Renew Machine Certificate for multiple Servers

Similar Messages

• Is it possible to run one ud script to update parms for multiple servers...

  Is it possible to run one ud script to update certain parameters in mib for multiple
  servers by giving multiple occurrences of the parameter and server id. I tried
  a ud script as follows and it seem to update the parameter for only the first
  server.
  SRVCNM .MIB
  TA_CLASS T_SERVER
  TA_OPERATION SET
  TA_SRVID 101
  TA_SRVID 102
  TA_SRVID 103
  TA_CLOPT -A -r -e srv1.err --
  TA_CLOPT -A -r -e srv2.err --
  TA_CLOPT -A -r -e srv3.err --

  From the ud's output, it looks like it used only one occurrence of the fields that
  I provided.
  "james mathew" <[email protected]> wrote:
  >
  Is it possible to run one ud script to update certain parameters in mib
  for multiple
  servers by giving multiple occurrences of the parameter and server id.
  I tried
  a ud script as follows and it seem to update the parameter for only the
  first
  server.
  SRVCNM .MIB
  TA_CLASS T_SERVER
  TA_OPERATION SET
  TA_SRVID 101
  TA_SRVID 102
  TA_SRVID 103
  TA_CLOPT -A -r -e srv1.err --
  TA_CLOPT -A -r -e srv2.err --
  TA_CLOPT -A -r -e srv3.err --

• Is it possible to use single ssl certificate for multiple server farm with different FQDN?

  Hi
  We generated the CSR request for versign secure site pro certificate
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  SSL Certificate for cn=abc.com   considering abc.com as our major domain. now we have servers in this domain like    www.abc.com,   a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
  And the same message when trying to access https://www.abc.com from Google Chrome.
  "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
  so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
  Now my question is
  1. Is is possible to  remove above errors doing some ssl configuration on ACE?
  2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate  for CSR generated uisng cn =abc.com to be installed on ACE  and will be used  for all servers like  www.abc.com , a.abc.com etc..
  Thanks
  Waliullah

  If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't beause your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
  Hope this helps,
  Sean

• Renew SSL Certificate for for two Exchange 2010 Server and the new rules.

  I find DigitCert's website always helpful with cert questions.They've got a pretty helpful page here: https://www.digicert.com/internal-names.htmIt looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htmI bet Microsoft have something on their website too that helps with this sort of question.I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  Hi there , 
  My exchange 2010 Server Certificate is about to expire and i am going to renew it but according to the new rules for SSL Certificate Issuing we can not include our Local Servers Names and Local FQDN such as myserver.contoso.local, my issue is that i have 2 exchange servers one is internet-facing Server (where the certificate is initiated and installed) and one is non-internet-facing Exchange server.
  if i am going to renew my certificate with public only name, I have to create a split Domain that reflects my external links to the internal Users, what shall i do for the non-internet-facing server? do i need to create another record in my split DNS Server and add it to my Certificate Request ? 
  This topic first appeared in the Spiceworks Community

• Selective IP filtering for multiple servers in a domain?

  Is it possible to have IP filtering on for certain servers in a
  domain, and not for others?
  This is the situation:
  I am deploying two servers in mydomain, so let's call it serverA
  and serverB. I want serverA to accept all connections while
  serverB accepts connections only from certain IPs. I know you
  can do IP filtering using SimpleConnectionFilter in the
  "Connection Filter" option in Security->General tab of the Admin
  console, but this turns on IP filtering for BOTH serverA and
  serverB! How do I turn it on for one, and not the other? Any
  help would be greatly appreciated. Thank you.
  Leon

  Hi,
  Yes you can have muliple servers in a domain. You can create as many managed
  servers as your hardware can handle. When you added the server, did you use the
  startManagedWebLogic.sh (or .cmd) script to start the server. Once you do that,
  you should see the server as running.
  Hope this helps,
  pat
  "MS" <[email protected]> wrote:
  >
  Hello All,
  Is it possible to have multiple servers in a domain?
  When I add a new server, the State is reported in the weblogic console
  as "UNKNOWN".
  What does this mean?
  rgds
  MS

• SSL Certificates for J2EE Servers

  We have a security requirement to make all our servers SSL/HTTPS compliant.  We have a J2EE Application Server.  To satisfy this requirement for this server, does anyone know if we need to install an SSL certificate?  We are  installing Certificates on our 2 other SAP boxes but have not request one for this J2EE server.
  Please let us know if you have any insight.
  Thanks!

