About Me

TsooRad is a blog for John Weber. John is a Lync Server MVP (2010-2014). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2009/01/27

lcs 2005 revisited - ew

For the morbidly curious, in support of the LCS 2005 Migration Document project, I have been building (yet another) lab.

As of now, I have a fully functional (no PSTN :( ) LCS 2005 SP1 pool, Access Proxy, sited behind an ISA 2006.  And it connected first time through from my home network via the AP.

All this goodness running under Hyper-V.

Servers are ws03 r2 sp2.

Client is currently OC2005 on XP and OC2005 on win7beta.

A few notes:

WS03 r2 SP2 breaks ISA 2006 (I had forgotten).  This requires two separate reg hacks (disable RSS and Task offload)

Hklm\system\currentcontrolset\services\tcpip\parameters [dword EnableRSS = 0] [DisableTaskOffload = 1]

DNS stinks for LCS.

Certs came from a standalone CA on the DC.  An enterprise CA would not give me private keys on the certs unless I moved the DC to Server Enterprise which I was unwilling to do.

It is amazing what we have to re-learn at times, eh wot?

2009/01/22

CA woes

My new project is kicking off, and my first task is to build my lab.

As the new project involves LCS 2005, I need to be able to issue PKI, so I installed my CA  - but I did it as an Enterprise CA on a ws03 Std server.

Because LCS 2005 is such a bear on certs, my first round of testing on the CA involved getting some test certs with SAN entries that included exportable private keys.  Just to make sure I can do it and have it be right the first time through.

This forced me to relearn certutil.exe and certreq.exe.

I also relearned certreq.inf files....very handy - I cannot believe I ever stopped using that method.  Well, I know why: OCS 2007 has a cert wizard that works really well.

At any rate it seems that there is no way to get an Enterprise CA running on ws03/08 standard edition server to give you private keys.  The issue is converting/duplicating the existing webserver template which makes the new template a v2 template - and to use that new template requires enterprise server edition.  arrrgh.

No amount of tweaking the inf file allowed me to get a private key with the cert - the private key simply is not included with the issued certificate.

My search for a solution will continue, as I need this to work.  My short term solution was to fall back to a Standalone CA, which allows the private keys very easily.  arrgh.  I wanted an Enterprise CA.
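
A certreq.inf of the kind this post describes, written for the Standalone CA fallback: a request with SAN entries and an exportable private key. This is an added example, not the author's file. The host names, key length and file names are constructed placeholders, and it assumes the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag set so that the SAN request attribute is honored.

```ini
; request.inf (constructed sample; host names are placeholders, not from the post)
;
; Run on the server that will use the certificate:
;   certreq -new request.inf request.req
;   certreq -submit request.req
;       (a standalone CA leaves the request pending until it is issued
;        in the CA console; note the RequestId that is printed)
;   certreq -retrieve <RequestId> cert.cer
;   certreq -accept cert.cer

[Version]
Signature = "$Windows NT$"

[NewRequest]
; Placeholder pool FQDN.
Subject = "CN=pool01.lab.example"
; The key pair is generated on the requesting machine by "certreq -new";
; Exportable marks that local key as exportable. The CA only ever sees
; the public key, and "certreq -accept" binds the issued certificate
; back to the stored private key.
Exportable = TRUE
KeyLength = 2048
; 1 = AT_KEYEXCHANGE
KeySpec = 1
; 0xA0 = digital signature + key encipherment
KeyUsage = 0xA0
; Keep the key in the computer store rather than a user profile.
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server authentication (assumed here; add other EKUs if the role needs them).
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
; No CertificateTemplate line: a standalone CA does not use templates.
; The SAN attribute is applied only when the CA policy module has
; EDITF_ATTRIBUTESUBJECTALTNAME2 set. With that flag, any approved request
; can name arbitrary SANs, so review each pending request before issuing.
SAN = "dns=pool01.lab.example&dns=sip.lab.example"
```

After `certreq -accept`, `certutil -store my` on the same machine lists the certificate, and the private key can then be exported from the Certificates MMC because it was created as exportable.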