.

4. Type Certutil.exe –backupkey <BackupDirectory> and press ENTER.

5. Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.

6. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.

7. After the backup completes, verify the following files in the location you specified:

   • CAName.p12 containing the CA certificate and private key
   • Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb

8. Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.

How to remove the CA role service from the source server

It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.

The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.

Highly Recommended Tasks. Staging a certificate restore is most import part before you decommission existing certificate server. Create a isolated environment similar to your Active Directory Domain Services. Add new Certificate Authority and restore the database and private key. test certificates, templates, registry and private key whether it is similar to your Production infrastructure. Once you happy and restoration tasks complete successfully you can decommission certificate authority. if source certificate authority is virtual than I would recommend you to take a snapshot before you remove the CA role.

• To remove the CA on a computer running Windows Server 2003, use the Add/Remove Windows Components wizard.
• To remove the CA on a computer running Windows Server 2008, use the Remove Roles Wizard in Server Manager.

To restore a CA on a new server from a backup copy

1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.

2. On the Select Role Services page, select the Certification Authority check box, and then click Next.

3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.

   Note You must have a network connection to a domain controller in order to install an enterprise CA.

4. On the Specify CA Type page, click the appropriate CA type, and then click Next.

5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.

6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.

7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

8. Click Next two times.

9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next.  On the Confirm Installation Options page, review all of the configuration settings> click Install and wait until the setup process has finished.

10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location. HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc

11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.

12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.

13 Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.

To restore the CA database by using Certutil.exe

1. Log on to the destination server by using an account that is a CA administrator.

2. Open a Command Prompt window.

3. Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.

To Restoring the certificate templates list

Log on with administrative credentials to the destination CA.

1. Open a command prompt window.

2. Type certutil -setcatemplates +<templatelist> and press ENTER.

Important ! Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.

Verify registry location and Configuration parameters are: 

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfiguration

• DBDirectory
• DBLogDirectory
• DBSystemDirectory
• DBTempDirectory
• DBSessionCount

HKEY_LOCAL_MACHINEsystemcurrentcontrolsetservicescertsvcConfigurationCAname

• CACertPublicationURLs
• CRLPublicationURLs

 

Granting permissions on AIA and CDP containers

If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.

To grant permissions on the AIA and CDP containers

1. Open Active Directory Sites and Services> In the console tree, click the top node.

2. On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.

3. In the details pane, right-click the name of the source CA, and then click Properties.

4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.

6. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

7. In the console tree, expand CDP, and then click the name of the source server.

8. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.

4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.

6. Repeat steps 13 through 18 for each cRLDistributionPoint item.

Additional procedures for failover clustering

• CA Role must be installed on both nodes

• Stop Active Directory Certificate Services from Services.msc

• Ensure shared storage is online.

• certificate store and logs must be placed in shared storage.

To verify shared storage is online

1. Log on to the destination server. Start Server Manager.

2. In the console tree, double-click Storage, and click Disk Management.

3. Ensure that the shared storage is online and assigned to the node you are logged on to.

To configure AD CS as a cluster resource

Follow Configure Microsoft Fail over Cluster URL to create and configure a cluster.

1. Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.

2. In the list of services and applications, select Generic Service, and click Next.

3. In the list of services, select Active Directory Certificate Services, and click Next.

4. Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.

5. To configure a shared registry hive, click Add, type SYSTEMCurrentControlSetServicesCertSvc, and then click OK. Click Next twice.

6. Click Finish to complete the failover configuration for AD CS.

7. In the console tree, double-click Services and Applications, and select the newly created clustered service.

8. In the details pane, click Generic Service. On the Action menu, click Properties.

9. Change Resource Name to Certification Authority, and click OK.

If you use a hardware security module (HSM) for your CA, complete the following procedure.

To create a dependency between a CA and the network HSM service

1. Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.

2. In the details pane, select the previously created name of the clustered service.

3. On the Action menu, click Add a resource, and then click Generic Service.

4. In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.

5. Under Services and Applications in the console tree, click the name of the clustered services.

6. In the details pane, select the newly created Generic Service. On the Action menu, click Properties.

7. On the General tab, change the service name if desired, and click OK. Verify that the service is online.

8. In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.

9. On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.

To grant permissions on public key containers: If you are migrating to a failover cluster, complete the following procedures to grant all cluster nodes permissions to on the following AD DS containers:

• The AIA container
• The Enrollment container
• The KRA container

To grant permissions on public key containers in AD DS

1. Open Active Directory Sites and Services. In the console tree, click the top node.

2. On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.

3. In the details pane, right-click the name of the source CA, and then click Properties.

4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

5. Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

6. In the console tree, click Enrollment Services.  In the details pane, right-click the name of the source CA, and then click Properties.

7. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.

8. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

9. In the console tree, click KRA.

10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.

11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.

To check the DNS name for a clustered CA in AD DS

1. Log on to the active cluster node as a member of the Enterprise Admins group.

2. Open ADSI Edit. On the Action menu, click Connect to. click Configuration, and click OK.

3. In the console tree, expand ConfigurationServicesPublic Key ServicesEnrollment Services.

4. Double click on CN and check check dNSHostName mentioned same as Failover Cluster Management in the Failover Cluster Manager snap-in, and click OK. if not add proper FQDN DNS of cluster as shown on the screenshot. Click OK to save changes.

5. Open dnsmgmt.msc from the start menu>run. Verify a Host (A) DNS record has been added with the same name and IP address of the Cluster. 

Configuring CRL distribution points for failover clusters

When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.

The following procedures must be performed on the active cluster node.

To change the configured CRL distribution points

1. Open registry edit and Locate the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvcConfiguration.

2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.

3. In the second line, replace %2 with the service name specified in step 6 of the procedure “To configure AD CS as a cluster resource.”  The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.

4. Open a command prompt, type certutil -CRL, and press ENTER.

5. To create the CRL distribution point container in AD DS At a command prompt, type cd %windir%System32CertSrvCertEnroll, and press ENTER. The CRL file created by the certutil –CRL command should be located in this directory.

6. To publish the CRL in AD DS, type certutil -f -dspublish “CRLFile.crl” and press ENTER.

To setup Audit on CA. Open CA MMC>Select the Certificate Server>Right Click>Click Property

Check desired Events to audit>Click Ok. restart CA Services.

To deploy Enterprise root CRL using GPO. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click on trusted Root Certificates>Click Import>Locate root certificate and import the certificate. Click Close.

To request Automatic Certificate request. Create a new group policy or use and existing GPO. Click Edit. Expand to Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies. Right Click Automatic Certificate Request >Click New >Click Automatic certificate Request>Configure Certificate template and request. Follow the screenshot. Note that Auto Enroll must be allowed in the security tab of certificate template in CA.

Additional references

How to extend root certificate authority and subordinate CA

Configure Microsoft Fail over Cluster

Active Directory Certificate Services Overview