Netwrix Active Directory Change Reporter

May 7, 2013Krishna - MVPExchange 2007, Exchange 2010, Exchange 2013Leave a comment

Technorati Tags: Netwrix,Active Directory,Exchange,GPO,Report,Change auditing,Security auditing,Directory auditing,Systems Management,Compliance auditing,Configuration auditing

Auditing is one of the most complex activities of the Windows Active Directory. Monitoring the changes and reporting immediately makes it very challenging for administrators. I would say that Netwrix Active Directory Change Reporter is one of the best tools available in the market with comprehensive collection of features to audit changes in Active Directory and report on them. It has a very robust way of checking, if any modification/change was done to Active Directory objects. It uses both Active Directory event logs and also takes the Active Directory snapshot to compare the data and get a consolidated report on who made the changes, what was changed, when and where exactly. These changes are logged into a local database and are stored in the SQL server for reporting purposes. It is a unified solution for a complete Active Directory auditing, reporting and monitoring.

The Latest version of Netwrix Active Directory Change Reporter is 7.2.721 and it is available in two flavors, Freeware and the fully loaded Enterprise Edition. Free version has limited functionality features and can be used for an unlimited time period. Enterprise version has lots of auditing and reporting options which will make the life of an Active Directory administrator easier and allow him to get necessary data right in the finger tips. It can be evaluated free of charge for 20 days.

Netwrix Active Directory Change Reporter tool supports Active Directory starting from Windows 2000, Windows 2003, Windows 2008 and even the latest Windows 2012 Active Directory environment.

Requirements:

It has other basic technical requirements to function.

1. Intel or AMD Processor with Minimum of 2 GHz for 32 bit processor or 3 GHz for 64 bit processor is recommended

2. Memory 2 GB and above

3. Minimum of 50 GB disk for installation and an addition space for user, event and other necessary logs.

4. Active Directory permission to query an Active Directory

5. SQL server – SQL server 2005 Express Edition or above with an advanced service of SQL server, SQL server reporting tool and permission to generate reports.

6. Group policy management console to audit Active Directory Group Policy.

Required details of the tool can be found below link.

http://www.Netwrix.com/download/QuickStart/Active_Directory_Change_Reporter_Quick_Start.pdf

Native Active Directory tools do not provide a great flexibility to audit Active Directory changes and to report immediately. Raw data generated by the Windows native tools are always difficult to understand, analyze and it is an extremely time consuming process to analyze tons of logs. Most the times it is too late to analyze the logs as they would be overwritten. Netwrix solution for Active Directory Auditing overcomes these problems by saving the data in the SQL server.

There are also agents available for installing on the domain controller and these agents are optional. It helps to compress the data across the network and it is necessary if a change reporting tool is collecting data over the slow network but it should not make much of a difference if you are on a high speed network. Definitely it would be recommended to have agents installed in order to make the best utilization of all available networks.

Netwrix Active Directory Change Reporter also has some supporting tools like Group Policy Change reporter and Exchange Change Reporter. These two go very well with the Active Directory Change Reporter. Group Policy changes are critical and must be executed very carefully. Any mistake in Group Policy changes can have a big impact and not everyone in the organization has permission to modify the Group Policy. Netwrix Group Policy Change Reporter comes in handy to get complete details of the GPO with the details like who made the change, when was it made and also has details about “before and after” values more modified settings.

Exchange Change Reporter is another additional great component. Exchange is one of the business critical application and any downtime will have a major impact on an organization. Exchange Change Reporter keeps track of any addition, deletion, modification of the exchange attributes and generates reports on the changes. It also provides details about “before and after” values. The tool supports the earlier version of an exchange like the Exchange 2003, 2007 and 2010. The latest version of the Exchange Change Reporter supports Microsoft Exchange Server 2013 environment, which is one of the latest promising product of Microsoft.

Let’s understand some of the features of Netwrix Active Directory Change Reporter and what it can do for us.

It provides in-depth change details about every Active Directory object, its attributes and also includes security changes. Changes can be addition, deletion or modification of Active Directory objects and It includes complete details like, who made the changed, what was changed and where.

It provides a real time reporting where an administrator or the security team can be notified with an email or SMS immediately after the change is detected. It also integrates with Microsoft SCOM using SCOM Management pack which captures Active Directory data and feeds into the SCOM for reporting and alerting. It also provides flexibility to integrate with other third party reporting tools available in your organization.

