About Me

My photo
These are blogs for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.


lcs 2005 revisited - ew

For the morbidly curious, in support of the LCS 2005 Migration Document project, I have been building (yet another) lab.

As of now, I have a fully functional (no PSTN :( ) LCS 2005 SP1 pool, Access Proxy, sited behind an ISA 2006.  And it connected first time through from my home network via the AP.

All this goodness running under Hyper-V.

Servers are ws03 r2 sp2.

Client is currently OC2005 on XP and OC2005 on win7beta.

A few notes:

WS03 r2 SP2 breaks ISA 2006 (I had forgotten).  This requires two separate reg hacks (disable RSS and Task offload)

Hklm\system\currentcontrolset\services\tcpip\parameters [dword EnableRSS = 0] [DisableTaskOffload = 1]

DNS stinks for LCS.

Certs came from a standalone CA on the DC.  An enterprise CA would not give me private keys on the certs unless I moved the DC to Server Enterprise which I was unwilling to do.

It is amazing what we have to re-learn at times, eh wot?


CA woes

My new project is kicking off, and my first task is to build my lab.

As the new project involves LCS 2005, I need to be able to issue PKI, so I installed my CA  - but I did it as an Enterprise CA on a ws03 Std server.

Because LCS 2005 is such a bear on certs, my first round of testing on the CA involved getting some test certs with SAN entries that included exportable private keys.  Just to make sure I can do it and have it be right the first time through.

This forced me to relearn certutil.exe and certreq.exe.

I also relearned certreq.inf files....very handy - I cannot believe I ever stopped using that method.  Well, I know why: OCS 2007 has a cert wizard that works really well.

At any rate it seems that there is no way to get an Enterprise CA running on ws03/08 standard edition server to give you private keys.  The issue is converting/duplicating the existing webserver template which makes the new template a v2 template - and to use that new template requires enterprise server edition.  arrrgh.

No amount of tweaking the inf file allowed me to get a private key with the cert - the private key simply is not included with the issued certificate.

My search for a solution will continue, as I need this to work.  My short term solution was to fall back to a Standalone CA, which allows the private keys very easily.  arrgh.  I wanted an Enterprise CA.

test 02 Feb

this is a test it’s only a test this should be a picture