Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

Hi,
Following this guide
http://technet.microsoft.com/library/hh831348.aspx
Questions:
1) I installed Exchange 2013 into this PKI on its own VM and tried to create a certificate for it using APP1 or ORCA1, but all the certificates are saying "INVALID". How can I fix this problem?
2) "The OID shown in the example is the Microsoft OID. Individual organizations should obtain their own OIDs. For more information about OIDs, see "
I got an OID as xxxxx (5 digit) not x.x.x.x.xxxx.xx.xx.x

Hi,
Have you tried this script below to obtain an OID?
Generate an Object Identifier
http://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06
More information for you:
Obtaining an Object Identifier from Microsoft
http://msdn.microsoft.com/en-us/library/windows/desktop/ms677620.aspx
I hope this helps.
Best Regards,
Amy Wang
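An OID is a dotted sequence of integer arcs, so a bare 5-digit number is only one arc and has to sit under a registered prefix before it is usable. The following Python example is added here and is not from the thread or from the linked TechNet script; it validates an OID string and derives a unique OID from a GUID under the Microsoft 1.2.840.113556.1.8000.2554 arc, which to my knowledge (an assumption) is the arc the linked "Generate an Object Identifier" script uses. An organization should put the GUID-derived arcs under its own registered prefix instead.

```python
"""Constructed example: validate a dotted OID and derive one from a GUID."""
import re
import uuid

# Microsoft's arc plus the sub-arc I assume the TechNet generator script uses;
# replace with your organization's registered prefix for production use.
MS_GUID_OID_PREFIX = "1.2.840.113556.1.8000.2554"

# First arc 0..2, then one or more dot-separated arcs without leading zeros.
OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")


def is_valid_oid(oid: str) -> bool:
    """True if `oid` is a syntactically valid dotted OID (X.660 rules).

    At least two arcs, no spaces or leading zeros, and when the first arc
    is 0 or 1 the second arc must be at most 39.
    """
    if not OID_RE.match(oid):
        return False
    arcs = [int(a) for a in oid.split(".")]
    if arcs[0] in (0, 1) and arcs[1] > 39:
        return False
    return True


def oid_from_guid(guid: str, prefix: str = MS_GUID_OID_PREFIX) -> str:
    """Turn a GUID (with or without hyphens) into seven decimal arcs under `prefix`.

    The 32 hex digits are cut into 4,4,4,4,4,6,6-digit groups; each group
    becomes one arc, so every arc stays below 2**24 and the result is as
    unique as the GUID it came from.
    """
    hexstr = uuid.UUID(guid).hex  # normalises to 32 lower-case hex digits
    cuts = [(0, 4), (4, 8), (8, 12), (12, 16), (16, 20), (20, 26), (26, 32)]
    arcs = [str(int(hexstr[a:b], 16)) for a, b in cuts]
    return prefix + "." + ".".join(arcs)


def new_oid() -> str:
    """Generate a fresh OID from a random GUID."""
    return oid_from_guid(str(uuid.uuid4()))


if __name__ == "__main__":
    for candidate in ("12345", "1.2.840.113556", new_oid()):
        print(candidate, "valid" if is_valid_oid(candidate) else "INVALID")
```

Run it as a script to see that "12345" is rejected while the GUID-derived value passes; `oid_from_guid` is deterministic, so the same GUID always yields the same OID.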

Similar Messages

  • Question about Kurt's comments discussing the separation of AIA & CDP - Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy - Kurt L Hudson MSFT

    Question about the sentence in bold. What is the meaning behind this comment?
    How would you separate the role of the AIA and CDP from a CA subordinate server? I can see where I add a CES and CEP server which has those as well, but I don't completely understand his comment. Because in this second step (http://technet.microsoft.com/en-us/library/tlg-key-based-renewal.aspx) he shows how to implement CES and CEP.
    This is from the guide located at: http://technet.microsoft.com/library/hh831348.aspx
    Step 3: Configure APP1 to distribute certificates and CRLs
    In the extensions of the root CA, it was stated that the CRL from the root CA would be available via http://www.contoso.com/pki. Currently, there is not a PKI virtual directory on APP1, so one must be created.
    In a production environment, you would typically separate the issuing CA role from the role of hosting the AIA and CDP.
    However, this lab combines both in order to reduce the number of resources needed to complete the lab.
    Thanks,
    James

    My concern is, they have a 2-3k base of XP systems, and over this year they are migrating them to Windows 7. During this time they will also be upgrading hardware for the existing Windows 7 machines. The turnover of certificates is going to be high, which, from what I've read here, worries me.
    http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx
    The application then can go to those locations to download the CRL. There are, however, some potential issues with this scenario. CRLs over time can get rather large depending on the number of certificates issued and revoked. If CRLs grow to a large size, and many clients have to download CRLs, this can have a negative impact on network performance. More importantly, by default Windows clients will timeout after 15 seconds while trying to download a CRL. Additionally, CRLs have information about every currently valid certificate that has been revoked, which is an excessive amount of data given the fact that an application may only need the revocation status for a few certificates. So, aside from downloading the CRL, the application or the OS has to parse the CRL and find a match for the serial number of the certificate that has been revoked.
    With the above limitations, which mostly revolve around scalability, it is clear that there are some drawbacks to using CRLs. Hence, the introduction of Online Certificate Status Protocol (OCSP). OCSP reduces the overhead associated with CRLs. There are server/client components to OCSP: The OCSP responder, which is the server component, and the OCSP Client. The OCSP Responder accepts status requests from OCSP Clients. When the OCSP Responder receives the request from the client it then needs to determine the status of the certificate using the serial number presented by the client. First the OCSP Responder determines if it has any cached responses for the same request. If it does, it can then send that response to the client. If there is no cached response, the OCSP Responder then checks to see if it has the CRL issued by the CA cached locally on the OCSP. If it does, it can check the revocation status locally, and send a response to the client stating whether the certificate is valid or revoked. The response is signed by the OCSP Signing Certificate that is selected during installation. If the OCSP does not have the CRL cached locally, the OCSP Responder can retrieve the CRL from the CDP locations listed in the certificate. The OCSP Responder then can parse the CRL to determine the revocation status, and send the appropriate response to the client.
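The responder flow the quoted blog describes (cached response first, then a locally cached CRL, then a CRL fetched from the CDP, then a signed answer) as an added Python example; this is not code from the thread, the blog, or the Windows Online Responder. The CRLs, serial numbers, CDP URLs and responder key are constructed; an HMAC tag stands in for the signature made with the OCSP signing certificate's key, and the CdpTimeout exception models the CRL download timeout the blog mentions. Beyond the text, the example shows one failure mode worth handling: a failed CDP fetch yields an "unknown" answer that is deliberately not cached, so the next request retries the CDP instead of replaying the failure.

```python
"""Constructed example: the decision flow of an OCSP responder."""
import hashlib
import hmac
import time
from dataclasses import dataclass


class CdpTimeout(Exception):
    """Raised by the CDP fetcher when the CRL download does not complete in time."""


@dataclass
class Crl:
    issuer: str
    revoked_serials: set      # serial numbers listed in the CRL
    next_update: float        # epoch seconds; the CRL is stale after this


@dataclass
class OcspResponse:
    serial: str
    status: str               # "good", "revoked" or "unknown"
    signature: str            # hex tag; stand-in for the real signature


class OcspResponder:
    def __init__(self, signing_key: bytes, fetch_crl, clock=time.time):
        self.signing_key = signing_key
        self.fetch_crl = fetch_crl     # fetch_crl(cdp_url) -> Crl, may raise CdpTimeout
        self.clock = clock
        self.response_cache = {}       # (issuer, serial) -> OcspResponse
        self.crl_cache = {}            # issuer -> Crl

    def _sign(self, serial: str, status: str) -> str:
        # Stand-in for signing with the OCSP signing certificate's private key.
        msg = f"{serial}:{status}".encode()
        return hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()

    def _crl_for(self, issuer: str, cdp_url: str) -> Crl:
        """Return the cached CRL for `issuer`, refetching it when absent or stale."""
        crl = self.crl_cache.get(issuer)
        if crl is None or crl.next_update <= self.clock():
            crl = self.fetch_crl(cdp_url)
            self.crl_cache[issuer] = crl
        return crl

    def check(self, issuer: str, serial: str, cdp_url: str) -> OcspResponse:
        key = (issuer, serial)
        if key in self.response_cache:          # step 1: cached response
            return self.response_cache[key]
        try:
            crl = self._crl_for(issuer, cdp_url)  # step 2/3: cached or fetched CRL
        except CdpTimeout:
            # Step 3 failed: answer "unknown" and do NOT cache it.
            return OcspResponse(serial, "unknown", self._sign(serial, "unknown"))
        status = "revoked" if serial in crl.revoked_serials else "good"
        resp = OcspResponse(serial, status, self._sign(serial, status))
        self.response_cache[key] = resp
        return resp


def verify(resp: OcspResponse, signing_key: bytes) -> bool:
    """Client-side check of the (stand-in) signature on a response."""
    expected = hmac.new(signing_key, f"{resp.serial}:{resp.status}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp.signature)


def demo():
    """Run the flow against constructed CRLs; returns (statuses, cdp_fetch_count)."""
    url = "http://www.contoso.com/pki/IssuingCA.crl"        # constructed CDP
    cdp = {url: Crl("CN=IssuingCA", {"1A2B"}, time.time() + 3600)}
    fetches = {"count": 0}

    def fetch_crl(cdp_url):
        fetches["count"] += 1
        if cdp_url not in cdp:
            raise CdpTimeout(cdp_url)   # unreachable CDP, like a 15 s client timeout
        return cdp[cdp_url]

    responder = OcspResponder(b"constructed-responder-key", fetch_crl)
    statuses = [
        responder.check("CN=IssuingCA", "0001", url).status,   # fetch #1 -> good
        responder.check("CN=IssuingCA", "0001", url).status,   # response cache hit
        responder.check("CN=IssuingCA", "1A2B", url).status,   # CRL cache hit -> revoked
        responder.check("CN=OtherCA", "0002",
                        "http://unreachable.example/pki/Other.crl").status,  # fetch #2 times out
    ]
    return statuses, fetches["count"]


if __name__ == "__main__":
    print(demo())   # (['good', 'good', 'revoked', 'unknown'], 2)
```

Four lookups cost only two CDP fetches because the second request hits the response cache and the third reuses the cached CRL; the timeout case is where a real deployment would also log and alert, since an "unknown" answer means clients fall back to their own CRL download.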

  • OCSP Location Error - Single Tier PKI Hierarchy Deployment

    I am building a Single Tier PKI Hierarchy Deployment following the Step by Step Guide - Single Tier PKI Hierarchy Deployment guide. Everything is showing up "OK" except OCSP Location.
    I tried adding the AIA location as:
    HTTP://<SERVER_NAME>/ocsp
    HTTP://<FQDN>/ocsp
    HTTP://PKI/ocsp
    HTTP://pki.domain/ocsp
    All combinations still show an error. The root CA is green; there is an error on Enterprise PKI.
    On the OCSP Server Provider settings I have HTTP://pki.domain/ocsp and LDAP.
    The CA server has the CA role; the web server has the AD CS Online Responder and Web Enrollment. 2008 R2 domain, all servers are 2008 R2 Enterprise, patched.
    Any help would be greatly appreciated. I have searched quite a bit and have not found anything that worked.

    Hi,
    I suggest you check OCSP Responder Management console to see if it reports OK status.
    If not, you may try to revoke the current CA exchange certificate used by the OCSP responder, delete the existing OCSP connection and re-configure it.
    More information for you:
    Failing OCSP location
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7fdf313b-74e3-4bb2-bfbe-3bc16d14f3bb/failing-ocsp-location?forum=winserversecurity
    OCSP error when verifying with Enterprise PKI MMC (PKIVEW)
    http://blogs.technet.com/b/instan/archive/2011/02/03/ocsp-error-when-verifying-with-enterprise-pki-mmc-pkivew.aspx
    OCSP Location Error PKI
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0466a65a-b118-4758-8c87-0ba25f060df3/ocsp-location-error-pki?forum=winserversecurity
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
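The URL variants the question tried differ in exactly the ways that commonly make PKIView report a location as failing: stray whitespace, a placeholder never replaced, and a single-label host that only domain members can resolve. The Python linter below is an added example, not from the thread or any Microsoft tool, and it only checks the URL string as it would appear in an issued certificate (after any CA variable substitution); the sample URLs are the ones from the question plus constructed ones.

```python
"""Constructed example: lint AIA / CDP / OCSP URLs before putting them in a CA."""
import re
from urllib.parse import urlsplit

# One DNS label: letters/digits, optional inner hyphens, at most 63 characters.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def lint_pki_url(url: str) -> list:
    """Return the problems found in one AIA/CDP/OCSP URL (empty list = clean)."""
    problems = []
    if any(c.isspace() for c in url):
        problems.append("contains whitespace")
        url = "".join(url.split())            # lint the remainder on the de-spaced form
    try:
        parts = urlsplit(url)
    except ValueError:
        return problems + ["unparseable URL"]

    scheme = parts.scheme.lower()             # scheme names are case-insensitive
    if scheme not in ("http", "ldap"):
        problems.append(f"unexpected scheme {parts.scheme!r} (expected http or ldap)")
        return problems

    if scheme == "http":
        host = parts.hostname or ""
        if not host:
            problems.append("missing host")
        elif "<" in host or ">" in host:
            # Angle-bracket tokens are treated as unexpanded placeholders here.
            problems.append("placeholder host not replaced")
        else:
            labels = host.split(".")
            if any(not HOSTNAME_LABEL.match(label) for label in labels):
                problems.append("host is not a valid DNS name")
            elif len(labels) == 1:
                problems.append("single-label host; clients outside the domain "
                                "cannot resolve it, use an FQDN")
        if parts.path in ("", "/"):
            problems.append("empty path")
    return problems


def lint_many(urls) -> dict:
    """Map each URL to its problem list."""
    return {u: lint_pki_url(u) for u in urls}


if __name__ == "__main__":
    # The variants from the question, plus a clean constructed one.
    for u, probs in lint_many([
        "HTTP://<SERVER_NAME>/ocsp",
        "HTTP://PKI/ocsp",
        "HTTP:// pki. domain/ ocsp",
        "http://pki.corp.contoso.com/ocsp",
    ]).items():
        print(f"{u!r}: {probs or 'OK'}")
```

Even a URL that passes the linter can still fail in PKIView if the path is not actually served by the Online Responder, so treat a clean result as "syntax is fine" and then check reachability from a non-domain client.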

  • TEST LAB Guide: Demonstrating Certificate Key-based Renewal from Kurt Hudson updated 24 June 2013

    Hi all,
    We have been working for a full week building and rebuilding this test lab on different platforms and we have encountered a lot of different errors. (3 platforms are running.)
    One of our test labs went nearly up to the last point but we have been unable to get rid of the error "access denied by the remote end point" when we test the certificate web enrolment. This error seems well known, but not the solution or the reason why.
    On two other similar test labs we had "certificate invalid" errors while requesting the certificate from the Internet server, while it was the same as the one which was working above! This was strange as we used the clone of the certificate working on the previous lab.
    The third error was below.....
    We are sure that some of you have been able to get rid of these kinds of errors so as to have a final lab running properly, to be able to build a POC on the client's premises.
    Kind regards
    Gerard Dumazet
    [email protected]
    gd

    Hi all
    We have rebuilt a fourth TLG without using PowerShell and with only the GUI. Everything is working now.....
    If anyone has an idea why, he will be welcome! It's not encouraging for using the scripts!
    Gerard Dumazet
    gd

  • SCCM 2012 Test Lab Setup Questions...

    Hi all,
    I'm trying to set up a SCCM test lab with VMs so I can test deployment of our software package (.msi).  I downloaded the System Center 2012: Configuration Manager Test Lab Guide, which appears to consist of the following required machine setups...
    -One server running System Center 2012 Configuration Manager named CM1. CM1 uses the Windows Server 2008 R2 SP1 Enterprise Edition operating system.
    -One pre-existing server running SQL Server 2008 R2 Enterprise named APP1. APP1 uses the Windows Server 2008 R2 SP1 Enterprise Edition operating system.
    -One pre-existing client running on Windows 7 Ultimate Edition named CLIENT1.
    From this document, the first step is to Complete the Base Configuration.  When I download that document, it lists the following needed systems...
    One computer running Windows Server 2008 R2 Enterprise Edition named DC1 that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
    One intranet member server running Windows Server 2008 R2 Enterprise Edition named APP1 that is configured as a general application and web server with secure sockets layer (SSL) support. APP1 also hosts the certificate revocation list (CRL) for the enterprise root CA installed on DC1.
    One roaming member client computer running Windows 7 Enterprise or Ultimate named CLIENT1.
    One intranet member server running Windows Server 2008 R2 Enterprise Edition named EDGE1 that is configured as an Internet edge server.
    One standalone server running Windows Server 2008 R2 Enterprise Edition named INET1 that is configured as an Internet DNS server, web server, and DHCP server.
    The Base Configuration test lab consists of two subnets that simulate the following:
    The Internet, referred to as the Internet subnet (131.107.0.0/24).
    An intranet, referred to as the Corpnet subnet (10.0.0.0/24), separated from the Internet subnet by EDGE1.
    My question(s)...  How many separate VMs are required to set up the test lab, 7?  Or are APP1 & CLIENT1 the same system for both setup guides, which I guess would bring the total of needed systems/vms to 5?
    Can any of the images serve a dual purpose to lessen the number needed even further?
    Any information would be greatly appreciated!
    THANKS IN ADVANCE!!

    There's no correct answer here as ConfigMgr itself can run on a single server or its roles can be spread out to many different servers. Ultimately, in a pure lab, there is rarely a reason to use more than a single server unless you are trying to simulate a production deployment where the roles have been separated.
    This single server doesn't include a DC though (as the ConfigMgr site server must be a member of an AD domain) or a client to manage, so that brings the total up to 3. You technically could put the ConfigMgr site server on the DC; however, that is rarely done in production and causes a few unique configuration issues. You could also treat the DC as your managed client, but that's typically not a great use case for testing client management.
    I have no idea what lab guide you are following, but remember the lab guide is set up to walk you through many different scenarios -- some of which you may not care about. ConfigMgr is a huge and complex application that can be installed in many, many different configurations based upon the goals of the installation and the organization it supports, so it ultimately depends upon exactly what you are after. I'd suggest doing some additional supplemental reading like TechNet and/or one of the published books available instead of just blindly following the lab guide. That's not to say the lab guide doesn't have value, but if you want to follow it, then you need to follow it.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Where To Download Base Configuration ISO(s) For Test Labs?

    Hi.
    Is there somewhere that I can download an ISO for the base configuration for the Test Labs outlined here:
    http://social.technet.microsoft.com/wiki/contents/articles/1262.test-lab-guides.aspx#Base_Configuration_TLG
    Or is it presumed that the reader of the Test Lab Guides will configure each machine themselves?  If so, why is this not communicated clearly in the Test Lab guides?

    Hi,
    Test Lab Guides are there to let you use less to learn a new technology, product or an entire multi-tier solution; a TLG provides you with step-by-step instructions to create the Base Configuration test lab. You could build test labs based on other TLGs from Microsoft published in the TechNet Wiki, perform TLG extensions, or create a test lab of your own design that can include Microsoft or non-Microsoft products.
    For more frequently asked questions about Microsoft TLG:
    http://social.technet.microsoft.com/wiki/contents/articles/2477.test-lab-guides-faq.aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • DSL test lab w/ WIC-1ADSL

    Hi folks,
    I regularly configure Cisco 800-series routers for field deployment, and I'd love to be able to run through some simulations on the 8x7 ADSL series (837 and 877) in my test lab. I also have a few WIC-1ADSL modules for my 2600/2800 routers.
    I know that you can do back-to-back configurations with GHDSL wics, but it doesn't seem to be possible with the internal ADSL modems on the 800's and/or the WIC-1ADSL's.
    Can someone please point me in the right direction? I'm looking for the easiest & cheapest way to connect two 8x7's to each other via the ADSL (RJ-11) port, and/or to a WIC-1ADSL.
    I'm not necessarily interested in recreating/simulating an entire service-provider infrastructure (yet ;-), my initial goal is just straight connectivity. I'm /not/ familiar with ATM switch or DSLAM specs or configuration, but I'm willing to learn, however I can't spend days and days bringing myself up to speed. Again, getting the connectivity between the CPE devices is primary; the guts of DSL and any required jury-rigging are secondary.
    Thanks!

    The Cisco 850 series and Cisco 870 series routers support the dial backup function, which allows a user to connect an analog modem to the console port as a backup link to the WAN port in case the ADSL service goes down. Refer to the URL http://cisco.com/en/US/products/hw/routers/ps380/products_installation_guide_chapter09186a0080471067.html#wp1055766

  • Equipment for building test lab

    Hello all,
    I'm looking for a little input on the two options I'm weighing for building my virtual test lab. If at all possible, I would rather not have my daily PC running my virtual lab, but I leave that option open. I'm thinking of purchasing a Dell PowerEdge 2950 II (from eBay), installing Windows Server 2008 R2, and installing VM VirtualBox so that I can set up an Active Directory environment to prepare me for the MCITP exams. This option would allow me to conserve the resources of my daily PC. If I were to use my daily PC (i7 quad, 3GB RAM, 80GB SSD, and 1TB storage with only 200GB of free space) I would more than likely have to increase RAM and buy another HDD to store the VMs. How much more trouble would it be to go the PowerEdge 2950 II route?
    Thanks.

    Hi,
    We recommend that you review the Windows Catalog to identify servers that are qualified for use with Hyper-V. You can identify systems that support the x64 architecture and Hyper-V by searching the Windows Server catalog. Personal advice is you'd better buy the 2950 III; it's the newer product.
    More information:
    Requirements and Limits for Virtual Machines and Hyper-V in Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ee405267(WS.10).aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • UCCX 8.0 in test Lab

    Hello Folks,
    I'm going to install UCCX 8.0 in a test lab and I'm wondering what hardware others are using?
    I'm presuming that it needs ESXi 4.0? Do you have to use the full production specification of 2 x vCPU and 4GB RAM? Or can you cut down the resources like you can for Call Manager in VMware?
    All advice gratefully received!
    LH

    Hello fella,
    Things are going pretty well at the moment.  How about yourself?
    I've not seen Daz for a little while now.  He's still over at Azzuri though!
    I've had a shot at installing UCCX into VMware Server 1.x and ESXi 3.5, but it keeps spitting out "The hardware you are using is not supported for this product".  I've had a shot at opening the ISO to have a look at what version of VMware it's expecting, but all of the HWXXXX files in \Cisco\vendor seem to be blank and just show "NULL" or blank when I open them.  Maybe that's why my hardware isn't supported if the file is knackered!
    Did you do anything special and do you know if those files are ok on your copy of UCCX?
    Hope you're not working too hard ;-)
    LH

  • Problem in test lab

    Hi everyone,
    Let me describe what I am faced with.
    I set out to create CCR Exchange 2007 in my test lab, and found that if I try to install these Exchange roles:
    cas1 - CAS/Hub
    mbx1, mbx2 - CCR MBXes
    I get a non-working configuration.
    Test users cannot send an email to themselves, and inbound emails get stuck in the queue "CAS1\Unreachable\XXX".
    But if I install all roles on cas1 and then create the cluster and migrate (or recreate) the mailboxes, all works fine.
    Unfortunately I cannot solve that issue myself; I understand that the problem may be in the "routing group" or similar, but please show me the right way if you know it. Thanks!

    Hi
    Are you running Exchange 2007 with 2003 or 2010?
    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    I am sorry, yes, I use the 2007 SP3 version.

  • Is it possible to Publish Exchange 2010 behind TMG in Test Lab

    Hi
    I have three servers: Domain, Exchange 2010, and TMG 2010 installed. All of these servers are installed on virtual machines.
    This is a test lab. I am trying to publish OWA behind the TMG internally. Is it possible? If yes, how?
    I installed 2 NICs on the TMG.

    Yes.
    See http://www.microsoft.com/en-us/download/details.aspx?id=8946 for instructions.
    Hth, Anders Janson Enfo Zipper

  • HT4623 iPad camera stopped working while Skyping

    Hi.. I recently bought an iPad and I absolutely love it. I have been Skyping w/my family during this deployment for the past two weeks until yesterday. The camera on my side just stopped working. I am able to see my family. Any help?

    Try closing the Camera/Skype app:
    1. Double-click the Home button to reveal the Task Bar
    2. Hold down the Camera/Skype app for a second or two until you see the minus sign
    3. Tap the minus sign to close app
    4. Tap area above Task Bar to return to Home screen
    If the above doesn't solve the problem, do a reset:
    Hold the Sleep and Home buttons down for about 10 seconds until you see the Apple logo. Ignore the red slider.

  • Customizing email subject line in Test Lab

    Hi All,
    First question:
    I am wondering, for system site administration access do we need an advanced license, or will an enterprise dedicated license also provide us access to use the system site?
    Second question:
    While sending an email from Test Lab using the email icon, it is showing a default subject line; can we customize this default subject? Also, how can we customize the format of the email?
    Thanks,
    PS

    Hello, and Welcome to the HP Support Community!
    I have absolutely no idea what you are asking about, or which HP device you have...
    How to Ask the Very Best Question and Get Results.
    WyreNut
    I am a Volunteer here, not employed by HP.
    You too can become an HP Expert! Details HERE!
    If my post has helped you, click the Kudos Thumbs up!
    If it solved your issue, Click the "Accept as Solution" button so others can benefit from the question you asked!

  • After successful execution from test lab,status is showing as not completed

    We need your help in resolving an ALM issue.
    After successful execution from Test Lab, the Automatic Runner popup shows the test execution status as "Passed", but after closing the Automatic Runner popup window the Test Lab execution status is not updated and it shows as "not completed". Can you please look into this issue and provide the resolution...
    We would appreciate your valuable support.
    Before closing the Automatic Runner popup, Runner popup status: [screenshot]
    After closing the Automatic Runner popup window, Test Lab execution status: [screenshot]

    The issue was related to Note 959209

  • VMware test lab tasks?

    Hey everybody, I'm new to virtualization and my boss got me set up on a test lab. He had me install it and then install Ubuntu. He's been pretty busy so getting new tasks has been tough. I'm sure I've seen some posts about this but can't find them. Looking for some ideas to get me started on learning this system and virtualization. I'm running VMware ESXi 5.5. If you know of another thread just point in the right direction, otherwise shoot me some ideas. Thanks in advance.
    This topic first appeared in the Spiceworks Community

    http://www.virtualizationadmin.com is a good place to start. The site has a lot of great information on your virtualization needs. It even has step by step instructions on how to set up your first virtual machine. Check out the link below for info on VMware ESXi 5.5 with Ubuntu: http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-and-vsphere-articles/installation-a...
