
Sunday, January 16, 2011

After you apply Exchange 2007 Service Pack 3 - replace your self-signed server certificate

Even though an expired self-signed server certificate will not interrupt your services, it is recommended that you replace the invalid/expired cert to eliminate the error messages logged in Event Viewer and picked up by monitoring agents such as SCOM.
If you're running Exchange 2007 RTM, SP1 or SP2, the self-signed certificate is only valid for one year. Once you have applied Exchange 2007 SP3, a newly created self-signed cert is valid for 5 years.

In the Exchange Management Shell, type the following command:
get-exchangecertificate | fl


Copy the thumbprint of your current certificate and paste it into the following command. Piping the old certificate into New-ExchangeCertificate clones its subject and subject alternative names into a fresh self-signed cert:
get-exchangecertificate "01CFFAA6076D0379DCEE94AE1CB777FDF8012817" | new-exchangecertificate

Again, type: get-exchangecertificate | fl (this will now show both certs)

Your old cert will have IMAP, POP and IIS enabled as its services, will be valid for only 1 year and is most likely already invalid.

Your new cert will have only IMAP and POP enabled as its services, will be valid for 5 years and will be valid.

Now you have to enable the IIS service on your new cert. Until you do, the web site's SSL binding stays on the old certificate and the new cert will not show up as the site certificate in IIS Manager (inetmgr.msc).

Type the following command to enable the IIS service on your new cert (the parameter is -Services; the abbreviated -service also works):
Enable-ExchangeCertificate -Thumbprint "4E9D9897E4145A47620FF6C08EAA3B1B991EB64A" -Services IIS

To remove your old cert, type the following command:
remove-exchangecertificate -thumbprint "01CFFAA6076D0379DCEE94AE1CB777FDF8012817"

Type the following command to make sure your old cert has been removed and that IIS has been enabled on your new cert:
get-exchangecertificate | fl

This is what the final result should look like (the screenshot of the Get-ExchangeCertificate output is not preserved in this copy).

At this time you should do an iisreset to apply the settings. Type the following command:
iisreset

Here comes the important part. There is a bug when you enable the cert: enabling the IIS service doesn't always apply. After the iisreset, run get-exchangecertificate | fl again to make sure the IIS service is still enabled on your new cert. In some cases you will have to close your PowerShell session, start a new PowerShell session and perform another iisreset.
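The whole replacement as one script, with the checks above built in so the old cert is never removed before IIS is confirmed on the new one and the post-iisreset re-check is automatic. This is an added example, not code from the original post; it runs in the Exchange Management Shell on the Exchange 2007 SP3 server, and the thumbprint is the one the post uses (substitute your own from Get-ExchangeCertificate).

```powershell
# Added example (not from the original post). Run from the Exchange Management
# Shell on the Exchange 2007 SP3 server. Replace $oldThumb with your own thumbprint.
$oldThumb = "01CFFAA6076D0379DCEE94AE1CB777FDF8012817"

$old = Get-ExchangeCertificate -Thumbprint $oldThumb
"Old: {0}  services={1}  expires={2:yyyy-MM-dd}" -f $old.Subject, $old.Services, $old.NotAfter

# Clone subject and SAN names into a new self-signed cert (five-year validity on SP3)
# and keep the returned certificate object so we have its thumbprint.
$new = $old | New-ExchangeCertificate
"New: {0}  expires={1:yyyy-MM-dd}" -f $new.Thumbprint, $new.NotAfter

# Move the IIS binding to the new cert (the clone already carries POP and IMAP).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# Do not remove the old cert until IIS is confirmed on the new one.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ("$($check.Services)" -notmatch "IIS") {
    throw "IIS was not bound to $($new.Thumbprint); leaving $oldThumb in place"
}
Remove-ExchangeCertificate -Thumbprint $oldThumb

iisreset | Out-Null

# Re-check after the reset: the IIS binding sometimes does not stick.
$after = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ("$($after.Services)" -notmatch "IIS") {
    Write-Warning ("IIS dropped off $($new.Thumbprint) after iisreset. Open a new shell, " +
                   "re-run Enable-ExchangeCertificate -Services IIS and iisreset again.")
} else {
    "IIS is bound to $($new.Thumbprint); old certificate $oldThumb removed."
}
```

Remove-ExchangeCertificate will still prompt for confirmation; that is deliberate, since the throw above is the only other guard against deleting the certificate IIS is serving.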

If you perform SSL offloading on your load balancer, firewall or ISA server, then you need to go into IIS Manager, open the properties of your 'Default Web Site', select the 'Directory Security' tab and click 'Edit' under Secure communications. Deselect 'Require secure channel (SSL)' and click 'OK' to close the window, then click 'OK' once more to close the properties. If you get prompted to propagate the setting down to the other virtual directories, simply click 'Cancel'. Only do this when a device in front of the server really terminates SSL; otherwise you have just allowed plain HTTP to the site.

From the command prompt perform an iisreset. Check one more time to make sure 'Require secure channel (SSL)' has not been re-enabled (this does happen).
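The re-check after the iisreset can be a single command instead of a trip through the IIS Manager dialogs. The script below is an added example, not part of the original post: it reads the metabase flag behind the 'Require secure channel (SSL)' checkbox (AccessSSL) for the Default Web Site root and each virtual directory under it. It assumes the IIS 6 metabase is available through the IIS:// ADSI provider (on IIS 7 that means the IIS 6 Management Compatibility role service is installed) and that the Default Web Site is site ID 1, as it is by default.

```powershell
# Added example (not from the original post). Assumes the IIS:// ADSI provider
# (IIS 6 metabase, or IIS 6 Management Compatibility on IIS 7) and that the
# Default Web Site is site ID 1.
$root = [ADSI]"IIS://localhost/W3SVC/1/Root"

# AccessSSL is the metabase property behind "Require secure channel (SSL)".
$rootRequiresSsl = [bool]$root.Properties["AccessSSL"].Value
if ($rootRequiresSsl) {
    Write-Warning "Default Web Site root requires SSL again; SSL offloading will fail until it is unchecked"
} else {
    "Default Web Site root: Require SSL is off (what SSL offloading needs)"
}

# Propagation was cancelled, so each virtual directory keeps its own setting;
# list them so nothing is left open or closed by accident.
foreach ($child in $root.Children) {
    if ($child.SchemaClassName -ne "IIsWebVirtualDir") { continue }
    "{0,-25} RequireSSL={1}" -f $child.Name, [bool]$child.Properties["AccessSSL"].Value
}
```

Run it before and after the iisreset; if the root line flips back to RequireSSL=True, you have hit the behaviour the post describes and need to uncheck it again.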


Wednesday, January 5, 2011

Simplified - How to deploy AD for Windows Server 2008 R2


With Windows 2008, life has become somewhat simpler. Although I don't have that much love for PowerShell (I'm getting there), it can be handy for running some simple tasks when deploying a new server.
Here are the steps needed to deploy Active Directory on Windows 2008 R2:
1. Perform a default installation of Windows Server 2008 R2 Enterprise x64

2. From Server Manager, turn off Windows Firewall and enable Remote Desktop – Allow connections from computers running any version… (less secure). Note: this is optional; leaving the firewall on is the safer choice, since installing the AD DS role enables the firewall rules a domain controller needs.

3. Rename your server to the appropriate name and restart the server.

4. From an elevated PowerShell prompt run the following commands:
a. Import-Module ServerManager
b. Add-WindowsFeature Telnet-Client, NET-Framework, RSAT-ADDS -Restart


Install Active Directory Domain Services and run DCPROMO
1. After the server has restarted go to Start --> Run and type DCPROMO

2. Click Next twice, under Choose Deployment Configuration, select Create a new domain in a new forest and click Next.

3. Under Name the Forest Root Domain type the full domain name, example: bizcorp.local

4. Set the forest functional level to Windows Server 2008 R2 (only if you're running windows 2008 r2 exclusively)

5. Accept default (DNS) and click Next. If you get a warning message about …delegation for this DNS server…, click Yes.

6. Click Next for the Active Directory paths

7. Enter a secure password for the Directory Services Restore Mode Administrator Password and click Next twice.

8. After the server has finished installing Active Directory, click Finish and reboot the server.


Add Reverse Lookup Zone for Your Domain

1. Start the DNS Management Console (DNSMgmt.msc)

2. Right-click Reverse Lookup Zones and select New Zone

3. Accept all the defaults

4. On Reverse Lookup Zone Name enter the network ID for your network (e.g. 192.168.1.x), click Next

5. Allow Only secure dynamic updates… click Next and Finish
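The same build from the feature install through the reverse lookup zone, done unattended. This is an added example, not code from the original post: on Windows Server 2008 R2 dcpromo.exe reads an answer file (the Install-ADDSForest cmdlet only exists from Server 2012 onward), and the zone is created with dnscmd. bizcorp.local and the 192.168.1.x network are the post's own examples; the NTDS and SYSVOL paths are the defaults dcpromo offers. Run Install-NewForest first; after the reboot, run Add-SecureReverseZone.

```powershell
# Added example (not from the original post). Windows Server 2008 R2 only:
# dcpromo answer file plus dnscmd. Run Install-NewForest, reboot, then
# Add-SecureReverseZone.
$ForestFqdn  = "bizcorp.local"
$ReverseZone = "1.168.192.in-addr.arpa"   # reverse zone for 192.168.1.x

function Install-NewForest {
    Import-Module ServerManager
    Add-WindowsFeature Telnet-Client, NET-Framework, RSAT-ADDS | Out-Null

    # Prompt for the DSRM password instead of hard-coding it. dcpromo needs it
    # in plaintext inside the answer file, so the file is deleted in 'finally'.
    $secure = Read-Host "Directory Services Restore Mode password" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # ForestLevel/DomainLevel 4 = Windows Server 2008 R2 (only if every DC will be R2).
    $answerFile = Join-Path $env:TEMP "dcpromo-answer.txt"
    @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestFqdn
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

    try {
        & "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerFile
        # dcpromo exit codes 1-4 are the success variants (2 = success, reboot
        # needed); 11 and above are failures.
        if ($LASTEXITCODE -lt 1 -or $LASTEXITCODE -gt 4) {
            throw "dcpromo failed with exit code $LASTEXITCODE; see $env:SystemRoot\debug\dcpromo.log"
        }
    } finally {
        # Never leave the plaintext DSRM password on disk.
        Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
    }
    Restart-Computer -Force
}

function Add-SecureReverseZone {
    # AD-integrated reverse zone. /AllowUpdate 2 = secure dynamic updates only
    # (1 would also accept nonsecure updates, which the wizard default does not).
    dnscmd /ZoneAdd $ReverseZone /DsPrimary
    dnscmd /Config  $ReverseZone /AllowUpdate 2
    dnscmd /ZoneInfo $ReverseZone
}
```

The answer file is the one place the DSRM password appears in clear; keep it on a local disk, not a share, and check it is gone after the run.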


Some additional notes:
When deploying an AD server there are many different ways of setting up your server.
1 - If you have two disks, configure them for RAID 1 (mirror). This way, if one hard disk fails, the server keeps running on the other. Mirroring is redundancy, not a backup; you still need system state backups of the DC.
2 - Windows Server 2008 R2 is 64-bit only, so a 64-bit multiprocessor system is required; the extra memory headroom beyond 4 GB matters mostly in larger environments.
3 - If you have four or more disks, you can have two RAID 1 sets, with the pagefile, SYSVOL and NETLOGON folders placed on the second mirrored pair.