  Hi Shannon,
  The below link helps configuring SSL for J2EE servers:
  http://help.sap.com/saphelp_nw04/helpdata/en/db/1f1740198d8f5ce10000000a155106/frameset.htm
  -> Configuring SSL on SAP J2EE
  A key pair is required for the SAP J2EE to use SSL. This key pair can be created from the Visual admin. But to use this, the public key should be certified by "any Certifying authority(CA)". This CA can depend on your choice. In case you opt for SAP CA, follow the instructions on http://service.sap.com/tcs
  Regards
  Srikishan

• Single RTMP Link for multiple servers

  Hi,
  can i use a single RTMP link included on FMLE with multiple servers, means, that RTMP link will do the redirection to the other RTMP links.
  with hight number of simultanous users, that feature will manage the use of  servers
  Regards,
  Morsi

  As I understand you want to publish single stream to multiple server, so that you can load balance the subscribers..
  So the answer is .. that this is possible with FMS.. FMS provides ways to scale you infrastructure.. So you might use "Multi-point publishing feature" of the FMS. This feature allows you to forward your RTMP streams from one FMS server to another FMS server..
  You may find the useful link here : http://help.adobe.com/en_US/FlashMediaServer/3.5_Deving/WS5b3ccc516d4fbf351e63e3d11a0773d5 6e-7ffb.html
  There is another way to publish the same stream to two server.. From FMLE, you can publish the same stream to at most 2 server.. In FMS you can simultaneously connect to at max two servers.. There are two connection URL edit boxes " FMS URL, and Backup URL" You may provide both for two different FMS servers..
  Let me know does the information help.. It would be really good if you can elaborate your use case.. because just for the purpose of scaling.. there are multiple options, like edge-origin server topology, DVRCast or live cast set-up, multipoint-point publishing etc.. But what to use actually depends upon the use case...

• SSL certificates for multiple websites

  I am having problems with websites recognizing the SSL certificate assigned to said site. For example, I have three secure websites; (1) x.abc.com, (2) y.abc.com, and (3) z.abc.com. All are setup for SSL with associated SSL certificates from a signed authority. However, when I browse to said sites, I receive an SSL mismatch error pertaining to the domain name. For whatever reason, two of the sites want to use the main site SSL certificate.
  I have verified that the sites are setup correctly with the proper SSL certificate and restarted web services. Any ideas?
  Thanks!

  You do this by IP Aliasing the machine
  Oh, you were referring to IP Aliases. Sorry. I interpreted your comment as meaning Server Aliases within Apache (where multiple hostnames map to the same virtual host configuration).
  My bad.
  So we're both right - you need multiple IP addresses on your server (either by duplicating the inteface in System Preferences, or through IPAliases.conf) and you need to bind one SSL site to each IP address (although you could also use different port numbers on the same IP address in Apache).
  If you're using NAT you still need multiple public IP addresses that forward to each of the IP Aliases (or virtual hosts).

• DNS set-up for multiple servers?

  I need some DNS advice....
  I am replacing our old OS Leopard server (that provided web hosting, email, file serving, dns, etc.) with four new Mac Mini Servers (Maverick) to distribute the services. We had an issue on the old machine's fileserver service that brought all services to a halt and then the employees to a halt.
  Since one machine was the central hub of everything it was easy to set-up the DNS to point to it for everything. Now that I have four machines (one of them serving the DNS) I need to know how to point to the other services. The DNS user interface only allows me to input DNS infer for that particular server. How do I add names and address in the DNS to point to the other three servers?
  Thanks in advance.
  Brian

  To add to MrHoffman's advice, as long as the two machines have different IP addresses, they will only know about each other if you tell them.
  For example, server.gilliland.com is running Leopard and is at address 172.16.0.10.  You want a new device to also be know as server.gilliland.com but don't want to shut the other one down.  Ok, give it another address, 172.16.0.11 for example and define on it DNS that points server.gilliland.com to 172.16.0.11.  As far as the new server knows, it is server.gilliland.com and is start of authority for the gilliland.com domain.  The old server thinks the same thing.  But as long as you don't tell either about the other, they will live happily in the belief that they are the one and only server.gilliland.com server.
  Now, as longs are you are already relying on DNS (meaning nothing is linked via IP), then you can completely build you entire new OD cluster while the old systems is still running.  DHCP will tell everyone to use DNS from the old server.  You new servers will be configured with new DNS and they will all be in on the new secret.  When you are ready to make the migration to the new cluster, change DHCP and push new DNS out to the clients.  As long as they connect by name (server.gilliland.com) they will not miss a beat.
  Depending on your services, this can be done with almost no downtime.  Got lots of data?  rsync it.  The biggest headache you will have is likely the mail migration.  That is a torture I wish on no one.  Make sure you have a backup plan, a regression plan, a head for the border plan, and then an alternate plan for when all of those plans fall apart.  I also suggest closing your port forwards on the firewall when you decide to move mail.  This will allow you to validate the migration without new mail coming in.  Thus, if something goes wrong, but not completely "the sky is falling" wrong, then you can restore the old server, open the firewall, and live to try again another day.
  Reid
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
  Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

