Showing posts with label Windows Server 2012 R2.

Import a Trusted Root Certification Authority In Windows 7/Vista/XP.

1. Start Microsoft Management Console (MMC) Tool

Click Start -> Run -> Enter 'MMC' and click 'OK'

2. Click File -> Add/Remove Snap-In...

3. Add Certificate.

Select 'Certificates' in the left panel, click 'Add' to move it to the right panel, then click 'OK'.

4. Select the 'Computer account' option and click 'Next'. (This puts the certificate in the machine-wide store, so every user and service on the computer will trust it; 'My user account' would trust it for the current user only.)
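The same import done from the command line, with the two checks worth doing before a new root is trusted machine-wide. This is an added example, not part of the original post; the certificate path and the expected thumbprint are placeholders, and the Cert: drive needs Windows PowerShell 2.0, which is available for Windows 7/Vista/XP.

```powershell
# Added example, not from the original post: import a root CA certificate into the
# LOCAL COMPUTER Trusted Root store from the command line and verify it is there.
# Assumptions: $CertPath and $ExpectedThumbprint are placeholders for your own CA.
# Run from an elevated prompt; writing to LocalMachine\Root needs administrator rights.

$CertPath           = 'C:\Certs\RootCA.cer'            # placeholder: exported root CA certificate
$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'    # placeholder: obtain from the CA owner out of band

# Load the certificate without importing it so it can be inspected first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# A root certificate is self-signed (Subject equals Issuer). Anything else is an
# intermediate or an end-entity certificate and does not belong in the Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root: '$($cert.Subject)' was issued by '$($cert.Issuer)'"
}

# Compare against a thumbprint obtained out of band. Whatever lands in this store can
# sign certificates the whole machine will trust, so a swapped file must be caught here.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# Import into the computer-wide Trusted Root store; this is the store the MMC
# 'Computer account' path writes to, as opposed to the current user's own store.
& certutil.exe -addstore Root $CertPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Verify through the Cert: drive (Windows PowerShell 2.0 and later).
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Certificate not found in LocalMachine\Root after import' }
"Installed: $($installed.Subject) [$($installed.Thumbprint)], valid until $($installed.NotAfter)"
```

The script fails closed: until the placeholder thumbprint is replaced with the real one, nothing is imported. certutil -addstore is the command-line equivalent of the MMC wizard and works on the same three Windows versions.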

WHY READ-ONLY DOMAIN CONTROLLERS (RODC) ?

In an enterprise-level network it is common to have an HQ (headquarters) and branch office network. The branch offices may need to connect to HQ resources for their operations, and most of the time this kind of setup uses WAN links to connect the branch offices with the HQ network. Let's assume we have a company called ABC whose HQ is located in Toronto, Canada. Due to expansion it needs to open a branch office in London, UK, so the requirement is more complicated as it involves two different countries.

The users in the London office still need to authenticate to the company domain environment and access its resources. Let's look at some of the difficulties and challenges faced with this kind of typical setup.

Lack of Resources
Connecting HQ with a branch site requires a secure, reliable connection, but such connections typically come at a high cost. Even at that cost, these links will mostly have speeds of 128kb, 256kb, 512kb etc. If users in the branch site authenticate to the company AD, the WAN link is used for all the authentication, resource access etc., and as the number of users in the branch site increases, the link utilization just for AD activities increases too. Also, since it spans different geographical locations and different ISPs, many factors will affect the reliability of the link as well. What happens if the WAN link goes down on a critical business day? So the solution is to deploy AD in the branch site, and that opens a whole different range of concerns and problems.

PASSWORD REPLICATION IN RODC

In an RODC environment one of the great features is password replication. In an RODC environment we can determine which passwords need to be cached on the RODC and which accounts still need to be authenticated via a writable domain controller. For example, domain administrator accounts do not need to be cached on an RODC; for security purposes it is always safer if they are authenticated via a writable DC. So if a domain administrator logs in from an RODC environment, we can set the system to forward the authentication request or service ticket request to the writable domain controller.

Microsoft made this easy by introducing the password replication policy (PRP) to the RODC environment. By default the system creates a domain-wide password replication policy with two domain local security groups.
Allowed RODC Password Replication Group: members of this group are allowed to have their passwords cached on the RODC. By default this group does not have any members.
Denied RODC Password Replication Group: members of this group are denied password caching on the RODC. Some security-critical groups are members of this group by default, such as Administrators, Server Operators, Backup Operators and Account Operators.
One of the biggest mistakes administrators make is to only allow/deny user accounts. But computers themselves also use authentication and service ticket requests, so make sure you add computer accounts to these lists as well.
How to configure the RODC password replication policy (PRP)?
1) Log in to a writable domain controller with a domain administrator account
2) Open the "Active Directory Users and Computers" snap-in via Server Manager > Tools > Active Directory Users and Computers
3) Go to the "Domain Controllers" OU
4) Click to select the RODC you need to configure the PRP for, then right-click it and click "Properties"
5) In the properties window click on the "Password Replication Policy" tab
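The same policy managed from PowerShell, including the computer-account point made above and an audit of what the RODC actually holds. This is an added example, not part of the original post; LON-RODC01, LON-Users, LON-Workstations and HQ-ServiceAccounts are placeholder names, and the cmdlets are from the ActiveDirectory module shipped with RSAT / Windows Server 2008 R2 and later.

```powershell
# Added example, not from the original post: inspect and configure an RODC's Password
# Replication Policy (PRP) with the ActiveDirectory module (RSAT / Windows Server 2008 R2+).
# Assumptions: LON-RODC01 is a placeholder RODC; LON-Users, LON-Workstations and
# HQ-ServiceAccounts are placeholder groups. Run as a domain administrator on a writable DC.
Import-Module ActiveDirectory

$Rodc = 'LON-RODC01'   # placeholder RODC name

# 1. Current policy: who may be cached on this RODC and who never will be.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
'--- Denied ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# 2. Allow the branch users AND the branch computers. Computer accounts authenticate and
#    request service tickets too; if only users are allowed, every machine logon still
#    crosses the WAN. The domain-wide group applies to all RODCs in the domain.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' `
                  -Members 'LON-Users', 'LON-Workstations'

# 3. Explicitly deny a group that must never be cached in a branch office. Deny wins over
#    allow, so this holds even if someone later adds these accounts to an allowed group.
#    -DeniedList applies to this RODC only; the 'Denied RODC Password Replication Group'
#    would apply to all RODCs.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'HQ-ServiceAccounts'

# 4. Audit what the RODC actually holds. If the branch RODC is stolen or compromised,
#    every account in the 'revealed' list must be treated as exposed and reset.
'--- Secrets currently cached on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts | Select-Object Name, ObjectClass
'--- Accounts that have authenticated through the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name, ObjectClass
```

Step 4 is the one to keep in an incident runbook: the "revealed" list is exactly the set of credentials an attacker with physical access to the branch RODC could extract.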

Guide To Install Read-Only Domain Controller (RODC)

Before installing an RODC in a domain environment it needs to meet the following requirements:

  • Forest functional level should be Windows Server 2003 or higher
  • At least one writable domain controller running Windows Server 2008 or higher
If the forest has any DC running Windows Server 2003, we need to adjust permissions on the DNS application directory partition to allow them to replicate to the RODC. It can be done by running adprep /RODCprep from the \support\adprep folder of the Windows Server 2012 installation disk.
In my demo setup I have a domain called contoso. Before starting, let's check the forest functional level.
  • To do that, log in to the DC as domain admin and open "Server Manager"
  • Then from Tools click on "Active Directory Domains and Trusts"
  • Right-click on the domain and select "Properties"
As we can see here it runs at Windows Server 2012 R2, so we do not need to prepare the domain
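The same two prerequisite checks done with the ActiveDirectory module rather than the Domains and Trusts console, as an added example that is not part of the original post. It assumes RSAT / the ActiveDirectory module is available and that you are logged in as a domain admin.

```powershell
# Added example, not from the original post: check the RODC prerequisites above with the
# ActiveDirectory module instead of the Domains and Trusts console. Assumes RSAT / the
# ActiveDirectory module is available and you are logged in as a domain admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest functional level: $($forest.ForestMode)"

# Requirement 1: forest functional level Windows Server 2003 or higher.
# Windows2000Forest and Windows2003InterimForest are the only levels below that.
if ("$($forest.ForestMode)" -match '2000|Interim') {
    Write-Warning 'Raise the forest functional level to Windows Server 2003 or higher before adding an RODC.'
}

# Requirement 2: at least one writable DC running Windows Server 2008 or higher.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize

$writable2008Plus = $dcs | Where-Object {
    -not $_.IsReadOnly -and $_.OperatingSystem -notmatch 'Server 200[03]\b'
}
if (-not $writable2008Plus) {
    Write-Warning 'No writable domain controller running Windows Server 2008 or later was found.'
}

# If any Windows Server 2003 DC is still present, the DNS application partitions need
# adprep /rodcprep before an RODC can replicate them.
$legacy = $dcs | Where-Object { $_.OperatingSystem -match 'Server 2003' }
if ($legacy) {
    $names = ($legacy | ForEach-Object { $_.HostName }) -join ', '
    Write-Warning "Windows Server 2003 DCs still present: $names. Run adprep /rodcprep from \support\adprep on the Windows Server 2012 media."
}
```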

GUIDE TO MIGRATE ACTIVE DIRECTORY CERTIFICATE SERVICE FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2.


Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 is coming to an end on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO). It's no wonder that some organizations still use Windows Server 2003 versions in production environments.


If you still haven't planned a migration from legacy Windows Server versions, well, the time has come!
This guide will explain how we can migrate AD CS from Windows Server 2003 to Windows Server 2012 R2.
In this demonstration I am using the following setup.

Server Name                      Operating System                        Server Roles
canitpro-casrv.canitpro.local    Windows Server 2003 R2 Enterprise x86   AD CS (Enterprise Certificate Authority)
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64              -

Back up the Windows Server 2003 certificate authority database and its configuration
•    Log in to the Windows Server 2003 server as a member of the local Administrators group
•    Go to Start > Administrative Tools > Certification Authority
•    Right-click on the server node > All Tasks > Back up CA
•    This opens the "Certification Authority Backup Wizard"; click "Next" to continue
•    In the next window tick the check boxes to select the options as highlighted and click "Browse" to provide the backup file path where the backup file will be saved. Then click "Next" to continue
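The same CA backup done with certutil so that it can be scripted and repeated, plus the two items the wizard does not capture. This is an added example, not part of the original post; C:\CABackup and the password are placeholders. The commands are external executables, so they work from cmd.exe as well as from Windows PowerShell 2.0 on Windows Server 2003.

```powershell
# Added example, not from the original post: the same CA backup done with certutil so it can be
# scripted and repeated. Assumptions: C:\CABackup and the password are placeholders. These are
# external commands, so they work from cmd.exe as well as from Windows PowerShell 2.0 on
# Windows Server 2003. Run on the old CA as a member of the local Administrators group.
$BackupDir = 'C:\CABackup'   # placeholder; use a location only CA administrators can read
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. CA certificate + private key (written as a password-protected PFX) and the CA database.
#    The export contains the CA's signing key: protect the folder and the password as you
#    would the CA itself, and delete the copy once the new CA is verified.
certutil -p 'PLACEHOLDER_STRONG_PASSWORD' -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed ($LASTEXITCODE)" }

# 2. The wizard does not capture the CA's registry configuration (CRL/AIA publication
#    paths, validity periods, audit settings); export it so it can be restored on the
#    Windows Server 2012 R2 server after the role is installed.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CAregistry.reg"

# 3. An Enterprise CA's published template list lives in Active Directory, not in the
#    database; record it so the same templates can be re-published on the new CA.
certutil -catemplates > "$BackupDir\catemplates.txt"

Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length
```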

GUIDE TO MIGRATE DHCP FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2 USING WINDOWS SERVER MIGRATION TOOLS

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 is coming to an end on 14th July 2015.

It's no wonder that organizations are still using Windows Server 2003 / Windows Server 2003 R2 in their infrastructure with different server roles.
With Windows Server 2008 R2 Microsoft introduced a great new feature called "Windows Server Migration Tools", which allows administrators to migrate server roles, features and configuration settings seamlessly from one system to another (e.g. Windows Server 2003). Windows Server 2012 also includes this feature, and in this article I will demonstrate how we can use it to migrate the DHCP role to Windows Server 2012 R2.
Please note: to use this method we need to install this feature on both the source and the destination server.
For the demonstration I am using the following setup.

Server Name                      Operating System                        Server Roles   Networks
dhcp-2k3.canitpro.local          Windows Server 2003 R2 Enterprise x86   DHCP           Network A – 10.10.10.0, Network B – 172.16.25.0, Network C – 192.168.148.0
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64              -              -

Before starting the migration process it's important to consider the following.
1)    To migrate the roles you need to log in to the source and destination servers as a "Domain Administrator".
2)    Before starting the migration process make sure the source and destination servers run with the latest updates and service packs.
3)    If the source server runs with multiple networks / multiple NICs, make sure the destination server also has the same number of NICs so it can serve the same network setup.
The dhcp-2k3.canitpro.local server is currently set up with 3 additional NICs to represent networks A, B and C. They are configured with static IP addresses matching the network each one belongs to. The DHCP server hosts a different DHCP scope for each network.
Before we start the process we need to install the following software on Windows Server 2003 (dhcp-2k3.canitpro.local) if it's not there already.
Install Windows Server Migration Tools in Windows Server 2012
1)    Log in to the Windows Server 2012 server as Domain Administrator
2)    Go to Server Manager > Add Roles and Features
3)    This opens the Add Roles and Features Wizard; click Next to start the process
4)    In the next window, for the installation type select "Role-based or feature-based installation", then click Next to continue

GUIDE TO MIGRATE DHCP FROM WINDOWS SERVER 2003 TO WINDOWS SERVER 2012 R2

Microsoft has already announced that support for Windows Server 2003 / Windows Server 2003 R2 is coming to an end on 14th July 2015 (http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Microsoft+Windows+Server+2003&Filter=FilterNO).

It's no wonder that organizations are still using Windows Server 2003 / Windows Server 2003 R2 in their infrastructure with different server roles. In the last few posts I have covered how we can migrate different server roles from Windows Server 2003 to the latest Windows Server 2012. This article is also part of the same series, and it will explain how we can migrate the DHCP server role.
For the demonstration I am using the following setup.

Server Name                      Operating System                        Server Roles   Networks
dhcp-2k3.canitpro.local          Windows Server 2003 R2 Enterprise x86   DHCP           Network A – 10.10.10.0, Network B – 172.16.25.0, Network C – 192.168.148.0
CANITPRO-DC2K12.canitpro.local   Windows Server 2012 R2 x64              -              -

The dhcp-2k3.canitpro.local server is currently set up with 3 additional NICs to represent networks A, B and C. They are configured with static IP addresses matching the network each one belongs to. The DHCP server hosts a different DHCP scope for each network.
Back up the DHCP configuration in Windows Server 2003 R2
1)    Log in to the Windows Server 2003 server as a member of the Administrators group
2)    Load the DHCP server console via Start > Administrative Tools > DHCP
3)    Here we can see the configured DHCP scopes
4)    Now it's time to back up the config. To do that, open the command prompt via Start > Run, type cmd and press Enter
5)    Then type netsh dhcp server export C:\DHCPbk\dhcpbk.txt all and press Enter. Here C:\DHCPbk\dhcpbk.txt is the file path the backup will be saved to; it can be changed according to your requirements.
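The netsh export/import round trip from the two DHCP migration posts above, with a post-import check before the new server is authorized. This is an added example, not part of the original posts; host names, the three networks and the C:\DHCPbk path are the ones from the posts' lab setup, and the commented Export-SmigServerSetting / Import-SmigServerSetting lines are the Windows Server Migration Tools equivalents, assumed from the cmdlet documentation rather than shown in the posts. The first function runs on the old server, the second on the new one.

```powershell
# Added example, not from the original posts: the netsh export/import round trip described
# above, with a post-import check on the Windows Server 2012 R2 side. Host names, networks
# and the C:\DHCPbk path are the ones from the posts' lab setup; the Smig cmdlet lines are
# the Windows Server Migration Tools equivalents (assumed syntax, not shown in the posts).

# 1. On dhcp-2k3.canitpro.local (Windows Server 2003 R2): export every scope with its
#    options, reservations and current leases. Works from cmd.exe or PowerShell 2.0.
function Export-LegacyDhcp {
    param([string]$Path = 'C:\DHCPbk\dhcpbk.txt')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    netsh dhcp server export $Path all
    # Migration Tools alternative (assumed syntax):
    #   Export-SmigServerSetting -FeatureID DHCP -Path C:\DHCPbk -Password (Read-Host -AsSecureString)
}

# 2. On CANITPRO-DC2K12.canitpro.local (Windows Server 2012 R2): install the role, import the
#    file, then verify that every scope from the source exists and is active before the
#    new server is authorized to hand out leases.
function Import-AndVerifyDhcp {
    param(
        [string]$Path = 'C:\DHCPbk\dhcpbk.txt',
        [string[]]$ExpectedScopes = @('10.10.10.0', '172.16.25.0', '192.168.148.0')
    )
    Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
    netsh dhcp server import $Path all
    # Migration Tools alternative (assumed syntax):
    #   Import-SmigServerSetting -FeatureID DHCP -Path C:\DHCPbk -Password (Read-Host -AsSecureString) -Force

    $scopes = Get-DhcpServerv4Scope
    $ok = $true
    foreach ($net in $ExpectedScopes) {
        $s = $scopes | Where-Object { $_.ScopeId.IPAddressToString -eq $net }
        if (-not $s) {
            Write-Warning "Scope $net is missing after import"; $ok = $false
        } elseif ($s.State -ne 'Active') {
            Write-Warning "Scope $net imported but is $($s.State)"; $ok = $false
        } else {
            "OK: $net  $($s.StartRange)-$($s.EndRange)  lease $($s.LeaseDuration)"
        }
    }
    if (-not $ok) { throw 'Import incomplete; do not authorize the new server yet.' }

    # Authorize the new server in AD. Until the old server is stopped and unauthorized
    # (netsh dhcp delete server on the source), both would answer requests for the same
    # scopes, so treat this as a cut-over rather than running the two in parallel.
    Add-DhcpServerInDC -DnsName 'CANITPRO-DC2K12.canitpro.local'
}
```

Copy the export file from the source to the destination between the two steps; the verification loop is there so that a scope that did not survive the import is noticed before clients start getting leases from the new server.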