All reporting information is stored in SQL Server, where an administrator can manually query, generate custom and automated reports. Reporting is one of the key features and it can generate some predefined reports for the purpose of compliance regulations like SOX, HIPAA, GLBA, and FISMA. As these regulations require storing the data for later review the tool provides the long-term storage option. These long-term storages can be also at different servers other than the SQL server. By default, the long-term audit archiving is done for 24 months and these settings can be changed, if required. It can also generate daily reports with all the change details performed during the previous day. The product provides an administrator with a console view and gives a great flexibility to query and generate reports with ease.

Any kinds of accidental changes have to be rolled back immediately and this tool provides option to roll back all accidental or unwanted changes using roll back wizard. Performing this kind of roll back/restore operation using native windows tool is cumbersome and has many limitations. This tool performs a smooth, quick and an easy roll back from all kinds of accidental or unwanted changes. This overcomes any downtime, security risk or ill effects caused due to accidental changes.

It can be easily installed on any workstation with latest Windows OS like Windows 8 or on a server OS like windows 2012. It just has to be setup once and it runs forever. It can query and manage multiple domains from a single installed machine and can even manage multiple domains with its own unique settings. This gives lot of flexibility to manage and modify the settings based on the business requirement.

It provides an easy option to query and generate default and custom reports from the management console. It has got all necessary filters like timelines (from-date and to-date), types/kind of changes, where the changes were made and it also provides an option to specify an individual domain and individual forest. It has a great flexibility, which helps to get any data from any domain and any forest within no time. Finally, once you have all the data in the report then it can be easily exported into CSV, Excel, PDF, Word or even a Tiff format.

Reports come in an easy understandable format with color coding. Actions like adding, removing, modifying all highlighted with different colors. Most importantly, it gives clear information on who made these changes, when they were made and what was done. With this you can find all the necessary data/reports from one location and you really don’t have to depend on multiple logs or have in-depth knowledge to analyses and understand the logs from different locations.

Active Directory snapshot is one of the best features of this tool. It takes Active Directory snapshot at multiple points and keeps it in the database. It helps to look back at a specific AD object and what settings were in the past. These details can be viewed through reporting custom queries and these come under an advance reporting tool that requires some configuration before using it.

Real-time altering is one of the key components for any reporting tool to notify on any critical changes. By default Netwrix Active Directory Change Reporter provides the real-time alerts option for the below mentioned groups and you can also add more users or groups, if necessary.
· Changes to Admin Group
· Changes to Domain Configuration
· Changes to any Active Directory Object

These real-time alerts can be sent via email or a text message right to the mobile device.

Netwrix Active Directory Change Reporter is very easy to install and configure. It needs some necessary configurations to function as required and these configurations can be made easily using wizards. Supported by other tools like Group Policy Change Reporter and Exchange Change Reporter it provides a great management option for IT administrators and security team. It will save a lot of time and energy of the administrator helping to avoid writing custom scripts or manual/LDAP queries to get the data for auditing or management purposes.

With this, I would like to finish my article saying that “Netwrix Active Directory Change Reporter is a great tool which is helpful for IT administrators and security teams”.

Use this link download Netwrix Active Directory Change Reporter: http://www.netwrix.com/active_directory_change_reporting_freeware.html

Gal Sync between exchange 2003 and Exchange 2007 – Part 2

April 17, 2013Krishna - MVPExchange 2007Leave a comment

This article is continuation of part 1 to configure Gal Sync between Exchange 2003 and Exchange 2007. Please refer this link before coming to part 2