• Same certificates for two servers using Sun Java WS 6.1sp5 with Crypto card

  Hi,
  I have 2 Sun java webserver 6.1 sp5 installed on two machines as :
  Single webserver1 instance on hostmachine1
  Single webserver1 instance on hostmachine2.
  (both instance names are same)
  I have created server certificate and installed it using External cryptographic module: Sun Crypto Accelerator 500 on hostmachine1.
  It is perfectly working fine.
  Now,for hostmachine2, I created trust database with same password as for hostmachine1, I copied the two files
  https-webserver1-hostmachine1-key3.db and
  https-webserver1-hostmachine1-cert8.db from hostmachines1 and then put on the hostmachines2 (in an serverroot/alias folder ) and then renamed them as
  https-webserver1-hostmachine2-key3.db and
  https-webserver1-hostmachine2-cert8.db
  Then I went to preferences->Edit socket listen, but security was disabled.
  I restarted the webserver, but security was still disabled.
  What is the problem??
  Please inform me as well as at my email address [email protected]
  Please do reply me as I am waiting anxiously.
  Thanks.
  Taqi

  Hello,
  The problem you are reporting is not expected.
  Hope you are not trying on admin server.
  I am not sure why you removed all files from alias directory.
  Please do the following in a fresh installation:-
  1) install ws6.1sp5.
  2) copy cert and key db from the working systems to the alias
  directory of the instance.
  3) move the db files to the new name (make this name right).
  4) through admin server GUI select instance (Manage server).
  5) go to edit listen socket.
  6) turn on security and select OK.
  7) then press Apply button.
  8) then press Apply changes.
  9) it will restart your instance server and will ask you for the password.
  10) supply the security password of the first server.
  11) it will restart your instance server in https mode.
  This works fine.

• How to install and config multi server certificates for hardware servers within one server instance(using different IP addresses?

   

  Hi,
  I hope your questions is like this.
  one instance is there, and want to install multiple server certs.
  Ans:-
  I don't think you can install individual certs for all of them. which is not possible, but you can install server certs for particular classes.
  In one instance,you can have multiple h/w virtual servers each binded to one ip.
  This is possible in iws 6.0,you can install different certs for different virtual classes.
  Thanks,
  Daks.

• SQL Agent jobs status for multiple servers using Powershell.

  Hi All,
  I am following website link:
  http://www.toadworld.com/platforms/sql-server/b/weblog/archive/2013/09/17/powershell-script-to-monitor-a-service-on-a-group-of-servers-html-formatted-email-output.aspx
  I require to gather status details about all the SQL Agent jobs in the environment on multiple SQL Servers.
  I tried to edit the script using:
  [void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SMO")
  $sqlServerName = 'localhost\developer'
  $sqlServer = New-Object Microsoft.SqlServer.Management.Smo.Server($sqlServerName)
  foreach($job in $sqlServer.JobServer.Jobs)
      $job | select Name, OwnerLoginName, IsEnabled, LastRunDate, LastRunOutcome, DateCReated, DateLastModified
  but SQL Agent jobs are not reflecting in the mail output...
  requesting help...!!
  Thanks in Advance.
  Hunt

