The following procedure applies if you have an existing WSUS server installed on Windows Server 2008 R2 with SQL Express and you wish to migrate to a Windows Server 2012 R2 WSUS server with a separate back-end database server.
Step1: Back up the SQL database of the old WSUS server
Log on to the existing WSUS server. Open SQL Server Management Studio > connect to the database engine > right-click SUSDB and take a full database backup.
Step2: Export metadata from old WSUS Server
The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and the WSUS Administrators group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself, and the Update Services service is shut down for the duration of the import or export.
Open a command prompt as an administrator and go to C:\Program Files\Update Services\Tools.
Issue the following command:
wsusutil.exe export c:\export.cab c:\export.log
Move the export package you just created to the new Microsoft WSUS Server.
If .NET Framework 2 or 4 is installed but the WSUS application pool in IIS is not configured to use it, the above command will most likely fail and give you some grief. Here is a solution.
Verify that WSUS is configured to use the .NET 4 libraries under IIS > Application Pools.
Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools.
Edit the file and add the following:
<configuration><startup><supportedRuntime version="v4.0.30319" /></startup></configuration>
If the issue persists, unapprove KB3020369 in the WSUS console and then try again.
Re-run the wsusutil command, but produce a .xml.gz file instead of a .cab file, and all should be well.
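The two checks above (application pool runtime and the wsusutil.exe.config file) can be done from PowerShell so you know the state before running the export. The following is an added example, not code from the original post; it assumes the WSUS application pool is named WsusPool and that WSUS is installed under the default path.

```powershell
# Added example (not from the original post): confirm the WSUS application pool runs on .NET 4
# and create wsusutil.exe.config so wsusutil.exe itself loads the v4 runtime.
# Assumptions: the pool is named "WsusPool"; WSUS tools are under the default install path.
Import-Module WebAdministration

$poolName   = 'WsusPool'                                   # assumed WSUS application pool name
$toolsDir   = 'C:\Program Files\Update Services\Tools'
$configPath = Join-Path $toolsDir 'wsusutil.exe.config'

# 1. Report the managed runtime version of the WSUS application pool ("v2.0", "v4.0" or "")
$pool = Get-Item "IIS:\AppPools\$poolName"
Write-Host "$poolName runs managedRuntimeVersion = '$($pool.managedRuntimeVersion)'"
if ($pool.managedRuntimeVersion -ne 'v4.0') {
    Write-Warning "$poolName is not on .NET 4; switch it to v4.0 before running wsusutil export/import"
}

# 2. Write the startup config from the post, with straight quotes and no BOM
$config = @'
<configuration>
  <startup>
    <supportedRuntime version="v4.0.30319" />
  </startup>
</configuration>
'@
if (-not (Test-Path $configPath)) {
    [System.IO.File]::WriteAllText($configPath, $config, (New-Object System.Text.UTF8Encoding $false))
    Write-Host "Created $configPath"
} else {
    Write-Host "$configPath already exists; leaving it alone"
}

# 3. Parse the file back as XML so a stray smart quote cannot silently break wsusutil's startup
[xml]$check = Get-Content -Raw $configPath
Write-Host "supportedRuntime version in file: $($check.configuration.startup.supportedRuntime.version)"
```

Run it in an elevated PowerShell on the old WSUS server before step 2's export; the XML round-trip at the end is what catches the curly-quote problem that copying the config line from a web page tends to introduce.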
Step3: Build New WSUS Server
Virtualize a new Windows Server 2012 R2 server. Set up a static IP and join the server to the domain. Install .NET Framework 4 on the new server. Do not configure WSUS at this stage; go to Step 4.
Step4: Restore SQL DB in New SQL Server (Remote and/or Local )
Log on to the SQL Server. Open SQL Server Management Studio and create a database named SUSDB.
Restore the old SUSDB backup over the new SUSDB using the overwrite option.
Assign the sysadmin and setupadmin server roles to the account that will install the WSUS role on the new WSUS server.
Step5: Install WSUS Role & Run Initial Configuration Wizard.
Installation of WSUS
Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the Local Administrators group.
In Server Manager, click Manage, and then click Add Roles and Features.
On the Before you begin page, click Next.
In the Select installation type page, confirm that Role-based or feature-based installation option is selected and click Next.
On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.
On the Select server roles page, select Windows Server Update Services. Add features that are required for Windows Server Update Services opens. Click Add Features, and then click Next.
On the Select features page. Retain the default selections, and then click Next.
On the Windows Server Update Services page, click Next.
On the Select Role Services page, Select Windows Server Update Services and Database, and then click Next.
On the Content location selection page, type a valid location to store the updates. For example, type E:\WSUS as the valid location.
Click Next. The Web Server Role (IIS) page opens. Review the information, and then click Next. In Select the role services to install for Web Server (IIS), retain the defaults, and then click Next.
On the Confirm installation selections page, review the selected options, and then click Install. The WSUS installation wizard runs. This might take several minutes to complete.
Once WSUS installation is complete, in the summary window on the Installation progress page, click Launch Post-Installation tasks. The text changes, requesting: Please wait while your server is configured. When the task has finished, the text changes to: Configuration successfully completed. Click Close.
In Server Manager, verify if a notification appears to inform you that a restart is required. This can vary according to the installed server role. If it requires a restart make sure to restart the server to complete the installation.
Post Configuration
Open Server Manager > Add/Remove Programs. It will present the previous installation wizard. Launch the Post-Configuration Wizard.
On the Welcome page, click Next.
On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.
Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.
On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
Make your selection, and then click Next.
On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance, or simply type the remote or local SQL Server name, and then click Next.
On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.
On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.
The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish, the configuration wizard will be launched.
Step6: Match the Advanced Options on the old WSUS Server & the new WSUS Server
Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:
Step7: Copy Updates from File System of the old WSUS Server to the new WSUS server
To back up updates from file system of old WSUS server to a file, follow these steps:
To restore updates from a file to the file system of the new server, follow these steps:
An alternative is to use the FastCopy software: copy and paste the WSUS content from the old server to the new server.
Step8: Copy Metadata from the Database on the old WSUS Server to the new WSUS Server
To import metadata into the database of the new Microsoft Windows Server Update Services server, follow these steps:
Copy the export.xml.gz or export.cab file from the old server to the new server using copy/paste or the FastCopy software.
Note: It can take from 3 to 4 hours for the database to validate content that has just been imported.
At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe. Type the following: wsusutil.exe import packagename logfile (For example: wsusutil.exe import export.cab import.log or wsusutil.exe import export.xml.gz export.log)
Step9: Point your Clients to the new WSUS Server
Next you need to change the Group Policy so that it points to the new server. To redirect Automatic Updates to a WSUS server, follow these steps:
Step10: Invoke GPUpdate
Open a PowerShell prompt as an administrator on any computer and run Invoke-GPUpdate <ServerName> to refresh Group Policy on that server so it picks up the new WSUS server.
Bulk Migration of Printer from Windows Server 2008/R2 to Windows Server 2012/R2
The following steps are for those who would like to migrate a print server from a legacy Server 2008/R2 to Windows Server 2012/R2. These steps bring in new drivers and avoid carrying old, corrupt drivers and configuration into the new system. If you use the print migration wizard you may bring legacy corrupt drivers into the new system. These steps are also helpful if you are using the Citrix Universal Print Driver.
Step1: Download the correct and latest generic/universal/global print driver. HP calls it Universal; other manufacturers may call it a global or generic driver. Help yourself from Bing.
Step2: Install Generic Driver.
Open Server Manager > Print Management > Print Servers > <server name> > Drivers.
Right-click and add the x64 and x86 drivers.
Step3: Extract Legacy print Configuration.
Open PowerShell as an administrator and run the following commands:
$printserver = "printservername.domain.com"
Get-WMIObject -Class Win32_Printer -ComputerName $printserver | Select-Object Name,DriverName,PortName,ShareName,Location,Comment | Export-Csv -Path 'C:\printers.csv' -NoTypeInformation
Step4: Create a CSV file as shown below from the CSV file extracted in Step 3.
Create the CSV file and store it as c:\printers.csv on the new Windows Server 2012 R2 server.
The first (header) row of the CSV is shown below; the script in Step 5 reads it with Import-Csv, so the columns are comma-separated. Add a row for each printer.
PrintServer,Driver,PortName,IPAddress,Sharename,Location,Comment,Printername
Step5: Create a PowerShell script as below (the script is extracted from http://poshcode.org/1462)
Open Notepad, copy the script below and paste it into Notepad, then save it as CreatePrinter.ps1.
function CreatePrinter {
    $server = $args[0]
    # create a new Win32_Printer instance on the target print server through WMI
    $print = ([WMICLASS]"\\$server\ROOT\cimv2:Win32_Printer").createInstance()
    $print.DriverName = $args[1]   # driver must already be installed on the server (Step 2)
    $print.PortName = $args[2]     # port created by CreatePrinterPort below
    $print.Shared = $true
    $print.ShareName = $args[3]
    $print.Location = $args[4]
    $print.Comment = $args[5]
    $print.DeviceID = $args[6]     # DeviceID is the printer name
    $print.Put()                   # commit the instance; the printer is created here
}
function CreatePrinterPort {
    $server = $args[0]
    # create a standard TCP/IP printer port on the target print server
    $port = ([WMICLASS]"\\$server\ROOT\cimv2:Win32_TCPIPPrinterPort").createInstance()
    $port.Name = $args[1]
    $port.SNMPEnabled = $false
    $port.Protocol = 1             # 1 = RAW (TCP 9100), 2 = LPR
    $port.HostAddress = $args[2]   # printer IP address
    $port.Put()
}
$printers = Import-Csv c:\printers.csv
foreach ($printer in $printers) {
    CreatePrinterPort $printer.PrintServer $printer.PortName $printer.IPAddress
    CreatePrinter $printer.PrintServer $printer.Driver $printer.PortName $printer.Sharename $printer.Location $printer.Comment $printer.Printername
}
Step6: Run the script
Log on to the new Server 2012/R2 print server. Open PowerShell as an administrator and run the above script. You will have to tweak a few things, such as additional drivers and amendments to print properties, but this is far less effort than building the entire print server manually.
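Because CreatePrinter.ps1 creates ports first and printers second, a bad row (typo in an address, a driver that was never installed in Step 2) fails half-way through and leaves orphaned ports behind. The following pre-flight check is an added example, not part of the original post or the poshcode script: it validates the Step 4 CSV layout, the IP addresses and the driver names before anything is created. The sample rows are constructed, and the driver list would normally come from Get-PrinterDriver on the new server (PrintManagement module, Windows Server 2012 and later).

```powershell
# Added example (not part of the original post): validate c:\printers.csv before running
# CreatePrinter.ps1. Assumptions: the Step 4 column layout, and an installed-driver list that on
# the real server comes from (Get-PrinterDriver).Name. The sample rows below are constructed.
function Test-PrinterCsv {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [string[]]$InstalledDrivers = @()      # empty list skips the driver check
    )
    $required = 'PrintServer','Driver','PortName','IPAddress','Sharename','Location','Comment','Printername'
    $problems = @()

    # column check first; without the right columns the row checks are meaningless
    $columns = $Rows[0].PSObject.Properties.Name
    foreach ($col in $required) {
        if ($columns -notcontains $col) { $problems += "missing column '$col'" }
    }
    if ($problems) { return $problems }

    $seen = @{}
    $line = 1                                   # line 1 is the header
    foreach ($row in $Rows) {
        $line++
        foreach ($col in 'PrintServer','Driver','PortName','IPAddress','Printername') {
            if ([string]::IsNullOrWhiteSpace($row.$col)) { $problems += "line ${line}: '$col' is empty" }
        }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($row.IPAddress, [ref]$ip)) {
            $problems += "line ${line}: IPAddress '$($row.IPAddress)' is not a valid address"
        }
        if ($seen.ContainsKey($row.Printername)) {
            $problems += "line ${line}: duplicate printer name '$($row.Printername)'"
        } else {
            $seen[$row.Printername] = $true
        }
        if ($InstalledDrivers.Count -gt 0 -and $InstalledDrivers -notcontains $row.Driver) {
            $problems += "line ${line}: driver '$($row.Driver)' is not installed on the target server"
        }
    }
    return $problems
}

# Constructed sample: the second row has an invalid address and a driver that is not installed
$sample = @'
PrintServer,Driver,PortName,IPAddress,Sharename,Location,Comment,Printername
PRINT01,HP Universal Printing PCL 6,IP_10.1.1.10,10.1.1.10,HR-LJ1,Level 2,HR printer,HR-LJ1
PRINT01,Old Broken Driver,IP_10.1.1.999,10.1.1.999,FIN-LJ1,Level 3,Finance,FIN-LJ1
'@ | ConvertFrom-Csv

$installed = @('HP Universal Printing PCL 6')   # on the real server: (Get-PrinterDriver).Name
$issues = Test-PrinterCsv -Rows $sample -InstalledDrivers $installed
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'CSV passed validation; safe to run CreatePrinter.ps1'
}
```

With the sample input the check reports two problems on line 3 (the bad address and the missing driver); swap `$sample` for `Import-Csv c:\printers.csv` and `$installed` for `(Get-PrinterDriver).Name` on the new server to run it for real.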
Further reading:
Forest Functional Prerequisites
RBAC Requirement
Your account must be a member of Domain Admins, Schema Admins and Enterprise Admin.
Systems Requirement
Processor | 1vCPU |
RAM | 4GB |
Free disk space requirements | 32 GB |
Screen resolution | 800 x 600 or higher |
Network | 1 Ethernet |
DVD | 1 |
Prepare Windows Machine
Prepare Forest and Domain
Install AD DS Role
Check New Domain Controller in AD Sites and Services
Check New Domain Controller in DNS Manager
Transfer FSMO Role
Now transfer all the FSMO roles from the Windows 2008 domain controller to the Windows 2012 R2 domain controller. Log on to the Windows 2008 domain controller as an enterprise admin, open a command prompt and type the following commands in order:
ntdsutil
roles
connections
connect to server WIN2012R2SERVERNAME
q
Transfer domain naming master
Transfer PDC
Transfer Schema Master
Transfer RID master
Transfer infrastructure master
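The ntdsutil sequence above has a scripted equivalent in the ActiveDirectory module, which also makes it easy to verify afterwards that all five roles really moved. The following is an added example, not from the original article; it assumes the new domain controller is named WIN2012R2SERVERNAME as in the ntdsutil commands and that the ActiveDirectory module (RSAT, Windows Server 2008 R2 and later) is available where you run it.

```powershell
# Added example (not from the original article): transfer the five FSMO roles with the
# ActiveDirectory module and verify the result. Assumption: the new DC is WIN2012R2SERVERNAME.
Import-Module ActiveDirectory

$newDc = 'WIN2012R2SERVERNAME'
$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# Transfer (not seize): the current holder must be online. -Force would seize instead, which is
# only for a dead DC that will never come back.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles -Confirm:$false

# Verify: forest-wide roles are reported by Get-ADForest, domain roles by Get-ADDomain
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$allMoved = $true
$holders.GetEnumerator() | ForEach-Object {
    # holders are returned as FQDNs, so compare only the host part
    $ok = $_.Value.Split('.')[0] -ieq $newDc
    if (-not $ok) { $allMoved = $false }
    '{0,-22} {1,-45} {2}' -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'NOT on new DC' })
}
if (-not $allMoved) { Write-Warning 'At least one role is still on the old DC; do not demote it yet' }
```

The verification is the part worth keeping even if you prefer ntdsutil for the transfer: demoting the 2008 R2 controller while it still holds a role is the classic way to end up with a seize later.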
Change DNS Properties of Servers and Workstation
Each server and workstation within the target domain requires a NIC properties update so that it points to the new domain controller for DNS. For DHCP clients, open the DHCP management console, select option 006 (DNS Servers) under the server or scope options, and add the IP address of your new domain controller as a DNS server.
Removing the Windows 2008 R2 domain controller
Note: Wait for all schema objects to be cleaned up automatically. Do not rush to clean any schema object or DNS record on the new domain controller.
This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.
Patching Requirements
Windows Server patches, hotfixes and service packs are critical for compliance, service level agreement and security purposes. Keeping operating systems and applications up to date is the key to aligning your infrastructure with the latest software. Patches and hotfixes also help you prevent security breaches and malware infection.
Windows Patch Classification
The following are strongly recommended patches:
Windows Product Classification
It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).
Patching Groups
Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:
1. UAT (UAT1, UAT2, etc)
2. Test Environment (Test1, Test2, etc)
3. Development Environment (Dev1, Dev2 etc)
4. Production (Prod1, Prod2, etc)
If you have a clustered environment such as SQL, Exchange or SharePoint, create Prod1 and Prod2 groups and place each node of the cluster in a different group.
Change Management
System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.
Backup
Why am I discussing backup with patching best practice? In case of emergency you can roll back completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to back up the server once per week; a more critical environment may need daily, and possibly continuous, backups. The backup program provided with Windows is capable of backing up to virtually any writable media, including network drives provided by a server in another physical location. It can also schedule backups, which ensures they occur at a regular interval.
Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:
Application Compatibility
Read the release notes of each hotfix you are going to apply so that you stay compliant with the applications installed on the server. Consult the application vendor before applying a service pack to any server that is hosting a specific business application. Consult the application engineer about the importance of server patching. Inform and educate the application engineer as much as possible to avoid conflicts of interest.
Documentation
Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.
Back out Plan
A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.
User Notifications
You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.
Consistency across Servers
Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.
Routine Maintenance Window
A scheduled maintenance window must be agreed with the business so that application outages and server reboots stay within a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock, then you must consider application dependencies. A patching schedule could, for example, run every Friday of the month from 6:00 P.M. Friday to 6:00 A.M. Monday. Set up a maintenance window in System Center, or a deadline in WSUS, to make sure patches are applied when you want rather than as soon as they become available. In this way you have complete control over the change windows approved by the change advisory board (CAB). Do not allow end users to install patches on their client machines at their own discretion; if you do, they will never install any patch.
Patching Tools
I strongly recommend that you spend a few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service packs and hotfixes. However, you can use Windows Server Update Services (WSUS) as the poor man's patching solution.
Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.
Automate, Automate and Automate!
Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.
Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.
Reboot Windows Computer
Some applications, such as the RSA Security Console, may require a reboot of the server before patching. However, most servers must be rebooted after patching. Do not suppress the reboot after patching under any circumstances, or you will have a messy environment and broken clusters.
X86 and X64 Windows Systems
The most prominent 32-bit application you're likely to see on a 64-bit Windows system is Office. This is where System Center benefits most, because you can make decisions based on architecture as well as compliance. You can approve patches based on "Needed and Not Installed": if a server or client needs an update it will be installed, and if not it will not. It is safe to do so.
Antivirus and Antispyware
Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It is important that a Windows server be equipped with the latest centrally managed antivirus program. Antivirus updates must be scheduled within the same maintenance window so that the antivirus is updated with the latest definitions.
Audit Practices
Servers have a powerful auditing feature built in. Typically, server managers want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it requires CPU and disk time to gather that information. Log management software should be used, if possible, for ease of managing and analysing the information. Reports can be generated from System Center and WSUS as proof of the patching cycle.
Log Retention
Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.
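The two settings the paragraph above describes (a larger maximum size and overwrite-as-needed) can be enforced and measured from PowerShell. The following is an added example, not from the original article: it raises the classic logs to a minimum size, sets the overflow action, and then reports how many days each log actually covers, which is the number you compare against the 30-day target. The sizes are constructed assumptions; pick them from your own event rate.

```powershell
# Added example (not from the original article): enforce a minimum size and overwrite-as-needed
# policy on the classic logs, then report how far back each log currently reaches.
# Assumption: the sizes below are constructed; Limit-EventLog needs a multiple of 64 KB.
function Set-LogRetentionPolicy {
    param(
        [hashtable]$MinimumSizeKB = @{ Security = 524288; System = 131072; Application = 131072 }
    )
    foreach ($log in $MinimumSizeKB.Keys) {
        $current = Get-EventLog -List | Where-Object { $_.Log -eq $log }
        if (-not $current) { Write-Warning "log '$log' not found"; continue }
        $tooSmall  = $current.MaximumKilobytes -lt $MinimumSizeKB[$log]
        $wrongMode = $current.OverflowAction -ne 'OverwriteAsNeeded'
        if ($tooSmall -or $wrongMode) {
            Limit-EventLog -LogName $log -MaximumSize ($MinimumSizeKB[$log] * 1KB) -OverflowAction OverwriteAsNeeded
            Write-Host "$log set to $($MinimumSizeKB[$log]) KB, overwrite as needed"
        } else {
            Write-Host "$log already meets the policy ($($current.MaximumKilobytes) KB)"
        }
    }
}

function Get-LogCoverageDays {
    param([string[]]$LogName = @('Security','System','Application'))
    foreach ($log in $LogName) {
        # the oldest surviving event tells you how much history the current size really holds
        $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $days = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { 0 }
        [pscustomobject]@{
            Log         = $log
            OldestEvent = if ($oldest) { $oldest.TimeCreated } else { $null }
            DaysCovered = $days
        }
    }
}

Set-LogRetentionPolicy
Get-LogCoverageDays | Format-Table -AutoSize
```

If DaysCovered for the Security log is well under 30 after a few weeks of normal operation, the log is cycling too fast for the stated retention and either the size needs to go up or the log needs to be shipped to the log management system the paragraph recommends.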
Installing Updates on a single Exchange Server
Download the Exchange update from the Microsoft Download Center and record the current Exchange version information.
Check for publisher’s certificate revocation
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab, and then locate the Security section.
4. Clear the Check for publisher’s certificate revocation check box, and then click OK.
5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.
Pre-check before installing
1. Determine which update rollup packages are installed on your Exchange server roles
2. Determine whether any interim updates are installed
3. Review interim updates
4. Obtain the latest update rollup package
5. Apply on a Test Exchange Server
Install Exchange Update
1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.
2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.
Install Exchange Update on DAG Member
To update all DAG members, perform the following procedure on each DAG member, one at a time. Put the member server into maintenance mode using this PowerShell command from the Exchange Scripts directory:
.\StartDagServerMaintenance.ps1 <ServerName>
Install the update rollup
1. Close all Exchange management tools.
2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.
3. On the Welcome page, click Next.
4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.
5. On the Completion page, click Finish.
Once the update is installed, take the server out of maintenance mode by running the StopDagServerMaintenance.ps1 script. Then run the following command to rebalance the DAG, as needed:
.\RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution
When the installation is finished, complete the following tasks:
Patching Microsoft Failover Cluster
You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.
Procedure to install Windows service pack or hotfixes in Windows Server 2003:
Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:
You can use the following PowerShell Cmdlet to accomplish the same.
1. Load the module with the command: Import-Module FailoverClusters
2. Suspend (pause) activity on failover cluster node nodeA: Suspend-ClusterNode nodeA
3. Move the clustered services or applications (resource groups) off nodeA to another node: Get-ClusterNode nodeA | Get-ClusterGroup | Move-ClusterGroup
4. Resume activity on nodeA that was suspended in step 2: Resume-ClusterNode nodeA
5. Move the clustered services or applications (resource groups) off nodeB to another node: Get-ClusterNode nodeB | Get-ClusterGroup | Move-ClusterGroup
6. Suspend (pause) activity on the other failover cluster node: Suspend-ClusterNode nodeB
7. Resume activity on nodeB that was suspended in step 6: Resume-ClusterNode nodeB
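The seven steps above are the per-node loop of a rolling patch; what they leave implicit is the gate between nodes (never pause the next node until every clustered role is back online). The following is an added example, not part of the original article, that wraps the sequence in a function with that gate. It assumes Windows Server 2012 or later nodes (Suspend-ClusterNode -Drain), WinRM enabled on the nodes, and a constructed update package path C:\Patches\update.cab already copied to each node.

```powershell
# Added example (not part of the original article): rolling node maintenance with a health gate.
# Assumptions: WSFC on Windows Server 2012+ (for -Drain), WinRM reachable, and a constructed
# package path C:\Patches\update.cab on every node.
Import-Module FailoverClusters

function Test-ClusterReady {
    # $true only when no node is Down and every clustered group is Online.
    # "Available Storage" is legitimately Offline when all disks are CSV, so it is excluded.
    $badNodes  = Get-ClusterNode  | Where-Object { $_.State -eq 'Down' }
    $badGroups = Get-ClusterGroup | Where-Object { $_.Name -ne 'Available Storage' -and $_.State -ne 'Online' }
    return (-not $badNodes) -and (-not $badGroups)
}

function Wait-ClusterReady {
    param([int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        if (Test-ClusterReady) { return $true }
        Start-Sleep -Seconds 15          # failback and role start-up take a little while
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-RollingNodePatch {
    param(
        [Parameter(Mandatory)] [scriptblock]$PatchStep,   # invoked with the node name
        [string[]]$Nodes = (Get-ClusterNode | Sort-Object Name).Name
    )
    foreach ($node in $Nodes) {
        if (-not (Wait-ClusterReady)) {
            throw "Cluster not healthy before $node; stopping the rolling patch"
        }
        # Steps 2-3 in one call: pause the node and drain its roles to the other nodes
        Suspend-ClusterNode -Name $node -Drain -Wait | Out-Null
        if ((Get-ClusterNode -Name $node).State -ne 'Paused') {
            throw "$node did not reach the Paused state"
        }
        & $PatchStep $node
        # Step 4: resume, and fail roles back straight away so the next node can be drained
        Resume-ClusterNode -Name $node -Failback Immediate | Out-Null
        Write-Host "$node patched and resumed"
    }
    if (-not (Wait-ClusterReady)) { throw 'Cluster did not return to a healthy state after the last node' }
}

# Usage (constructed): add the package on each node with DISM, reboot, wait for WinRM to come back
Invoke-RollingNodePatch -PatchStep {
    param($n)
    Invoke-Command -ComputerName $n -ScriptBlock {
        Add-WindowsPackage -Online -PackagePath 'C:\Patches\update.cab' -NoRestart | Out-Null
    }
    Restart-Computer -ComputerName $n -Wait -For PowerShell -Force
}
```

The `-Drain` switch replaces the separate Move-ClusterGroup step on 2012 and later; on 2008 nodes, where it does not exist, keep the manual Get-ClusterGroup | Move-ClusterGroup from step 3 and use Suspend-ClusterNode without it.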
It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.
Bottom line
1. Read all related documents.
2. Use a change control process.
3. Apply updates that are needed.
4. Test patches and hotfixes on test environment.
5. Don’t get more than 2 service packs behind.
6. Target non-critical servers first.
7. Service Pack (SP) level consistency.
8. Latest SP instead of multiple hotfixes.
9. Apply only on exact match.
10. Subscribe to Microsoft email notification.
11. Always have a back-out plan.
12. Have a working Backup and schedule production downtime.
13. Consistency across Domain Controllers and application servers.
SQL Server failover cluster rolling patch and service pack process
Patch Management on Business-Critical Servers
Download Windows Server 2012 and have fun!!!
How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN
Create a text file using Notepad, copy the following content into it, and save it as request.inf.
;copy from here
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=myserver.microsoftguru.com.au" ; must be the FQDN of domain controller
EncipherOnly = FALSE ; only for Win2k3 & WinXP
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048 ; Common key sizes: 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC ; or PKCS10
; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
; If your client operating system is Win2k8, Win Vista or Win7,
; SANs can be included in the Extensions section by using the following text format.
; Note: 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=Exchange1.microsoftguru.com.au&"
_continue_ = "dn=CN=Exchange1,OU=My Servers,DC=microsoftguru,DC=com,DC=au&"
_continue_ = "url=http://myserver.microsoftguru.com.au&"
_continue_ = "ipaddress=172.31.10.134&"
_continue_ = "email=test@microsoftguru.com.au&"
_continue_ = "upn=test@microsoftguru.com.au&"
_continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
; Alternatively you can create a SAN attribute using a script provided in the KB.
; Use the text format or the base-64 encoded format of the SAN: 2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==
[RequestAttributes]
; Multiple alternative names must be separated by an ampersand (&).
; In the example I have shown two different types of SAN. Use only one type of SAN.
; Asterisk *.yourdomainname.com.au is used for Wildcard certificates.
SAN="dns=exchange1.microsoftguru.com.au&dns=www.microsoftguru.com.au&ipaddress=172.31.10.130"
SAN="dns=webmail.microsoftguru.com.au&dns=*.microsoftguru.com.au&dns=autodiscover.microsoftguru.com.au"
CertificateTemplate = WebServer
; change template name depending on your environment.
; remove the ";" comment lines from request.inf. File ends here.
Important note: Some third-party certification authorities (for example, ISPs who sell SSL certificates) may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject="E=test@microsoftguru.com.au, CN=<FQDN of server>, OU=My Servers, O=Microsoftguru, L=Perth, S=WA, C=AU". Amend Request.inf as per your needs. For a standard certificate request you can omit the SAN lines and the [Extensions] and [EnhancedKeyUsageExtension] sections.
Open a command prompt. At the command prompt, type the following command, and then press ENTER:
certreq -new c:\request.inf c:\certnew.req
At the command prompt, type the following command, and then press ENTER:
certreq -submit c:\certnew.req c:\certnew.cer
If there is more than one CA in the environment, the -config switch can be used on the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.
certreq -submit -config "DC.microsoftguru.com.au\MYCA" c:\certnew.req c:\certnew.cer
Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:
certreq -retrieve RequestID c:\certnew.cer
You can also use the -config switch here to retrieve the certificate request from a specific CA.
At the command prompt, type the following command, and then press ENTER:
certreq -accept c:\certnew.cer
This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in previous step.
For the CA to honour SAN values supplied as request attributes (the SAN= lines in the [RequestAttributes] section above), the EDITF_ATTRIBUTESUBJECTALTNAME2 flag must be set on the CA's policy module and the certificate service restarted:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
Be aware of what this flag does: once it is set, any requester who can enrol for any template on that CA can put an arbitrary subject alternative name, including another account's UPN, into the request attributes, and the CA will issue it. It should not stay enabled on an enterprise CA; put the SAN in the request itself (the [Extensions] section above) or use a template that allows the subject to be supplied in the request, and clear the flag again with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 when it is no longer needed.
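Whether the EditFlags change took effect, and whether any CA in the environment has been left with the attribute flag enabled, can be read directly from the CA's registry configuration. The following is an added example, not from the original post: it resolves the active CA and active policy module from the registry, reads EditFlags and tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000). It assumes it is run locally on the CA; for remote CAs wrap Get-CaEditFlags in Invoke-Command.

```powershell
# Added example (not from the original post): audit the CA policy module's EditFlags for
# EDITF_ATTRIBUTESUBJECTALTNAME2. Assumption: run locally on the CA with read access to
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaEditFlags {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # "Active" under Configuration names the CA; "Active" under PolicyModules names the policy module
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $policy = (Get-ItemProperty -Path "$base\$caName\PolicyModules" -Name Active).Active
    $flags  = (Get-ItemProperty -Path "$base\$caName\PolicyModules\$policy" -Name EditFlags).EditFlags
    [pscustomobject]@{
        CA                       = $caName
        PolicyModule             = $policy
        EditFlags                = ('0x{0:x}' -f $flags)
        AttributeSubjectAltName2 = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

$state = Get-CaEditFlags
$state | Format-List
if ($state.AttributeSubjectAltName2) {
    Write-Warning ("EDITF_ATTRIBUTESUBJECTALTNAME2 is set on {0}: SAN request attributes are honoured " +
                   "for every template. Clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2") -f $state.CA
}
```

The same bit test works on the hexadecimal value printed by `certutil -getreg policy\EditFlags`, so the function is mainly a convenience for checking several CAs from one place.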
If you are using a network HSM, complete steps 8 through 10 to repair the association between the imported CA certificate and the private key that is stored in the HSM.
In the console tree, double-click Personal Certificates, and click the imported CA certificate.
On the Action menu, click Open. Click the Details tab, copy the serial number to the Clipboard, and then click OK.
Open a Command Prompt window, type certutil -repairstore My "{SerialNumber}" and then press ENTER.
How to enable secure certificate enrolment in certificate authority
Step1: Create request.inf file using WebServer template
Step2: Generate a web server certificate request.req file using certreq.exe tools
certreq -new c:\request.inf c:\request.req
Step3: Submit the request.req file using certreq.exe or the CA management console, and save certificate.cer.
Open the CA MMC > select the CA server > right-click the CA server > All Tasks > Submit new request.
Point to c:\request.req and submit; you will be prompted to save the certificate.
Step4: Import the certificate into certificate authority
Start Microsoft Management Console (MMC). Add the Certificates snap-in that manages certificates on the local computer.
Expand Certificates (Local Computer), expand Personal, and then expand Certificates. Right-click and import the certificate you saved in the previous steps.
Step6: Run iisreset /restart from command prompt
Step7: Test https://MYCA/certsrv
To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:
Under Advanced Options, set the request format to CMC. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
san:dns=dns.name[&dns=dns.name]
Multiple DNS names are separated by an ampersand (&). For example, if the name of the server is myserver.microsoftguru.com.au and the aliases are autodiscover.microsoftguru.com.au and webmail.microsoftguru.com.au, these names must be included in the SAN attributes. The resulting attribute string appears as follows:
san:dns=myserver.microsoftguru.com.au&dns=myweb.microsoftguru.com.au&dns=mysite.microsoftguru.com.au
Click Submit. If you see the Certificate Issued Web page, click Install this Certificate.
My preferred way to request a certificate is to create a .req file as shown in the previous steps. Open the .req file in Notepad and copy the contents. Click "Submit a certificate request by using a base-64-encoded file".
Paste the contents into the base-64-encoded request box, select the Web Server template, and click Submit.
Now obtain the certificate: click Yes.
To download the certificate with the root CA and CRL, click Download certificate chain (in p7b format).
To download only the certificate, click Download certificate and save it.
How to configure Private Key in Certificate Authority and Export Private Key
1. Open the CA MMC from Administrative Tools>right-click Certificate Templates>click Manage.
2. Select the WebServer template>right-click the WebServer template>click Duplicate Template>select the Win2k3 or Win2k8 OS version>type the template name as WebServer With Private Key in the General tab.
3. Click the Request Handling tab>check Allow private key to be exported.
4. Click the Security tab>allow appropriate permissions for the person who will enroll and export the certificates.
5. Click OK. Close the CA MMC.
6. Create a Request.inf for the WebServer template and generate a Request.req file from it.
7. Submit the WebServer request to https://myca/certsrv. Download and install the certificate.
To export a certificate with the private key
1. Open Certificate Manager by clicking the Start button>Search box>type certmgr.msc, and then press ENTER.
2. Go to Certificates - Current User\Personal\Certificates>select the certificate you would like to export.
3. On the Action menu, point to All Tasks, and then click Export. In the Certificate Export Wizard, click Yes, export the private key.
Note that this option will appear only if the private key is marked as exportable in the request.inf file and you have access to the private key.
4. Under Export File Format, choose the options you need, and then click Next.
5. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
6. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.
How to import Private Key
1. Click Start Menu>Search box>type mmc>add the Certificates snap-in>select Computer account>click OK.
2. Click a folder, click the Action menu, point to All Tasks, and then click Import.
3. Browse to the location where you exported the certificate>select the certificate>provide the password to import the certificate.
4. Click Next, and then follow the instructions.
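The export and import steps above, scripted with the PKI module cmdlets (Windows 8 / Server 2012 and later), as an added example that is not part of the original post. The thumbprint and file paths are placeholders. The script checks for a present, exportable private key before attempting the export, which is the same condition under which the wizard offers the "export the private key" option; CNG-backed keys do not expose that flag through .NET, so for them the export itself decides.

```powershell
# Added example, not from the original post. Requires the PKI module
# (Export-PfxCertificate / Import-PfxCertificate), i.e. Windows 8 / Server 2012 or later.
# $Thumbprint and $PfxPath are placeholders to replace.

$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
$PfxPath    = 'C:\Backup\webserver.pfx'

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    # CAPI (CSP) keys expose the exportable flag through CspKeyContainerInfo.
    $rsa = $Cert.PrivateKey
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return [bool]$rsa.CspKeyContainerInfo.Exportable
    }
    # CNG keys do not surface the flag here; let the export itself decide.
    return $true
}

function Export-CertWithPrivateKey {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)
    # Search the user's and the machine's Personal stores, like certmgr.msc / mmc do.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in the Personal stores." }
    if (-not (Test-PrivateKeyExportable $cert)) {
        throw 'Private key missing or marked non-exportable (Exportable=FALSE in the request .inf).'
    }
    # BuildChain includes the issuing CA chain, like the wizard's default;
    # the PKCS #12 file is encrypted with $Password.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain
}

function Import-CertWithPrivateKey {
    param([string]$PfxPath, [securestring]$Password)
    # Machine store, matching the "Computer account" snap-in in the import procedure.
    # Add -Exportable only if the key must be moved again later.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
}

# Read-Host -AsSecureString keeps the password out of the console history.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Export-CertWithPrivateKey -Thumbprint $Thumbprint -PfxPath $PfxPath -Password $pfxPassword
# On the destination machine, after copying the .pfx:
# Import-CertWithPrivateKey -PfxPath $PfxPath -Password $pfxPassword
```

The export is deliberately limited to keys whose container says they are exportable; if the template was duplicated without "Allow private key to be exported" the function fails with a clear message instead of a generic cryptographic error.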
Playing with AD CS Administration Cmdlets in Windows PowerShell
The following Windows PowerShell cmdlets are for use in administering the Active Directory Certificate Services (AD CS) certification authority (CA) role service in Windows Server "8" Beta.
Disaster recovery or migration procedure for an Active Directory Certificate Authority:
You must be a member of the Domain Admins security group to perform the following operations. To move a CA from a server that is running Windows Server 2003 to a server that is running Windows Server 2008, you can either complete the Windows upgrade first and then move the CA, or move the CA first and then upgrade Windows.
To back up a CA
1. Open the Certification Authority snap-in.
2. In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
3. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Specify the backup location, and then click Next.
4. Type a password for the CA private key backup file, and type it a second time to confirm the password. Then click Finish.
5. Click Start, click Run, type regedit, and then click OK. Locate and right-click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
6. Click Export. Save the registry file in the CA backup folder that you used for the Certification Authority Backup Wizard.
7. Back up the CA logs from the D:\Winnt\System32\Certlog folder. You must restore this backup to the same D:\Winnt\System32\Certlog folder; after you restore it, you can move the CA database files to a different location.
Alternatively, from the command line: log on with local administrative credentials to the CA computer.
Open a Command Prompt window.
Type certutil.exe -backupdb <BackupDirectory> and press ENTER.
Type certutil.exe -backupkey <BackupDirectory> and press ENTER.
Type a password at the prompt, and press ENTER. You must retain a copy of the password to access the key during CA installation on the destination server.
Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service. The service must be stopped to prevent issuance of additional certificates.
After the backup completes, verify the following files in the location you specified:
Copy all backup files to a location that is accessible from the destination server; for example, a network share or removable media.
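The command-line backup above as a script, added here as an example that is not part of the original post. It uses certutil.exe, which exists on Windows Server 2008 as well as later versions (Backup-CARoleService in the ADCSAdministration module is the Server 2012+ equivalent), exports the CertSvc Configuration key the wizard procedure asks for, optionally stops the service, and then checks for the files certutil is expected to have written. $BackupRoot, and the assumption that certutil names the .p12 and .edb files after the CA's common name (the "Active" value under the Configuration key), are mine, not the page's.

```powershell
# Added example, not from the original post. Run elevated on the source CA.
# $BackupRoot is an assumption; certutil -backupdb needs a directory that does not
# already contain a DataBase sub-folder, hence the timestamped path.

$BackupRoot   = "D:\CABackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"
$ConfigKeyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'   # reg.exe form
$ConfigKeyPS  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'  # provider form

function Test-CABackup {
    param([string]$BackupRoot)
    # Assumption: certutil uses the CA common name (the "Active" value) for the
    # .p12 and .edb file names it writes.
    $caName = (Get-ItemProperty $ConfigKeyPS).Active
    $expected = @(
        (Join-Path $BackupRoot "$caName.p12"),
        (Join-Path $BackupRoot "DataBase\$caName.edb"),
        (Join-Path $BackupRoot 'CertSvc-Configuration.reg')
    )
    $report = @(foreach ($path in $expected) {
        [pscustomobject]@{ File = $path; Present = (Test-Path $path) }
    })
    # At least one transaction log must accompany the database for a consistent restore.
    $logs = @(Get-ChildItem (Join-Path $BackupRoot 'DataBase') -Filter 'edb*.log' -ErrorAction SilentlyContinue)
    $report += [pscustomobject]@{ File = 'DataBase\edb*.log'; Present = ($logs.Count -gt 0) }
    $report
}

function Backup-CertificationAuthority {
    param([string]$BackupRoot, [switch]$StopService)

    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # 1. Certificate database and logs -> $BackupRoot\DataBase\
    & certutil.exe -backupdb $BackupRoot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed (exit code $LASTEXITCODE)" }

    # 2. CA certificate and private key -> $BackupRoot\<CAName>.p12
    #    certutil prompts for the PFX password; record it with the backup, it is
    #    required when the key is imported on the destination CA.
    & certutil.exe -backupkey $BackupRoot
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed (exit code $LASTEXITCODE)" }

    # 3. Registry configuration, the same subkey the wizard procedure exports.
    & reg.exe export $ConfigKeyReg (Join-Path $BackupRoot 'CertSvc-Configuration.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

    # 4. Stop issuance so nothing is issued after the backup point.
    if ($StopService) { Stop-Service CertSvc }

    Test-CABackup -BackupRoot $BackupRoot
}

Backup-CertificationAuthority -BackupRoot $BackupRoot -StopService | Format-Table -AutoSize
```

The report table is the check the procedure asks for but does not spell out: every row must read Present = True before the backup is copied off the server and the role is removed.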
How to remove the CA role service from the source server
It is important to remove the CA role service from the source server after completing backup procedures and before installing the CA role service on the destination server. Enterprise CAs and standalone CAs that are domain members store in Active Directory Domain Services (AD DS) configuration data that is associated with the common name of the CA. Removing the CA role service also removes the CA’s configuration data from AD DS. Because the source CA and destination CA share the same common name, removing the CA role service from the source server after installing the CA role service on the destination server removes configuration data that is required by destination CA and interferes with its operation.
The CA database, private key, and certificate are not removed from the source server by removing the CA role service. Therefore, reinstalling the CA role service on the source server restores the source CA if migration fails and performing a rollback is required.
Highly recommended tasks: staging a certificate restore is the most important part before you decommission the existing certificate server. Create an isolated environment similar to your Active Directory Domain Services. Add a new Certificate Authority and restore the database and private key. Test certificates, templates, registry and private key to confirm they match your production infrastructure. Once you are happy and the restoration tasks complete successfully, you can decommission the certificate authority. If the source certificate authority is virtual, then I would recommend you take a snapshot before you remove the CA role.
To restore a CA on a new server from a backup copy
1. Open Server Manager, and click Active Directory Certificate Services. Click Next two times.
2. On the Select Role Services page, select the Certification Authority check box, and then click Next.
3. On the Specify Setup Type page, click either Standalone or Enterprise, and then click Next.
Note: You must have a network connection to a domain controller in order to install an enterprise CA.
4. On the Specify CA Type page, click the appropriate CA type, and then click Next.
5. On the Set Up Private Key page, click Use existing private key, click Select a certificate and use its associated private key, and then click Next.
6. On the Select Existing Certificate page, click Import, type the path of the .P12 file in the backup folder, type the password that you chose in the previous procedure to protect the backup file, and then click OK.
7. In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.
8. Click Next two times.
9. On the Configure Certificate Database page, specify the same location for the certificate database and certificate database log as on the previous CA computer. Click Next. On the Confirm Installation Options page, review all of the configuration settings>click Install and wait until the setup process has finished.
10. Locate the registry file that you saved in the backup procedure, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. Verify the registry in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
11. Open the Services snap-in to stop the Active Directory Certificate Services (AD CS) service.
12. Open the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA to open the Certification Authority Restore Wizard.
13. Click Next, and select the Private key and CA certificate and Certificate database and certificate database log check boxes. Type the backup folder location, and then click Next. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. Click Finish, and then click Yes to restart AD CS when the CA database is restored.
To restore the CA database from the command line instead:
Log on to the destination server by using an account that is a CA administrator.
Open a Command Prompt window.
Type certutil.exe -f -restoredb <CA Database Backup Directory> and press ENTER.
To restore the list of certificate templates the CA issues:
Log on with administrative credentials to the destination CA.
Open a Command Prompt window.
Type certutil -setcatemplates +<templatelist> and press ENTER.
Important: Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated on the target system after migration, because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different on the target system.
Verify the registry location and configuration parameters at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
If the name of the destination server is different from the source server, the destination server must be granted permissions on the source server’s CDP and AIA containers in AD DS to publish CRLs and CA certificates. Complete the following procedure in the case of a server name change.
Open Active Directory Sites and Services> In the console tree, click the top node.
On the View menu, click Show services node. In the console tree, expand Services, expand Public Key Services, and then click AIA.
In the details pane, right-click the name of the source CA, and then click Properties.
Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.
Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply.
If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.
In the console tree, expand CDP, and then click the name of the source server.
In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties.
4. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.
5. Type the name of the destination server, and click OK. In the Allow column, click Full Control, and click Apply. If the source server object is displayed in Group or user names, click the name of the source server, then click Remove, and then click OK.
6. Repeat the preceding steps for each cRLDistributionPoint item.
To verify shared storage is online
Log on to the destination server. Start Server Manager.
In the console tree, double-click Storage, and click Disk Management.
Ensure that the shared storage is online and assigned to the node you are logged on to.
Follow the Configure Microsoft Failover Cluster URL to create and configure a cluster.
Open Failover Cluster Manager from Administrative Tools> Right Click on newly created cluster node>click Configure a service or Application. If the Before you begin page appears, click Next.
In the list of services and applications, select Generic Service, and click Next.
In the list of services, select Active Directory Certificate Services, and click Next.
Specify a service name, and click Next. Select the disk storage that is still mounted to the node, and click Next.
To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc, and then click OK. Click Next twice.
Click Finish to complete the failover configuration for AD CS.
In the console tree, double-click Services and Applications, and select the newly created clustered service.
In the details pane, click Generic Service. On the Action menu, click Properties.
Change Resource Name to Certification Authority, and click OK.
If you use a hardware security module (HSM) for your CA, complete the following procedure.
Open the Failover Cluster Management snap-in. In the console tree, click Services and Applications.
In the details pane, select the previously created name of the clustered service.
On the Action menu, click Add a resource, and then click Generic Service.
In the list of available services displayed by the New Resource wizard, click the name of the service that was installed to connect to your network HSM. Click Next twice, and then click Finish.
Under Services and Applications in the console tree, click the name of the clustered services.
In the details pane, select the newly created Generic Service. On the Action menu, click Properties.
On the General tab, change the service name if desired, and click OK. Verify that the service is online.
In the details pane, select the service previously named Certification Authority. On the Action menu, click Properties.
On the Dependencies tab, click Insert, select the network HSM service from the list, and click OK.
Open Active Directory Sites and Services. In the console tree, click the top node.
On the View menu, click Show services node. In the console tree, expand Services, then Public Key Services, and then click AIA.
In the details pane, right-click the name of the source CA, and then click Properties.
Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.
Type the computer account names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.
In the console tree, click Enrollment Services. In the details pane, right-click the name of the source CA, and then click Properties.
Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK. Type the computer account names of all cluster nodes, and click OK.
In the Allow column, select the Full Control check box next to each cluster node, and click OK.
In the console tree, click KRA.
10. In the details pane, right-click the name of the source CA, then click Properties. Click the Security tab, and then click Add. Click Object Types, click Computers, and then click OK.
11. Type the names of all cluster nodes, and click OK. In the Allow column, select the Full Control check box next to each cluster node, and click OK.
1. Log on to the active cluster node as a member of the Enterprise Admins group.
2. Open ADSI Edit. On the Action menu, click Connect to, click Configuration, and click OK.
3. In the console tree, expand Configuration\Services\Public Key Services\Enrollment Services.
4. Double-click the CN of the CA and check that dNSHostName is the same name shown for the clustered service in the Failover Cluster Manager snap-in, and click OK. If not, enter the proper FQDN of the cluster as shown in the screenshot. Click OK to save changes.
5. Open dnsmgmt.msc from Start>Run. Verify that a Host (A) DNS record has been added with the same name and IP address as the cluster.
Configuring CRL distribution points for failover clusters
When a CA is running on a failover cluster, the server’s short name must be replaced with the cluster’s short name in the CRL distribution point and authority information access locations. To publish the CRL in AD DS, the CRL distribution point container must be added manually.
The following procedures must be performed on the active cluster node.
1. Open Registry Editor and locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
2. Click the name of the CA. In the right pane, double-click CRLPublicationURLs.
3. In the second line, replace %2 with the service name specified in step 6 of the procedure "To configure AD CS as a cluster resource." The service name also appears in the Failover Cluster Management snap-in under Services and Applications. Restart the CA service.
4. Open a command prompt, type certutil -CRL, and press ENTER.
5. To create the CRL distribution point container in AD DS, at a command prompt type cd %windir%\System32\CertSrv\CertEnroll, and press ENTER. The CRL file created by the certutil -CRL command should be located in this directory.
6. To publish the CRL in AD DS, type certutil -f -dspublish "CRLFile.crl" and press ENTER.
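An added example, not part of the original post, that serves both the registry review the migration section asks for (which values still refer to the source server) and the CRL distribution point rewrite just described. It reads the same CertSvc Configuration key, lists every CRL and AIA publication entry with its flags, flags entries that still name the old host or use the %2 server short name token, and can rewrite %2 in the LDAP entry to the cluster service name. $OldHostName and $ClusterServiceName are placeholders; the token and flag meanings in the comments are from certutil's own -setreg documentation.

```powershell
# Added example, not from the original post. Reviews and, optionally, rewrites the CA's
# CRL distribution point and AIA publication URLs stored under the CertSvc Configuration
# key used in the procedures above. $OldHostName and $ClusterServiceName are assumptions.

$ConfigKey          = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$OldHostName        = 'oldca'        # source server short name that must not survive the move
$ClusterServiceName = 'CA-Cluster'   # service name chosen when AD CS was added as a cluster resource

# Tokens certutil expands in these URLs:
#   %1 ServerDNSName   %2 ServerShortName   %3 CaName   %4 CertificateName
#   %6 ConfigurationContainer   %7 SanitizedCaName   %8 CRLNameSuffix
#   %9 DeltaCRLAllowed   %10 CDPObjectClass   %11 CAObjectClass
# Each entry is "<flags>:<url>"; flags: 1 publish CRL here, 2 add to CDP extension of
# issued certificates, 4 add to freshest-CRL extension, 8 add to CDP extension of CRLs,
# 64 publish delta CRL here.

function Get-CAPublicationUrls {
    $caName = (Get-ItemProperty $ConfigKey).Active
    $props  = Get-ItemProperty (Join-Path $ConfigKey $caName)
    foreach ($kind in 'CRLPublicationURLs', 'CACertPublicationURLs') {
        foreach ($entry in @($props.$kind)) {
            $flags, $url = $entry -split ':', 2
            [pscustomobject]@{
                Setting             = $kind
                Flags               = [int]$flags
                Url                 = $url
                # Anything still naming the source host breaks revocation checks and
                # AIA fetches on clients once that host is gone.
                ReferencesOldHost   = ($url -match [regex]::Escape($OldHostName))
                UsesServerShortName = ($url -match '%2')
            }
        }
    }
}

function Set-CAClusterCdpName {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ClusterServiceName)
    $caName  = (Get-ItemProperty $ConfigKey).Active
    $caKey   = Join-Path $ConfigKey $caName
    $current = @((Get-ItemProperty $caKey).CRLPublicationURLs)
    # Replace %2 only in the LDAP entry (the "second line" in the procedure); file and
    # http entries normally use %3/%8, not the server short name.
    $updated = foreach ($entry in $current) {
        if ($entry -match '^\d+:ldap:///') { $entry -replace '%2', $ClusterServiceName } else { $entry }
    }
    if ($PSCmdlet.ShouldProcess($caKey, 'Rewrite CRLPublicationURLs')) {
        Set-ItemProperty -Path $caKey -Name CRLPublicationURLs -Value ([string[]]$updated) -Type MultiString
        Restart-Service CertSvc
        # Publish a CRL to the new path so the CDP object is created under the cluster name.
        & certutil.exe -CRL | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }
    }
    $updated
}

Get-CAPublicationUrls | Format-Table -AutoSize
Set-CAClusterCdpName -ClusterServiceName $ClusterServiceName -WhatIf   # drop -WhatIf to apply
```

Run the review first on the source CA and again on the destination after the registry import: any row with ReferencesOldHost = True is a URL that has to be changed (or the old name kept resolvable) before the source server is decommissioned, because issued certificates already carry those URLs.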
Check the desired events to audit>click OK. Restart the CA service.
To deploy the enterprise root CA certificate using a GPO, create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Trusted Root Certification Authorities>click Import>locate the root certificate and import it. Click Close.
To set up automatic certificate requests, create a new group policy or use an existing GPO. Click Edit. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies. Right-click Automatic Certificate Request Settings>click New>click Automatic Certificate Request>configure the certificate template and request. Follow the screenshot. Note that Autoenroll must be allowed in the Security tab of the certificate template on the CA.
How to extend root certificate authority and subordinate CA
To install an Enterprise Root CA, build a Windows Server 2008 machine and join it to the domain. Log on as a domain admin. Add and install the Web Server (IIS) role on that server as a prerequisite. Once finished, add the Active Directory Certificate Services role. Select Enterprise root CA while installing the CA. More detailed installation guidance is in these screenshots.
To install a standalone root CA, follow similar steps with one exception: a standalone CA isn't part of the Active Directory domain. You have to manually import certificate requests to the standalone CA server, which I will explain in a later part of this article.
To secure CA management and delegate management authority, you can segregate roles in the certificate authority. There are five roles available to manage a CA: CA Administrator, CA Manager, CA Auditor, Backup Operator and Enrollees. To assign these roles, log on to the CA as an administrator and open the CA Management Console. Right-click the CA server name>click Properties. Go to the Security tab, add specific groups to this window and assign the desired roles. The following screenshots illustrate these options.
Before you can enroll certificates, install an SSL certificate for the CA itself and provide an FQDN for users and computers to request certificates.
Open IIS management console in CA authority Server. Click on CA server>Click on Create a Domain certificate on right hand side Action pan.
Click Finish to complete request.
Click on Sites>click Bindings
Click Add>Select SSL>Select IP & Port 443
Select Certificate you just created.
Now Create a CNAME in DNS server such as CA.microsoftguru.com.au
Open IE browser to test SSL certificate request.
There are default certificate templates in CA. The templates are stored in Active Directory for use by every CA in the forest. When deploying certificates duplicate a template (by right click on certificate template>Manage) similar to your purpose, name the template, setup certificate period, publish in Active Directory, setup security on the security tab. Now right click on certificate template>Click New>Click on Certificate Template to Issue. You must select appropriate group in the security tab of certificate property to safeguard this certificate from different group of users.
Prepare a Windows Server 2008. Depending on your deployment topology, Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services. Click Next two times. Now select following in the next steps.
Setup Type: Standalone or Enterprise
CA Type: Subordinate
Private key: Create a New Private Key
On the Request a certificate step, you have two options. If your Enterprise root CA is part of the domain, you can request the subordinate CA certificate automatically or manually. However, if your enterprise root CA is standalone or the subordinate CA is standalone, then you have to generate a certificate request and submit it to the root CA. In this article, I am requesting the certificate manually, because you can perform the automated request yourself.
Click Next and Finish installation.
Open Requested Certificate and copy entire content in the notepad. Open IE browser and browse Root CA cert enroll page such as https://ca.microsoftguru.com.au/certsrv
Click on Request a certificate, Click on Advanced certificate request.
Click on submit a certificate request..
Paste the certificate request on Base 64 encoded box and select subordinate CA. Click submit.
Now download requested certificate and save it on subordinate CA.
Log on to subordinate CA and open CA management console>Click All Tasks>Click Start CA. You will be prompted to import subordinate certificate from root CA. Browse the location of certificate you exported/saved in previous steps and select certificate. Your subordinate CA will start now.
Start Menu>run>Services.msc>Check Active Directory Certificate Services set to automatic. Now Manage and secure CA as mentioned in this article.
If your root CA is standalone, then you can take your root CA offline now. Open Event Viewer by simply typing eventvwr.exe in Start menu>Run. Check that AD CS is functioning properly.
To setup auditing in AD CS, right click on AD CS server>property>Auditing Tab>Select preferred Auditing for CA Server.
To restrict enrollment agents in the CA, open the CA console>right-click the subordinate CA server>Properties>click the Enrollment Agents tab>click Restrict enrollment agents. Here you can add the groups or users that are allowed to request certificates on behalf of another client and remove Everyone. Similarly, you can disallow everybody from requesting agent enrollment. Note that an enrollment agent can only request certificates; it cannot approve or revoke certificates.
To setup pending request in CA, log on to CA and open CA console. Right mouse click on CA server>Click property>Click Policy Module>Click Properties>Click Set certificate request status to pending.
Restart AD CS services.
Create a text file, rename it to something like newrequest.inf, and paste the following contents into it:
;............................................
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA keys are below current minimum recommendations; 2048 is the usual choice today.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;............................................
OR
;............................................
[NewRequest]
Subject="CN=<FQDN of the computer you are creating the certificate for, for example the gateway server or management server>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
;............................................
Here, CN is the FQDN of the server on which the requested certificate will be installed.
Now type the following command, and then press ENTER:
certreq -new -f newrequest.inf newcert.req
To submit the new request, type the following command, and then press ENTER:
certreq -submit -config "CAServerFQDN\CA Name" newcert.req newcert.cer
Now approve the certificate from the CA management console and retrieve it using the following command, where RequestID is the request number shown in the console:
certreq -retrieve -config "CAServerFQDN\CA Name" RequestID newcert.cer
Type the following command to accept the certificate, and then press ENTER:
certreq -accept newcert.cer
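The certreq workflow above (create .inf, -new, -submit, -retrieve after approval, -accept) driven from PowerShell, as an added example that is not part of the original post. It also covers the SAN request described earlier on the page: instead of passing san:dns=... as a request attribute, which only works when the CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set and then lets any enrollee attach arbitrary names to any template, the names go into the request's own subjectAltName extension, where the CA's template and pending-request approval still govern them. $Subject, $SanNames, $CAConfig, $Template and $WorkDir are placeholders; $CAConfig is the "<CAServerFQDN>\<CA Name>" string that certutil -dump prints. The .inf follows the page's second variant with a 2048-bit, non-exportable key.

```powershell
# Added example, not from the original post. Drives the certreq workflow above and
# carries the SAN in the request's own extension. All values below are placeholders.

$Subject  = 'CN=myserver.example.com'
$SanNames = 'myserver.example.com', 'autodiscover.example.com', 'webmail.example.com'
$CAConfig = 'caserver.example.com\Example Issuing CA'
$Template = 'WebServer'
$WorkDir  = 'C:\CertReq'

function New-ServerCertRequest {
    param([string]$Subject, [string[]]$SanNames, [string]$WorkDir)
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'newrequest.inf'
    $req = Join-Path $WorkDir 'newcert.req'
    # Same layout as the second .inf variant above, but with a 2048-bit key, a
    # non-exportable key, and an explicit subjectAltName (2.5.29.17) extension.
    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'
        '[NewRequest]'
        "Subject=`"$Subject`""
        'Exportable=FALSE'
        'KeyLength=2048'
        'KeySpec=1'
        'KeyUsage=0xa0'                      # digitalSignature + keyEncipherment
        'MachineKeySet=TRUE'
        'ProviderName="Microsoft RSA SChannel Cryptographic Provider"'
        'RequestType=PKCS10'
        '[EnhancedKeyUsageExtension]'
        'OID=1.3.6.1.5.5.7.3.1'              # Server Authentication
        '[Extensions]'
        '2.5.29.17 = "{text}"'               # value assembled from the _continue_ lines
    )
    foreach ($name in $SanNames) { $lines += "_continue_ = `"dns=$name&`"" }
    Set-Content -Path $inf -Value $lines -Encoding ASCII
    & certreq.exe -new -f $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    return $req
}

function Submit-CertRequest {
    param([string]$RequestFile, [string]$CAConfig, [string]$Template)
    $cer = [IO.Path]::ChangeExtension($RequestFile, '.cer')
    Remove-Item $cer -ErrorAction SilentlyContinue     # a stale file would look like success
    # The template is named as a request attribute; the SAN is already inside the CSR.
    $out  = & certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $RequestFile $cer 2>&1
    $text = ($out | Out-String)
    $id   = if ($text -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        RequestId = $id
        Issued    = (Test-Path $cer)     # pending requests produce no .cer yet
        CertFile  = $cer
        Output    = $text.Trim()
    }
}

function Complete-CertRequest {
    param([int]$RequestId, [string]$CAConfig, [string]$CertFile)
    # Once a CA manager has issued the pending request, fetch it and bind it to the key.
    & certreq.exe -retrieve -config $CAConfig $RequestId $CertFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed (exit code $LASTEXITCODE)" }
    & certreq.exe -accept $CertFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }
}

$req    = New-ServerCertRequest -Subject $Subject -SanNames $SanNames -WorkDir $WorkDir
$result = Submit-CertRequest -RequestFile $req -CAConfig $CAConfig -Template $Template
if ($result.Issued) {
    & certreq.exe -accept $result.CertFile
} else {
    "Request $($result.RequestId) is pending approval; after issuance run:"
    "Complete-CertRequest -RequestId $($result.RequestId) -CAConfig '$CAConfig' -CertFile '$($result.CertFile)'"
}
```

With the CA set to hold requests as pending (the policy module setting configured above), the first run ends in the else branch and prints the RequestID to approve in the CA console; Complete-CertRequest then does what the manual -retrieve and -accept commands do.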
Removing a Certificate Authority: Log on to the system as the user who installed the certification authority. Open Server Manager>Roles>Remove Roles>select AD CS and remove the CA. Restart the decommissioned CA server. To remove the remaining information about this CA from Active Directory, type the following at an elevated command prompt:
certutil.exe -dsdel CAName and press ENTER
Dealing with Event ID 100, 7024, 48:
Issue a new certificate revocation list by running certutil.exe -crl from an elevated command prompt.
Type certutil.exe -setreg CA\LogLevel 2 and press ENTER to change the log level registry value.
To disable revocation checking of the CA's own certificate chain, type the following at a command prompt and press ENTER:
certutil -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
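Before reaching for CRLF_REVCHECK_IGNORE_OFFLINE, it is worth knowing which link in the CA's own chain actually fails revocation checking, since the flag only hides the symptom. The following is an added example, not code from the original post: it builds the chain for the CA certificate with online revocation checking and reports the status flags and the CDP/AIA URLs of each element. It also answers whether the root certificate deployed by the GPO described earlier is trusted on this machine. $CACertPath is an assumption (certutil -ca.cert <file> writes the CA certificate to a file on the CA).

```powershell
# Added example, not from the original post. Builds the chain for the CA's own certificate
# with online revocation checking and reports per-element status, so the cause (unreachable
# CDP, missing CRL, untrusted root) can be fixed instead of ignored. $CACertPath is an
# assumption; obtain the file with "certutil -ca.cert C:\Temp\ca.cer" on the CA.

$CACertPath = 'C:\Temp\ca.cer'

function Get-ExtensionText {
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Test-CertificateChain {
    param([string]$CertPath, [switch]$SkipRevocation)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = fetch CRLs from the CDP URLs in the certificates, as the CA service does.
    $chain.ChainPolicy.RevocationMode       = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($cert)
    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Status  = if ($el.ChainElementStatus.Count) {
                          ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
                      } else { 'OK' }
            CDP     = Get-ExtensionText -Cert $el.Certificate -Oid '2.5.29.31'        # CRL Distribution Points
            AIA     = Get-ExtensionText -Cert $el.Certificate -Oid '1.3.6.1.5.5.7.1.1' # Authority Information Access
        }
    }
    [pscustomobject]@{ Valid = $valid; Elements = @($elements) }
}

# Reading the result: RevocationStatusUnknown / OfflineRevocation on an element means the
# CRL at that element's CDP could not be fetched (republish it with certutil -CRL and
# -dspublish, or correct the URL); Revoked means the certificate really is revoked;
# UntrustedRoot means the root is not in Trusted Root Certification Authorities on this
# machine, i.e. the GPO deployment above has not applied here.
$report = Test-CertificateChain -CertPath $CACertPath
$report.Elements | Format-Table -Wrap
"Chain valid with online revocation checking: $($report.Valid)"
```

Running the same check with -SkipRevocation separates a revocation problem from a trust or validity problem: if the chain is valid without revocation checking but not with it, the CRL locations are the thing to fix.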