3. Creating and Configure IIFP Management Agents

3.1. Creating and Configuring Red.com – GAL MA
1. Login to IIFP Server, open Identity Manager.
2. From the Tools menu, click Management Agents.
3. From the Actions menu, click Create.
4. In Management Agent Designer, in Management agent for, click Active Directory global address list (GAL) (from the pull down).
5. In Name, type “Red GAL MA” and click Next.
6. On the “Connect to an Active Directory forest” page, type the values for
7. Forest name = Red.com
8. User name = redgalsync
9. Password = xxxxx
10. Domain = Red.com
11. Click on options and clear the Sign and encrypt LDAP traffic check box and click Next
12. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed
13. Clear the Sign and encrypt LDAP traffic check box and select Containers
14. Clear the check box next to the directory partition to clear all organizational units under the directory partition
15. Select “Blue” and all other OU where users and DL accounts are based.
16. Click OK to and click Next
17. On the “Configure GAL” page click on Target container and select the “Contacts” OU which is under Blue OU and click on OK
18. Click on “Source” and select all the OUs where user’s mailbox and DLs are based and click on OK
19. Click on Edit under Exchange Configuration and add DNS suffix @blue.com and click on OK and click Next to continue
20. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken and Click Next.
21. On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken and Click Next.
22. On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken and Click Next.
23. On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken and Next
24. In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken and click Next
25. On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected and click on Next
On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified and click on Finish
3.2. Creating and Configuring Blue.com – GAL MA
1. Login to IIFP Server, open Identity Manager.
2. From the Tools menu, click Management Agents.
3. From the Actions menu, click Create.
4. In Management Agent Designer, in Management agent for, click Active Directory global address list (GAL) (from the pull down).
5. In Name, type “Blue GAL MA” and click Next.
6. On the “Connect to an Active Directory forest” page, type the values for
7. Forest name = Blue.com
8. User name = bluegalsync
9. Password = xxxxx
10. Domain = blue.com
11. Click on options and clear the Sign and encrypt LDAP traffic check box and click Next
12. On the Configure Directory Partitions page, in Select directory partitions, select the only partition listed
13. Clear the Sign and encrypt LDAP traffic check box and select Containers
14. Clear the check box next to the directory partition to clear all organizational units under the directory partition
15. Select “Red” and all other OU where users and DL accounts are based.
16. Click OK to and click Next
17. On the “Configure GAL” page click on Target container and select “Contacts” OU which is under RED OU and click on OK
18. Click on “Source” and select all the OUs where red.com user’s mailbox and DLs are based and click on OK
19. Click on Edit under Exchange Configuration and add DNS suffix @red.com and click on OK and click Next to continue
20. On the Select Object Types page, verify that the object types required for GAL synchronization are selected. Default settings are taken and Click Next.
21. On the Select Attributes page, verify that the attributes required for GAL synchronization are selected. Default settings are taken and Click Next.
22. On the Configure Connector Filter page, verify that the connector filters required for GAL synchronization are specified. Default settings are taken and Click Next.
23. On the Configure Join and Projection Rules page, verify that the four join and projection rules for GAL synchronization are specified. Default settings are taken and Next
24. In Configure Attribute Flow, verify that the five attribute flow mappings for GAL synchronization are specified. Default settings are taken and click Next
25. On the Configure Deprovisioning page, in Deprovisioning Options, verify that the Determine with a rules extension option is selected and click on Next
On the Configure Extensions page, in Assembly name, verify that the GALSync.dll file is specified and click on Finish

4. Enable Provisioning

1. Open Identity Manager

2. From the Tools menu, click Options.

3. Under Metaverse Rules Extensions, ensure that the Enable metaverse rules extensions check box is selected.

4. In the box located next to Rules extension name, ensure GALSync.dll is present.

5. Select the check box next to Enable Provisioning Rules Extensions to enable provisioning rules extension to be used with the GAL synchronization management agent.

6. Click OK.

Hope you like the article 🙂

Technorati Tags: GAl sync,IIPF,Exchange 2007,exchange 2003

Gal Sync between exchange 2003 and Exchange 2007 – Part 1

April 17, 2013Krishna - MVPExchange 2003, Exchange 2007Leave a comment

This document is to provide step by step instruction to GAL Sync between Red.com (Exchange 2003) and Blue.com (Exchange 2007 ) organization using IIFP SP2

This document is majorly divided into 4 parts

1. Installing and configuration IIFP

2. Preparing and configuring Active Directory on both Red.com and Blue.com

3. Creating and configuration MA Agents to create mail enabled contacts in both Active directory forest

4. Executing and scheduling MA profiles

Lets talk each of the parts in detail

1. Installing and Configuration IIFP

Follow these steps in order to build and setup IIFP on a Windows Server on any of the domain, either red.com or blue.com