  I've created a new script for you.  Let me know if you've any questions
  Create the function
  Function Get-SQLJobHTMLReport
  param(
  [String]$ComputerList,[string]$Outputfile,[String]$To,[String]$From,[string]$SMTPMail
  New-Item -ItemType file $Outputfile -Force
  # Function to write the HTML Header to the file
  Function writeHtmlHeader
  param($fileName)
  $date = ( get-date ).ToString(‘yyyy/MM/dd’)
  Add-Content $fileName “<html>”
  Add-Content $fileName “<head>”
  Add-Content $fileName “<meta http-equiv=’Content-Type’ content=’text/html; charset=iso-8859-1′>”
  Add-Content $fileName ‘<title>Service Status Report </title>’
  add-content $fileName ‘<STYLE TYPE=”text/css”>’
  add-content $fileName “<!–”
  add-content $fileName “td {“
  add-content $fileName “font-family: Tahoma;”
  add-content $fileName “font-size: 11px;”
  add-content $fileName “border-top: 1px solid #999999;”
  add-content $fileName “border-right: 1px solid #999999;”
  add-content $fileName “border-bottom: 1px solid #999999;”
  add-content $fileName “border-left: 1px solid #999999;”
  add-content $fileName “padding-top: 0px;”
  add-content $fileName “padding-right: 0px;”
  add-content $fileName “padding-bottom: 0px;”
  add-content $fileName “padding-left: 0px;”
  add-content $fileName “}”
  add-content $fileName “body {“
  add-content $fileName “margin-left: 5px;”
  add-content $fileName “margin-top: 5px;”
  add-content $fileName “margin-right: 0px;”
  add-content $fileName “margin-bottom: 10px;”
  add-content $fileName “”
  add-content $fileName “table {“
  add-content $fileName “border: thin solid #000000;”
  add-content $fileName “}”
  add-content $fileName “–>”
  add-content $fileName “</style>”
  Add-Content $fileName “</head>”
  Add-Content $fileName “<body>”
  add-content $fileName “<table width=’100%’>”
  add-content $fileName “<tr bgcolor=’#CCCCCC’>”
  add-content $fileName “<td colspan=’4′ height=’25′ align=’center’>”
  add-content $fileName “</td>”
  add-content $fileName “</tr>”
  add-content $fileName “</table>”
  # Function to write the HTML Header to the file
  Function writeTableHeader
  param($fileName)
  Add-Content $fileName “<tr bgcolor=#CCCCCC>”
  Add-Content $fileName “<td width=’10%’ align=’center’>ServerName</td>”
  Add-Content $fileName “<td width=’50%’ align=’center’>Name</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>OwnerLoginName</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>IsEnabled</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>LastRunDate</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>LastRunOutcome</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>DateCReated</td>”
  Add-Content $fileName “<td width=’10%’ align=’center’>DateLastModified</td>”
  Add-Content $fileName “</tr>”
  Function writeHtmlFooter
  param($fileName)
  Add-Content $fileName “</body>”
  Add-Content $fileName “</html>”
  Function writeDiskInfo
  param($filename,$Servername,$name,$OwnerLoginName,$IsEnabled,$LastRunDate,$LastRunOutcome,$DateCReated,$DateLastModified)
  Add-Content $fileName “<tr>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$servername</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$name</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$OwnerLoginName</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$IsEnabled</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$LastRunDate</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$LastRunOutcome</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$DateCReated</td>”
  Add-Content $fileName “<td bgcolor=’#FF0000′ align=left ><b>$DateLastModified</td>”
  Add-Content $fileName “</tr>”
  writeHtmlHeader $Outputfile
  Add-Content $Outputfile “<table width=’100%’><tbody>”
  Add-Content $Outputfile “<tr bgcolor=’#CCCCCC’>”
  Add-Content $Outputfile “<td width=’100%’ align=’center’ colSpan=8><font face=’tahoma’ color=’#003399′ size=’2′><center><strong> SQL Server Agent Job Details</strong></font></td>”
  Add-Content $Outputfile “</tr>”
  writeTableHeader $Outputfile
  #Change value of the following parameter as needed
  Foreach($ServerName in (Get-Content $ComputerList))
  $sqlServer = New-Object Microsoft.SqlServer.Management.Smo.Server($ServerName)
  foreach($item in $sqlServer.JobServer.Jobs)
  Write-Host $sqlServer $item.name $item.OwnerLoginName $item.IsEnabled $item.LastRunDate $item.LastRunOutcome $item.DateCReated $item.DateLastModified
  writeDiskInfo $Outputfile $sqlServer $item.name $item.OwnerLoginName $item.IsEnabled $item.LastRunDate $item.LastRunOutcome $item.DateCReated $item.DateLastModified
  Add-Content $Outputfile “</table>”
  writeHtmlFooter $Outputfile
  Function sendEmail
  param($from,$to,$subject,$smtphost,$htmlFileName)
  [string]$receipients=”$to”
  $body = Get-Content $htmlFileName
  $body = New-Object System.Net.Mail.MailMessage $from, $receipients, $subject, $body
  $body.isBodyhtml = $true
  $smtpServer = $smtphost
  $smtp = new-object Net.Mail.SmtpClient($smtphost)
  $smtp.Send($body)
  write-output “Email Sent!!”
  $date = ( get-date ).ToString(‘yyyy/MM/dd’)
  sendEmail -from $From -to $to -subject “Service Status – $Date” -smtphost $SMTPMail -htmlfilename $Outputfile
  Get-SQLJobHTMLReport -ComputerList f:\powersql\server.txt -SMTPMail hq.abc.com -To [email protected] -From [email protected] -Outputfile F:\Powersql\jobs.htm
  --Prashanth

