About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.


lcs 2005 revisited - ew

For the morbidly curious, in support of the LCS 2005 Migration Document project, I have been building (yet another) lab.

As of now, I have a fully functional (no PSTN :( ) LCS 2005 SP1 pool, Access Proxy, sited behind an ISA 2006.  And it connected first time through from my home network via the AP.

All this goodness running under Hyper-V.

Servers are ws03 r2 sp2.

Client is currently OC2005 on XP and OC2005 on win7beta.

A few notes:

WS03 r2 SP2 breaks ISA 2006 (I had forgotten).  This requires two separate reg hacks (disable RSS and Task offload)

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    EnableRSS (DWORD) = 0
    DisableTaskOffload (DWORD) = 1

DNS stinks for LCS.

Certs came from a standalone CA on the DC.  An enterprise CA would not give me private keys on the certs unless I moved the DC to Server Enterprise which I was unwilling to do.

It is amazing what we have to re-learn at times, eh wot?


CA woes

My new project is kicking off, and my first task is to build my lab.

As the new project involves LCS 2005, I need to be able to issue certificates from my own PKI, so I installed my CA - but I did it as an Enterprise CA on a ws03 Std server.

Because LCS 2005 is such a bear on certs, my first round of testing on the CA involved getting some test certs with SAN entries that included exportable private keys.  Just to make sure I can do it and have it be right the first time through.

This forced me to relearn certutil.exe and certreq.exe.

I also relearned certreq.inf files....very handy - I cannot believe I ever stopped using that method.  Well, I know why: OCS 2007 has a cert wizard that works really well.

At any rate it seems that there is no way to get an Enterprise CA running on ws03/08 standard edition server to give you private keys.  The issue is converting/duplicating the existing webserver template which makes the new template a v2 template - and to use that new template requires enterprise server edition.  arrrgh.

No amount of tweaking the inf file allowed me to get a private key with the cert - the private key simply is not included with the issued certificate.

My search for a solution will continue, as I need this to work.  My short term solution was to fall back to a Standalone CA, which allows the private keys very easily.  arrgh.  I wanted an Enterprise CA.
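For reference, a request file of the kind described above, for a SAN certificate with an exportable key submitted to a standalone CA. This is an added example, not the inf file used in this lab; the host names, the CA config string and the file names are placeholders, and the certreq/certutil steps are given as comments.

```ini
; request.inf: constructed example; host names and CA name are placeholders.
; Workflow, run on the server that will use the certificate:
;   certreq -new request.inf request.req
;   certreq -submit -config "CAHOST\CA-Name" request.req
;   (standalone CA: the request stays pending until an admin issues it)
;   certreq -retrieve -config "CAHOST\CA-Name" <RequestId> server.cer
;   certreq -accept server.cer
; For the SAN attribute below to be honored, the CA policy module needs:
;   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
;   net stop certsvc & net start certsvc
; With that flag set the CA copies whatever SAN the requester supplies, so
; leave the standalone CA on its default of holding requests as pending and
; review the requested names before issuing.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=pool01.lab.example"
Exportable = TRUE          ; key pair is generated locally and marked exportable
KeyLength = 2048
KeySpec = 1                ; AT_KEYEXCHANGE
KeyUsage = 0xA0            ; Digital Signature, Key Encipherment
MachineKeySet = TRUE       ; computer store, not the user profile
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1      ; Server Authentication

[RequestAttributes]
; Standalone CA: no CertificateTemplate line.
SAN="dns=pool01.lab.example&dns=sip.lab.example"
```

After `certreq -accept`, the certificate sits in the local computer store bound to the key created by `certreq -new`, and can be exported as a PFX from the Certificates MMC.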
