About Me

TsooRad is a blog for John Weber. John is a Lync Server MVP (2010-2014). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2011/01/27

Uninstalling Lync 2010 Server

I had to answer this question today… how to get rid of a POC environment that was living in a production AD DS?  Ooopsie.  Fail.  The obvious stuff did not work, nor did reading the oh-so-helpful chm documentation.

Then I found this:  http://terenceluk.blogspot.com/2011/01/step-by-step-instructions-for.html. Very nice.  Worked.  And also this:

http://ucmadeeasy.wordpress.com/2010/11/09/lync-server-2010-active-directory-references-and-how-to-remove-them/. Slick work!

and then there is this:

"bootstrapper.exe /scorch"

‘nuff said – use at your own discretion.

2011/01/25

Lync Work Flows

I work with some very talented people.  One of our architects came up with the following layout that presents the Lync system and the business case for each piece with the connected and supporting technologies shown in perspective.  This is some extremely nice work. Credit for the creation of this work of art-meet-techno-buzz goes to Paul Gurman.  On his own no less!

Clicking on the graphic will take you to my SkyDrive so you can download the file. For those who wish to print this, have your full size paper and plotter handy.  Remember that this is copyright protected material and belongs to Paul Gurman and Nexus IS.

  Nexus-MSFT-UC Workflow 5.0

2011/01/20

move that sql database

setup: 

SQL 2005 SP3 (I am told this should work on SQL 2008 also, but I have not confirmed it)

detach the database from server 1

attach the database to server 2

recreate the user at the SQL level – then get denied because the user already exists inside the database.  Ooops!

Flail.  Repeat.  LOL. 

Seriously, for those of us who are not SQL admins, this stuff is a different language.  Some cursory gooogly work revealed my total lack of sql syntax knowledge.  A call to an SQL programmer-now-IT-Manager friend of mine gave me some good insight, and we (he) figured out the following fix.

 

use databasename
go
-- 'Update_One' re-points the orphaned database user at the server login named
-- in the third argument (the user keeps its name; only its SID mapping changes)
exec sp_change_users_login 'Update_One', 'nameinsidedatabaseaccount', 'nameinsidesqlsecurityaccount'
go
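The reason the recreated login gets "denied" is a SID mismatch, not a name clash: the database user carries the SID of the login on the old server, and the login you recreate on the new server gets a fresh SID. The following is an added example, not code from the post, that scripts the same fix from PowerShell through System.Data.SqlClient: it lists the SQL-authenticated users in the attached database whose SID matches no login on the new instance, then runs the post's sp_change_users_login 'Update_One' for each one that has a login of the same name. The instance and database names are placeholders; run it as a sysadmin on the new server.

```powershell
# Added example, not code from the original post. Assumed placeholder names below.
param(
    [string]$ServerInstance = 'SERVER2\SQLINSTANCE',   # assumed placeholder
    [string]$Database       = 'databasename'           # the post's placeholder
)

Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI")
$conn.Open()

# Orphans are found by SID, not by name: the login recreated on the new server
# got a new SID, so the database user (which still carries the old SID) no
# longer matches it. Windows logins keep their domain SID and do not orphan.
# Users created WITHOUT LOGIN also show up here; they are only touched when a
# login of the same name exists. dbo is skipped: if the owner's login is gone,
# fix that with ALTER AUTHORIZATION ON DATABASE instead.
$orphanQuery = @"
SELECT dp.name AS DbUser,
       sp.name AS SameNameLogin            -- NULL if no login of that name exists yet
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.name = dp.name AND sp.type = 'S'
WHERE dp.type = 'S'                        -- SQL-authenticated users only
  AND dp.principal_id > 4                  -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND NOT EXISTS (SELECT 1 FROM sys.server_principals s WHERE s.sid = dp.sid)
"@

function Get-OrphanedUsers {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $orphanQuery
    $table = New-Object System.Data.DataTable
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    [void]$adapter.Fill($table)
    return @($table.Rows)
}

function Repair-OrphanedUsers {
    $fixed = 0
    foreach ($row in @(Get-OrphanedUsers)) {
        if ($row.SameNameLogin -is [System.DBNull]) {
            Write-Warning "$($row.DbUser): no login of that name on $ServerInstance; create it first, then rerun"
            continue
        }
        # Same stored procedure as the post, with the names passed as parameters
        # instead of spliced into the command text.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "EXEC sp_change_users_login @Action = 'Update_One', @UserNamePattern = @u, @LoginName = @l"
        [void]$cmd.Parameters.AddWithValue('@u', [string]$row.DbUser)
        [void]$cmd.Parameters.AddWithValue('@l', [string]$row.SameNameLogin)
        [void]$cmd.ExecuteNonQuery()
        Write-Host "re-mapped database user $($row.DbUser) to login $($row.SameNameLogin)"
        $fixed++
    }
    return $fixed
}

$n    = Repair-OrphanedUsers
$left = @(Get-OrphanedUsers).Count
Write-Host "fixed $n user(s); $left still orphaned"
$conn.Close()
```

The second Get-OrphanedUsers call is the check: if anything is still listed, it is a user with no login of that name, and the warning tells you which. On SQL Server 2005 SP2 and later the same mapping can be done with ALTER USER ... WITH LOGIN, which is what later versions document in place of the deprecated sp_change_users_login.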

2011/01/13

New canned e2010 solutions

EHLO has announced some new tested solution whitepapers.  The one I looked at is pretty nice.  See them here.

2011/01/12

Time Management

Got this today from my manager.  I have seen it before, but had forgotten how true it is.

One day, an expert in time management was speaking to a group of business students and, to drive home a point, used an illustration those students will never forget. As he stood in front of the group of high-powered over-achievers he said, "Okay, time for a quiz" and he pulled out a one-gallon, wide-mouth mason jar and set it on the table in front of him. He also produced about a dozen fist-sized rocks and carefully placed them, one at a time, into the jar. When the jar was filled to the top and no more rocks would fit inside, he asked, "Is this jar full?"

Everyone in the class yelled, "Yes." The time management expert replied, "Really?"

He reached under the table and pulled out a bucket of pebbles. He dumped some pebbles in and shook the jar causing pieces of pebbles to work themselves down into the spaces between the big rocks. He then asked the group once more, "Is the jar full?"

By this time the class was on to him. "Probably not," one of them answered. "Good!" he replied. He reached under the table and brought out a bucket of sand. He started dumping the sand in the jar and it went into all of the spaces left between the rocks and the pebbles. Once more he asked the question, "Is this jar full?" "No!" the class shouted. Once again he said, "Good." Then he grabbed a pitcher of water and began to pour it in until the jar was filled to the brim.

Then he looked at the class and asked, "What is the point of this illustration?" One eager beaver raised his hand and said, "The point is, no matter how full your schedule is, if you try really hard you can always fit some more things in it!" "No," the speaker replied, "that's not the point.

The truth this illustration teaches us is, "If you don't put the big rocks in first, you'll never get them in at all.”

WS08R2 Standalone Root CA

High level instructions for installing a Standalone CA

NOTE:  If you have an Enterprise or Datacenter edition server, the preferred install is an Enterprise Root. If you have only Standard Edition WS08R2 Server, then you are not able to install an Enterprise CA and will have to build a Standalone Root CA.

 

Start with a Windows 2008 R2 server. I used a DC, but there are some who think that is an issue. The concern is real: the CA's private key then lives on a domain controller, so whoever owns either box owns both, and everything the CA has ever issued is only as trustworthy as that key; a root CA is normally kept on a dedicated machine (offline, if it only signs subordinate CAs) for exactly this reason. You should choose what works best for your environment or what matches your security model. If you choose to do a Standalone Root CA, then you will need this entire document, including the CLI work at the end.

1. Open servermanager

2. Add roles

3. Choose Active directory certificate services

clip_image001

4. Click Next on the intro screen…

5. Select as shown here:

clip_image002

6. Choose appropriately here. I recommend the Enterprise, it really is easier. However, you can choose Standalone also.

clip_image004

7. Choose Root

clip_image006

8. Choose new key

clip_image008

9. Setup like this:

clip_image010

10. You can rearrange the name as appropriate… take note of it though!

clip_image012

11. I choose to use a LONG period of time… I don’t like to have to renew certs more than I have to…your security paradigm may require you to keep this figure below the default of five years.

clip_image014

12. Accept these defaults… you can change them if you wish…if you change them, be sure to document the change from the default.

clip_image016

13. The web server piece (Certification Authority Web Enrollment, which is why IIS gets pulled in) is what lets an authorized requester submit a request and pick up the issued certificate through a browser. Exchange UM, OCS, Lync, SQL, and SharePoint all come to mind as consumers.

clip_image018

14. Because I let the wizard choose for me, these options were filled in for me and will support what I need for the aforementioned applications.

clip_image020

15. Install

clip_image022

Total install time was less than 15 minutes.

16. If you chose a Standalone CA, then you will need to publish the resulting trusted root cert into Active Directory…

Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:

  • If you are using a Microsoft Enterprise root certification authority, the root certificate is automatically installed on computers in the forest, using Active Directory Domain Services.
  • If you are not using a Microsoft Enterprise root certification authority but want all computers in the forest to automatically trust the root certification authority, you can publish the root certificate in the Enterprise Trust Store, using Group Policy or the Certutil command.
  • If you are not using a Microsoft Enterprise root certification authority and want only groups of computers in the forest to automatically trust the root certification authority, you can publish the root certificate to domains or organizational units (OUs) using Group Policy. Only computers that have the Group Policy applied will automatically trust the root certification authority. Add the root certificate to the Group Policy object Trusted Root Certification Authorities under the Public Key Policies folder for the Computer Configuration container.
  • If you are using Microsoft Certificate Services with Internet Information Services (IIS), you can request and install the root certificate with the Web enrollment service.
  • You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
  • You can export the root certificate to a file and import it on each computer; only the public certificate is needed for this, never the CA's private key.

17. To accomplish this using certutil.exe:

Run the following commands on the CA, as a user who is also an Enterprise Admin (they write to the Configuration partition), to register the digital certificate of the Standalone Root CA and its CRL in Active Directory:

certutil -f -dspublish <CA_Cert_File_Name> RootCA

certutil -f -dspublish <CRL_File_Name>

The files <CA_Cert_File_Name> and <CRL_File_Name> are located in the folder %SystemRoot%\System32\CertSrv\CertEnroll: the .crt, and the base .crl (a delta CRL has a + in front of .crl; you want the base one).

You don't have to do the CRL, but it does make things go smoothly: a host that follows the LDAP CRL distribution point in an issued certificate then finds the CRL in the directory instead of failing the revocation check. Remember that a published CRL has its own validity period; publish a fresh one before it expires, or revocation checking starts failing.

If you use a standard edition with Standalone Root CA, then you will need the following command before the CA will honor a Subject Alternative Name passed as a request attribute (the san:dns=... form used with certreq -attrib), which is how you get SAN/UCC certificates out of it. Restart Certificate Services (net stop certsvc, then net start certsvc) for it to take effect. Understand what the flag does: the CA now accepts whatever SAN the requester typed, so whoever approves pending requests must read the SAN on every one before issuing, and the flag has no business on an Enterprise CA that issues automatically from templates.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

One additional thing you can do is to change the certificate issue period from the default 1 year to something a little more lengthy. Using regedit, go to:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAname>, where CAname is whatever you called the CA in the previous steps.

What you want to do is modify "ValidityPeriodUnits" as shown here (its unit is the "ValidityPeriod" string value next to it, "Years" by default). The CA reads these values at service start, so restart Certificate Services afterwards. Note that an issued certificate can never outlive the CA certificate itself, whatever you set here.

image

 

If you followed things all the way through, you have a Standalone RootCA, with a trusted root cert for a period of 20 years, the trusted root is published into your AD DS (along with the CRL), individual certificates can be SAN/UCC, and the issued certificates will be for a two-year period.
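Steps 16 and 17 plus the two registry tweaks are the whole of the post-install work, so here they are as one script. This is an added example, not the post's own commands: it runs on the Standalone Root CA itself from an elevated PowerShell, as a user who is also an Enterprise Admin (dspublish writes to the Configuration partition), reads the CA name the service recorded in the registry instead of asking for it, publishes the newest CA certificate and the base CRL, sets the SAN flag and the issuance period, restarts the service, and then verifies the result against the registry rather than trusting the command output. The two-year issuance period is an assumption matching the post's goal.

```powershell
# Added example, not from the original post. Assumes a domain-joined CA and an
# operator who is an Enterprise Admin; the two-year period is an assumption.
$IssueYears = 2

function Invoke-CertUtil {
    param([string[]]$CertUtilArgs)
    $out = & certutil.exe @CertUtilArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($CertUtilArgs -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

# The CA name is whatever you typed in step 10; the service records it here.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Newest CA certificate, and the base CRL (delta CRLs end in '+.crl').
$crt = Get-ChildItem $enroll -Filter '*.crt' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
$crl = Get-ChildItem $enroll -Filter '*.crl' | Where-Object { $_.Name -notlike '*+.crl' } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $crt -or -not $crl) { throw "no CA cert/CRL in $enroll; is the CA installed?" }

# Step 17: root into AD (RootCA = Certification Authorities and Trusted Root
# containers), CRL into the CDP container.
Invoke-CertUtil -CertUtilArgs '-f', '-dspublish', $crt.FullName, 'RootCA'
Invoke-CertUtil -CertUtilArgs '-f', '-dspublish', $crl.FullName

# SAN flag: the CA will honour a SAN supplied as a *request attribute*
# (certreq -attrib "san:dns=..."). The requester chose that name, not the CA,
# so read the SAN on every pending request before you issue it.
Invoke-CertUtil -CertUtilArgs '-setreg', 'policy\EditFlags', '+EDITF_ATTRIBUTESUBJECTALTNAME2'

# Issuance period: the same registry values the post edits by hand. Issued
# certificates are still capped by the CA certificate's remaining lifetime.
Invoke-CertUtil -CertUtilArgs '-setreg', 'ca\ValidityPeriodUnits', "$IssueYears"
Invoke-CertUtil -CertUtilArgs '-setreg', 'ca\ValidityPeriod', 'Years'

# Both settings are read at service start.
Restart-Service -Name certsvc

# Verify from the registry, not from what certutil printed.
$caKey  = Join-Path $cfg $caName
$units  = (Get-ItemProperty -Path $caKey).ValidityPeriodUnits
$policy = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$flags  = (Get-ItemProperty -Path $policy).EditFlags
$sanOn  = ($flags -band 0x40000) -ne 0      # EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
if ($units -ne $IssueYears -or -not $sanOn) {
    throw "CA $caName not configured as expected (ValidityPeriodUnits=$units, SAN flag=$sanOn)"
}

# Thumbprint of what was just published, to compare against what clients show
# in their Trusted Root store after the next policy refresh.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt.FullName
"CA {0}: root '{1}' thumbprint {2}, CA cert valid to {3}, issuing for {4} year(s)" -f `
    $caName, $x509.Subject, $x509.Thumbprint, $x509.NotAfter, $units
```

The thumbprint line is the check that matters on the client side: after a gpupdate on a domain member, the same thumbprint should appear under Trusted Root Certification Authorities in the computer store; if it does not, the dspublish did not land where you thought.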

2011/01/11

cert fun with e2010

Why do I have to put up with this?  Isn’t there something that should have progressed over the last 10 years or so that would remove this irritation from my life?  This time it was this provider…but where does the error lie?

http://www.entrust.net/knowledge-base/technote.cfm?tn=8351

The kb fixed up the issue, but why did I have to fix it?  This is a mainstream provider with a mainstream app on a mainstream system.  To paraphrase the mavens of sports broadcasting, “C’mon man!”