• CSS11501 - URL Redirect for Multiple Servers For Both Ports 80 & 443

  Can the CSS rules be configured such that it can be used to direct requests to different Web servers based upon,
  URL path? 
  For Both Ports 80 & 443/HTTPS (with SSL Certificate running on the back-end servers)
  For example:
  http://app.ti.com/path1/file.html goes to Web servers A & B -> old servers
  https://app.ti.com/path1/file.html goes to Web servers A & B -> "
  http://app.ti.com/path2/file.html goes to Web servers C & D -> new servers
  https://app.ti.com/path2/file.html goes to Web servers C & D -> "
  We're trying to understand what are plans are for a phased migration from old site to new site, and if it requires new URLs ???
  Fort port 443, since the CSS is load balancing SSL encrypted traffic, is the means that the CSS can’t look at URL thus this is not possible?
  Please help, thanks.

  Hi Martin,
  1) Clients are using http://domain/, thus I need to define url "//domain/.." as you have stated.
  2) I'm still waiting for the "actual" URL paths from the application team in order to decide which method to use - Regexp vs URLQ definition - to begin testing.
  I know I have limited memory resource (as listed below) & will try not to make it complicated:
  System Resources for CSS501-SCM-INT:
  Installed Memory:   268,435,456 (256 MB)
  Free Memory:        135,414,448 (129 MB)  ****
  CPU:                0% (5Sec)     1% (1Min)     0% (5Min)
  Buffer Statistics:
  Buffer Pool: 0
     Size:2048  Total:3072  Available:2792  Failures:  0  Low Buffer Count: 2748
  Buffer Pool: 1
     Size:2048  Total:3072  Available:2800  Failures:  0  Low Buffer Count: 2800
  Buffer Pool: 2
     Size:2048  Total:2048  Available:1956  Failures:  0  Low Buffer Count: 1900
  Thanks Martin, you've been a big help!
  Diane Ly  

• Open same port for multiple servers.

  I am sorry if this sounds rudimentary, but I wanted to make sure. I want to open up port 80 to more than one web server. I already have port 80 open on one public IP address and have another one ready to use for another server. My assumption is that I should just be able to create a policy using the additional IP address and use port 80 without any issues. Is that correct to assume? I would also like to know, how one would do this is they only had one public IP address. I believe these should be relatively easy questions for the experts here. Thanks.  

  If you have a netblock from which you can assign multiple IP addresses then, yes - just asign additional access-list entries and static NAT entries.
  If you only had a single (or limited number all in use) public IP address then you would have to use some sort of PAT (port address translation). for instance:
  server 0 is <outside address>:80
  server 1 is <outside address>:81
  server 2 is <outside address>:82
  ..etc. Your remote users would then have to specify the non-default port (80/81/82) when browsing to the site.

• Best way to configure search toplogoy for multiple servers farm??

  Hi,
  My farm environment is 2 WFE and 2 App servers. Right now i am trying to configure Search Topology. what will be the best way to configure the search topology for this farm, so that query and crawling will be working perfectly. one thing i noticed with my
  previous search application Crawl DB had grown 140 GB, i dont know why it happened. please look at the following screen shot, this the current topology but i want to distribute component to different server.
  Any help will be appreciated!!

  The best topology depends on whether you want it to be fault tolerant or not. For a fault tolerant design with this number of servers I normally create two Index Partitions 0 and 1 with each on one of the App servers.  I then create Replicas of each
  partition on the front end servers. I then put the query role on both web fronts ends and the crawl role on both Ap servers.  So I end up with the following:
  FE1 = Index Replica 0 + Query
  FE2 = Index Replica 1 + Query
  Ap1 = Index 0 + Crawl
  Ap2 = Index 1 + Crawl
  Paul Stork SharePoint Server MVP
  Principal Architect: Blue Chip Consulting Group
  Blog: http://dontpapanic.com/blog
  Twitter: Follow @pstork
  Please remember to mark your question as "answered" if this solves your problem.