
Category: Windows Server 2008


Bob had a great question when it came to published CRL’s vs Online responders.

“Why is one preferred, and when is one used over the other?”

To get to the bottom of this, let's see how the validation process works. See the TechNet topic Certificate Revocation and Status Checking, from which the following is taken.

Certificate Status Checking

When an application requests the certificate chaining engine to evaluate a certificate, the validation is performed on all certificates in that certificate’s chain. This includes every certificate from the leaf certificate presented to the application to the root certificate.

When the first certificate in the chain is validated, the following process takes place.

  1. The chaining engine will attempt to find the certificate of the CA that issued the certificate being examined. The chaining engine will inspect the local system certificate stores to find the parent CA certificate. The local system stores include the CA store, the Root store, and the Enterprise Trust store. If the parent CA certificate is not found in the local system certificate stores, the parent CA certificate is downloaded from one of the URLs available in the inspected certificate's AIA extension. The paths are built without signature validation at this time because the parent CA certificate is required to verify the signature on a certificate issued by the parent CA.

  2. For all chains that end in a trusted root, all certificates in the chain are validated. This involves the following steps.

    • Verify that each certificate’s signature is valid.

    • Verify that the current date and time fall within each certificate’s validity period.

    • Verify that each certificate is not corrupt or malformed.

  3. Each certificate in the certificate chain is checked for revocation status. The local cache is checked to see if a time valid version of the issuing CA’s base CRL is available in the cache. If the base CRL is not available in the local cache, or the version in the local cache has expired, the base CRL is downloaded from the URLs available in the CDP extension of the evaluated certificate. If available, it is confirmed that the certificate’s serial number is not included in the CA’s base CRL.

    When a root certificate (a certificate that contains the same DN for both the Subject and Issuer attributes) is encountered, a revocation check may or may not occur. The certificate chaining engine's behavior depends on whether the application enables the CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag. If the flag is enabled, which is the default, the root CA's certificate is not checked for revocation. If the flag is not enabled, the root CA certificate is checked for revocation if it includes the CDP extension; if the CDP extension is not included, no revocation check is performed.

    Note  Windows XP RTM and Windows XP SP1 will perform revocation checking as the chain is built, rather than only performing revocation checking on chains that end at a trusted root CA.

  4. If the base CRL contains the Freshest CRL extension, the local cache is checked to see if a time valid version of the issuing CA’s delta CRL is available in the cache. If available, it is confirmed that the certificate’s serial number is not included in the CA’s delta CRL. If the delta CRL is not available in the local cache, or the version in the local cache has expired, the delta CRL is downloaded from the URLs available in the CDP extension of the evaluated certificate.

    Warning  If delta CRLs are enabled at a CA, both the base CRL and delta CRL must be inspected to determine the certificate’s revocation status. If one of the two, or both, are unavailable, the chaining engine will report that revocation status cannot be determined, and an application may reject the certificate.

Once the validation check is completed, the certificate chaining engine returns the results of the validation check to the calling application. The results will indicate if all certificates in the chain are valid, if the chain terminates at a non-trusted root CA, if any certificates in the chain are not valid, or if the revocation status for any of the certificates in the chain cannot be determined.

Note  If any certificate in the chain cannot be validated or is found to be revoked, the entire chain takes on the status of that one certificate.
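The steps above are what the Windows chaining engine does for you; the following is an added example (not from the original post or from TechNet) that drives that engine from PowerShell through .NET's X509Chain so the outcome of each step shows up as a ChainStatus entry. The certificate path is an assumption; any DER or Base64 certificate file will do.

```powershell
# Added example: ask the Windows certificate chaining engine to build and
# revocation-check a chain, and report per-element results. Not part of the post.

function Test-CertChainRevocation {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        # ExcludeRoot is the engine's default (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT):
        # every certificate except the self-signed root is revocation-checked.
        # EntireChain also checks the root (only possible if the root carries a CDP);
        # EndCertificateOnly checks just the leaf.
        [ValidateSet('ExcludeRoot', 'EntireChain', 'EndCertificateOnly')] [string] $Flag = 'ExcludeRoot'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online = use the local CRL cache when it holds a time-valid copy, otherwise fetch the
    # base CRL / delta CRL (or query an OCSP responder listed in the AIA) over the network.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]$Flag
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $valid = $chain.Build($cert)

    # One row per element, leaf first and root last, with that element's own status flags.
    # Statuses you will see from the steps in the post: NotSignatureValid, NotTimeValid,
    # UntrustedRoot, Revoked, and RevocationStatusUnknown / OfflineRevocation when a
    # required base or delta CRL could not be obtained.
    $elements = foreach ($el in $chain.ChainElements) {
        $flags = @($el.ChainElementStatus) | ForEach-Object { $_.Status }
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Status  = if ($flags.Count -eq 0) { 'OK' } else { $flags -join ', ' }
        }
    }

    [pscustomobject]@{
        Valid       = $valid
        ChainStatus = (@($chain.ChainStatus) |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Elements    = $elements
    }
}

# Usage (assumed path): compare the default with a check that includes the root
Test-CertChainRevocation -CertPath 'C:\temp\user.cer'
Test-CertChainRevocation -CertPath 'C:\temp\user.cer' -Flag EntireChain
```

Because the whole chain inherits the status of its worst element (the note above), a single RevocationStatusUnknown on an intermediate is enough for Valid to come back $false. To see which CRL, delta CRL or OCSP URL the engine actually tried for each element, run certutil -verify -urlfetch against the same file; its output is the quickest way to tell a missing delta CRL from a revoked certificate.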

 

Ok, now that we've got the validation part down, let's take a peek at Online Responders. What do they do differently than a CA and its published CRLs?

An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.

The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.

In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. For example:

  • Clients that connect to the network remotely and either do not need or do not have the high-speed connections required to download large CRLs.
  • A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed e-mail simultaneously.
  • An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft certification authority (CA).
  • An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.

Now the application has to be configured to use an Online Responder; it's not going to just figure it out on its own.

Bob from this week's 6426 class posed the following question: "I have some users who access multiple SQL databases. Can ILM or FIM automate password changes across them?"

I grabbed the information from the Understanding Forefront Identity Manager 2010 white paper, which is accessible via the link. Here are a few choice excerpts:

  • Heterogeneous identity synchronization & consistency. FIM 2010 delivers integration with a broad range of network operating systems, e-mail, database, directory, application, and flat-file access. FIM 2010 supports connectors for Active Directory, Novell, Sun, IBM, Lotus Notes, Microsoft Exchange Server, Oracle databases, Microsoft SQL Server™ databases, SAP and others. This provides organizations with the power to connect and synchronize the plethora of disparate sources of identity information in their company, in most cases without the need to install software of any kind on the target systems. Since in some cases it might be necessary to connect to custom or legacy applications unique to a specific organization, FIM 2010's extensible agent capabilities enable companies to integrate and manage identities for these applications by developing custom agents in the Microsoft Visual Studio® development environment.

 

  • Simplified sign-on by synchronizing passwords across systems. Importantly, FIM 2010 provides a simplified sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems.

Sorry for the long drought between blog posts. Things have been busy with teaching day and night classes! (Sorry Chris!)

Looking to move to a new Windows Server 2008 print server? Not wanting to go through the hassle of migrating the logical printers and settings? Dan from today's Windows 7 deployment class brought up a wicked tool we administrators can use for print server migrations.

The following is taken from our friends at TechNet: Migrate Print Servers.

Tools for print server migration

The tool you use to migrate print servers is determined by:

  • The source operating system you want to migrate from.
  • The destination operating system you want to migrate to.
  • Whether the migration involves 64-bit operating systems and drivers.

Migrating to computers running Windows Server 2003

If you are migrating from Windows NT Server 4 or Windows 2000 Server to Windows Server 2003, you must use Print Migrator 3.1. Print Migrator 3.1 will not work with Windows Vista or later operating systems. It is unable to work with system drivers. To migrate between x64 Windows Server 2003 systems, use the Print Migration Wizard.

Note

Print Migrator 3.1 is no longer supported by Microsoft. The Printer Migration Wizard and the Printbrm.exe command-line tool were introduced in Windows 7 to replace it. For more information about this decision, see the blog Ask the Performance Team (http://blogs.technet.com/askperf/archive/2008/10/17/why-printmig-3-1-is-retired.aspx).

Migrating to computers running Windows Server 2008 R2

Use the Printer Migration Wizard or the Printbrm.exe command-line tool to migrate to a computer running Windows Server 2008 R2. Use the Printbrm.exe command-line tool on computers running Windows Vista, and Windows Server 2008. On Windows Server 2003, you can only use it to remotely manage print servers.

 

Now the new tool can be used either from the new printer management console or from the command line!
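The command-line side of that tool, as an added example that is not from the original post or from TechNet: a backup from the old server and a restore onto the new one with Printbrm.exe, run from an elevated prompt on the Windows 7 or Windows Server 2008 R2 machine doing the migration. Server names and the export path are assumptions.

```powershell
# Added example: migrate print queues, ports, drivers and settings with Printbrm.exe.
# Run elevated on the machine that does the migration (Windows 7 / Server 2008 R2).
$OldServer  = '\\PRINT01'                                    # assumed: source print server
$NewServer  = '\\PRINT02'                                    # assumed: new Server 2008 R2 print server
$ExportFile = 'C:\PrintMigration\printers.printerExport'     # assumed: export file location
$Printbrm   = "$env:SystemRoot\System32\spool\tools\Printbrm.exe"

New-Item -ItemType Directory -Path (Split-Path $ExportFile) -Force | Out-Null

# 1. Back up everything from the old server into a single .printerExport file
#    (-s selects a remote server, -b = backup, -f = file)
& $Printbrm -s $OldServer -b -f $ExportFile

# 2. Query the file to see which queues, drivers and ports it holds before restoring
& $Printbrm -q -f $ExportFile

# 3. Restore onto the new server (-r = restore); -o force overwrites queues that
#    already exist with the same name on the destination
& $Printbrm -s $NewServer -r -f $ExportFile -o force
```

The "64-bit operating systems and drivers" bullet above is the thing to watch at step 3: the file carries the source server's drivers, so a queue whose only driver is x86 has nothing to load on an x64 destination. Printbrm reports those queues in its restore output, and they need an x64 driver added by hand afterwards.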

 

Ryan from our 6426 class this week was looking for some more detailed information on how to use some of these great Identity and Access Control features in WS2008 with his SharePoint collections! Here ya go!

 

AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0

 

Ryan from this week's 6426 class asked just that. So here we go, buddy! Taken from this TechNet article:

What are the major changes?

Active Directory® Certificate Services (AD CS) in Windows Server® 2008 R2 introduces features and services that allow more flexible public key infrastructure (PKI) deployments, reduce administration costs, and provide better support for Network Access Protection (NAP) deployments.

The AD CS features and services in the following table are new in Windows Server 2008 R2.

Feature: Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service
Benefit: Enables certificate enrollment over HTTP.

Feature: Support for certificate enrollment across forests
Benefit: Enables certification authority (CA) consolidation in multiple-forest deployments.

Feature: Improved support for high-volume CAs
Benefit: Reduced CA database sizes for some NAP deployments and other high-volume CAs.

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

The certificate enrollment Web services are new AD CS role services that enable policy-based certificate enrollment over HTTP by using existing methods such as autoenrollment. The Web services act as a proxy between a client computer and a CA, which makes direct communication between the client computer and CA unnecessary, and allows certificate enrollment over the Internet and across forests.

Who will be interested in this feature?

Organizations with new and existing PKIs can benefit from the expanded accessibility of certificate enrollment provided by the certificate enrollment Web services in these deployment scenarios:

  • In multiple-forest deployments, client computers can enroll for certificates from CAs in a different forest.
  • In extranet deployments, mobile workers and business partners can enroll over the Internet.

Are there any special considerations?

The Certificate Enrollment Web Service submits requests on behalf of client computers and must be trusted for delegation. Extranet deployments of this Web service increase the threat of network attack, and some organizations might choose not to trust the service for delegation. In these cases, the Certificate Enrollment Web Service and issuing CA can be configured to accept only renewal requests signed with existing certificates, which does not require delegation.

The certificate enrollment Web services also have the following requirements:

  • Active Directory forest with Windows Server 2008 R2 schema.
  • Enterprise CA running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
  • Certificate enrollment across forests requires an enterprise CA running the Enterprise or Datacenter edition of Windows Server.
  • Client computers running Windows® 7.

Which editions include this feature?

The certificate enrollment Web services are available in all editions of Windows Server 2008 R2.

Support for certificate enrollment across forests

Before the introduction of enrollment across forests, CAs could issue certificates only to members of the same forest, and each forest had its own PKI. With added support for LDAP referrals, Windows Server 2008 R2 CAs can issue certificates across forests that have two-way trust relationships.

Who will be interested in this feature?

Organizations with multiple Active Directory forests and per-forest PKI deployments can benefit from CA consolidation by enabling certificate enrollment across forests.

Are there any special considerations?

  • Active Directory forests require Windows Server 2003 forest functional level and two-way transitive trust.
  • Client computers running Windows XP, Windows Server 2003, and Windows Vista® do not require updates to support certificate enrollment across forests.

Which editions include this feature?

This feature is available on enterprise CAs running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter.

Improved support for high-volume CAs

Who will be interested in this feature?

Organizations that have deployed NAP with IPsec enforcement or other high-volume CAs can choose to bypass certain CA database operations to reduce CA database size.

NAP health certificates typically expire within hours after being issued, and the CA might issue multiple certificates per computer each day. By default, a record of each request and issued certificate is stored in the CA database. A high volume of requests increases the CA database growth rate and administration cost.

Are there any special considerations?

Because issued certificates are not stored in the CA database, certificate revocation is not possible. However, maintenance of a certificate revocation list for a high volume of short-lived certificates is often not practical or beneficial. As a result, some organizations might choose to use this feature and accept the limitations on revocation.

Which editions include this feature?

This feature is available on enterprise CAs running any edition of Windows Server 2008 R2.
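How the "high-volume CA" behaviour is actually switched on, as an added example that is not from the original post or from TechNet: the CA-side setting is a DBFlags registry flag set with certutil on the CA itself, and it only applies to requests made with certificate templates that have "Do not store certificates and requests in the CA database" enabled (a template option introduced with Windows Server 2008 R2 templates). Run it elevated on the 2008 R2 enterprise CA.

```powershell
# Added example: enable "volatile requests" on a Windows Server 2008 R2 enterprise CA so
# that certificates issued from templates marked "Do not store certificates and requests
# in the CA database" are never written to the CA database. Run locally on the CA.

# Show the current DBFlags value first so the change can be reverted if needed
certutil -getreg DBFlags

# Add the flag (the leading + adds to the existing DBFlags rather than replacing them)
certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS

# CA registry settings are read at service start
Restart-Service -Name certsvc

# Confirm the flag is now present
certutil -getreg DBFlags
```

The special consideration above is the real trade-off: a certificate that was never written to the database cannot be revoked, so only templates for genuinely short-lived certificates (NAP health certificates being the case TechNet describes) should carry the "Do not store" option. Templates without it keep being recorded exactly as before, flag or no flag.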

 
My Aldi guys in this week's 6419 Server 2008 class hit me up with some good questions on controlling the annoying new "Sharing Wizard" in Windows Server 2008. "Can we control that wizard? Can we turn it off locally or via Group Policy?" Thanks Jeff and Pete for the great questions! (One of which you answered yourself.)

First off, on the local machine we can disable it (still requiring the additional click for "Advanced Sharing", but getting you to the window faster) by going through Windows Explorer – Tools pulldown – Folder Options – View tab – bottom of the list, "Use Sharing Wizard (Recommended)" option: UNCHECK it. Done for the local machine.

Now the GP-based solution doesn't appear to be as clear. There is a setting under User Configuration – Policies – Administrative Templates – Windows Components – Network Sharing – "Prevent users from sharing files within their profile". Enable this and, according to this TechNet document:

Group Policy setting: Prevent users from sharing files within their profile

Purpose: Determines whether users are allowed to share files within their profile to other users on their network. Sharing of any kind is enabled only when an administrator has turned on file sharing on that computer.

If you enable this policy, users will not be able to share files within their profile using the sharing wizard. Also, the sharing wizard will not create a share at %SystemRoot%\users and can only be used to create SMB shares on folders.

If you disable or do not configure this policy, then users will be able to share files out of their user profile after an administrator has turned on file sharing on that computer.
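The registry switches behind the two approaches above, as an added example that is not from the original post or from TechNet. The first value is what the Folder Options checkbox toggles for the current user. The second is the value I understand the "Prevent users from sharing files within their profile" policy writes; that mapping is an assumption on my part, so confirm it against Explorer.admx (or a gpresult /h report) before relying on it, and set it through Group Policy rather than by hand in production.

```powershell
# Added example: the per-user registry values behind the Sharing Wizard controls.
# Not from the post; the policy value name is an assumption to be verified in Explorer.admx.

function Set-SharingWizard {
    param([bool] $Enabled)
    # Folder Options > View > "Use Sharing Wizard (Recommended)" for the current user.
    # 1 = checked (wizard on), 0 = unchecked (Advanced Sharing straight away).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name SharingWizardOn -Value ([int]$Enabled) -Type DWord
}

function Set-ProfileSharingPolicy {
    param([bool] $Prevent)
    # Assumed mapping of the user policy "Prevent users from sharing files within their
    # profile" (Windows Components > Network Sharing). Policy keys win over the user's
    # own Explorer\Advanced setting, which is why GP is the right place for it.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoInplaceSharing -Value ([int]$Prevent) -Type DWord
}

function Get-SharingWizardState {
    # Read both values back so the effect of a GPO refresh can be checked
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SharingWizardOn  = $adv.SharingWizardOn
        NoInplaceSharing = $pol.NoInplaceSharing
    }
}

Set-SharingWizard -Enabled $false        # same as unchecking the Folder Options box
Set-ProfileSharingPolicy -Prevent $true  # what the enabled GPO would apply to this user
Get-SharingWizardState
```

Explorer picks up the Advanced value the next time it starts; the Policies value is what the GPO setting described in the TechNet excerpt delivers, so after linking the GPO a gpupdate /force followed by Get-SharingWizardState is a quick check that it landed.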

 

David, one of my students in last week's Windows 7 class, asked a great question: "I really like the easy setup and deployment of BranchCache, how it won't saturate the link for repetitive file access. Can this be used with WSUS??"

AWESOME question, Dave! Here is where I defer to the POWER OF TECHNET!

Configuring a WSUS server to use BranchCache

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update. To learn more about WSUS server configuration, see Advanced Synchronization Options for WSUS (http://go.microsoft.com/fwlink/?LinkId=150597) on Microsoft TechNet.

This was liberated from http://technet.microsoft.com/en-us/library/dd637785(WS.10).aspx

And more info from the Advanced Synchronization Options page:

Branch offices

  • Using the BranchCache feature:
    BranchCache is a new feature in Windows 7 and Windows Server 2008 R2 that reduces WAN link utilization and improves application responsiveness. To enable BranchCache acceleration of content served by the WSUS server, install the BranchCache feature on the server and the clients, and ensure that the BranchCache service has started. No other steps are necessary. For information about installing BranchCache, see the BranchCache Early Adopter's Guide (http://go.microsoft.com/fwlink/?LinkId=148741).
  • Branch offices with low-bandwidth connections:
    In some organizations, branch offices have low-bandwidth connections to the central office but high-bandwidth connections to the Internet. In this case you may want to configure downstream WSUS servers to get information about which updates to install from the central WSUS server, but download the updates themselves from Microsoft Update. For information about how to set up this kind of configuration, see Advanced Synchronization Options.
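The two server-side steps from the excerpts above (install BranchCache, and make WSUS store update files locally rather than pointing clients at Microsoft Update), as an added example that is not from the original post or from TechNet. It uses the WSUS administration API that ships with WSUS 3.0 and is meant to be run elevated on the Windows Server 2008 R2 WSUS server itself.

```powershell
# Added example: prepare a Windows Server 2008 R2 WSUS server for BranchCache.
# Not from the post. Run elevated on the WSUS server.

# 1. Install the BranchCache feature and make sure its service (PeerDistSvc) is running
Import-Module ServerManager
Add-WindowsFeature BranchCache | Out-Null
Set-Service   -Name PeerDistSvc -StartupType Automatic
Start-Service -Name PeerDistSvc

# 2. Make WSUS download and keep update files locally. BranchCache can only cache content
#    the WSUS server serves itself; if HostBinariesOnMicrosoftUpdate is $true the clients
#    fetch the files straight from Microsoft Update and nothing is cached at the branch.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()
if ($config.HostBinariesOnMicrosoftUpdate) {
    $config.HostBinariesOnMicrosoftUpdate = $false
    $config.Save()
}

# 3. Report the resulting state
function Get-WsusBranchCacheState {
    $svc = Get-Service -Name PeerDistSvc
    [pscustomobject]@{
        BranchCacheService      = $svc.Status
        WsusStoresFilesLocally  = -not $wsus.GetConfiguration().HostBinariesOnMicrosoftUpdate
    }
}
Get-WsusBranchCacheState
netsh branchcache show status
```

Switching HostBinariesOnMicrosoftUpdate off tells WSUS to start downloading the update binaries for already-approved updates at its next synchronization, so expect a burst of traffic on the WSUS server's own Internet link before the branch offices see any benefit. The second bullet above (downstream servers that pull metadata from the central server but binaries from Microsoft Update) is the opposite setting and is the wrong choice for a BranchCache deployment.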
 
First things first: it's no longer called "Terminal Services"; it's been aptly renamed "Remote Desktop Services". That being said, we need to look at what has been changed, renamed and added in this R2 world. Below is a series of links to TechNet articles on all that has changed.
A past student of mine, Mike K., posed a great question to me today: "I had a request today to add a DHCP scope option #156 which has a string of ftp server=192.168.1.150. I went to the scope options dialog box and only saw this go as high as 121! Where / how can I set this?"

GREAT question, Mike! After some digging the answer revealed itself. He was right: this is NOT a place you can just randomly add a custom scope option. This can only be done at the server level. Now this is where it varies slightly from WS2k3 to 2k8. In Server 2003, you can right-click the server object in the DHCP MMC and select "Set Predefined Options"; on 2k8 server, right-click on IPv4 and choose the same. From here on it's identical (nearly).

So from here he was able to click on the Add... button and add it as the new code with the proper value type of String.
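The same two steps from the command line, as an added example that is not from the original post: netsh dhcp does exactly what the "Set Predefined Options" dialog does (define the option at the server level) and then what the scope's Configure Options dialog does (assign a value), and its syntax is the same on Windows Server 2003 and 2008. The option value is the one from Mike's question; the scope network ID and the option name are assumptions.

```powershell
# Added example: define and set a custom DHCP string option (code 156) with netsh.
# Not from the post. Run elevated on the DHCP server.
$Scope = '192.168.1.0'                # assumed: network ID of the scope to configure
$Value = 'ftp server=192.168.1.150'   # the value from Mike's request

# 1. Server level: define option 156 as a single (non-array) STRING. This is the part
#    the scope options dialog cannot do, and it is needed once per DHCP server.
netsh dhcp server add optiondef 156 FTPServer STRING 0 comment=CustomFtpServerOption

# 2. Scope level: now that 156 exists it can be assigned a value like any other option
netsh dhcp server scope $Scope set optionvalue 156 STRING "$Value"

# 3. Verify the definition and the scope value
netsh dhcp server show optiondef | Select-String '156'
netsh dhcp server scope $Scope show optionvalue
```

If step 1 is skipped, step 2 fails with an error that the option does not exist, which is the command-line version of the "only goes as high as 121" experience in the GUI.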
 
There were quite a few changes in R2 when it shipped and became generally available on Oct 22nd with Windows 7! Below is a link to a master list in TechNet where you can find some really good info!

Some of my favorites are the new Hyper-V 2.0, PowerShell 2.0, and the AD changes (AD Administrative Center, anyone?)!