1. Install Windows 2003 R2 enterprise edition and configure server as per best practice

2. Join the server to the domain

3. Install IIS, ASP.net 2.0

4. Install Microsoft SQL Server 2005 with SP1

5. Install Identity Integration Feature Pack SP2

6. Run Microsoft Updates to bring system up to latest patch levels.

2. Creating and Configuring Blue.com – GAL MA

2.1 Configuring Red.com Active Director
1. Login to Red.com domain controller
2. From Start, click Administrative Tools; click Active Directory Users and Computers.
3. Select View from the top drop down menu and select Advanced Features.
4. Create new user “RedGalsync” with password and ensure that password is set not to expire and not to change the password for next logon
5. Select RED.COM and right-click, select Delegate Control
6. On the Welcome to the Delegation of Control Wizard page click Next.
7. On the Users or Groups page click Add.
8. On the Select Users, Computers, or Groups dialog box type “RedGalsync” and click OK.
9. On the Users or Groups page click Next.
10. On the Tasks to Delegate page select create a custom task to delegate, and click Next.
11. On the Active Directory Object Type page except the defaults and click Next.
12. On the Permissions page select General, Property-specific, and Creation/deletion of specific child objects, under permissions select Replicate Directory Changes and Replication Synchronization, and click Next.
13. On the Completing to the Delegation of Control Wizard page click Finish.
14. Create new OU with the name “Blue” under root and create sub OU “Contacts”
15. Right-click the Contacts OU and select Properties.
16. On the Contacts Properties dialog box click Security.
17. On the Contacts Properties dialog box click Add.
18. On the Select Users, Computers, or Groups dialog box type “REDGalsync” and click OK.
19. On the Contacts Properties dialog box select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure to Apply to this child and all objects.
20. Open ADSIEdit and navigate to the container “Blue”
21. Right-click on OU “Contacts” and select Properties.
22. Click on the Security tab, and click Advanced.
23. Choose to Add an ACE.
24. Specify REDGalsync to apply the permissions to. This will display the permissions dialog.
25. Click on Properties.
26. Drop down the Apply Onto dropdown box and select Child Objects Only.
27. Scroll down and mark Write proxyAddresses – Allow.
28. Choose to save the properties. This permission will be applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected. This is located in the user’s Advanced Security property sheet. Any user that does not have this selected will not have the permissions granted to it

2.2 Configuring Blue.com Active Director
1. Login to Blue.com domain controller
2. From Start, click Administrative Tools; click Active Directory Users and Computers.
3. Select View from the top drop down menu and select Advanced Features.
4. Create new user “BlueGalsync” with password and ensure that password is set not to expire and not to change the password for next logon
5. Select Blue.com and right-click, select Delegate Control
6. On the Welcome to the Delegation of Control Wizard page click Next.
7. On the Users or Groups page click Add.
8. On the Select Users, Computers, or Groups dialog box type “BlueGalsync” and click OK.
9. On the Users or Groups page click Next.
10. On the Tasks to Delegate page select create a custom task to delegate, and click Next.
11. On the Active Directory Object Type page except the defaults and click Next.
12. On the Permissions page select General, Property-specific, and Creation/deletion of specific child objects, under permissions select Replicate Directory Changes and Replication Synchronization, and click Next.
13. On the Completing to the Delegation of Control Wizard page click Finish.
14. Create new OU with the name “Red” under root and create sub OU “Contacts”
15. Right-click the Contacts OU and select Properties.
16. On the Contacts Properties dialog box click Security.
17. On the Contacts Properties dialog box click Add.
18. On the Select Users, Computers, or Groups dialog box type BlueGalsync and click OK.
19. On the Contacts Properties dialog box select Read, Write, Create All Child Objects, and Delete All Child Objects, and then click OK. Make sure to Apply to this child and all objects.
20. Open ADSIEdit and navigate to the container name “Red”
21. Right-click on OU “Contacts” and select Properties.
22. Click on the Security tab, and click Advanced.
23. Choose to Add an ACE.
24. Specify BlueGalsync to apply the permissions to. This will display the permissions dialog.
25. Click on Properties.
26. Drop down the Apply Onto dropdown box and select Child Objects Only.
27. Scroll down and mark Write proxyAddresses – Allow.
28. Choose to save the properties. This permission will be applied to every child object whose Allow inheritable permissions from the parent to propagate to this object and all child objects option is selected. This is located in the user’s Advanced Security property sheet. Any user that does not have this selected will not have the permissions granted to it

Exchange Autodiscover in a multi- forest environment

April 7, 2013Krishna - MVPExchange 2007, Exchange 2010, Exchange 2013Leave a comment

Most of the organization have Exchange multi-forest environment. Organization could be in multi forest environment because of the merger and acquisition or it could be because of security reason. Auto discover is the new feature introduced in Exchange 2007 and its been carried forward in all the subsequent version of exchange like Exchange 2010 and Exchange 2013.

Below link should give you good understanding on the information about

Exchange Autodiscover in a multi-forest environment 1

Exchange Autodiscover in a multi-forest environment 2

Hope you got some good understanding on Autodiscover in Exchange 🙂

Technorati Tags: autodiscover,multi forest,cross forest,scp,ldap

Exchange Jetstress – Determine maximum disk subsystem throughput

April 7, 2013Krishna - MVPExchange 2007, Exchange 2010, Exchange 2013Leave a comment

JetStress is a tool for Architects and administrator to test the storage if it can suites your requirement. Through understanding of the Jetstress is important. Proper desiging and right testing with Jetstress make your design a robust solution.

Link: Determine throughput of disk subsystem using Jetstress

Technorati Tags: Jetstress,throughput,disk,jbod,design,storage

How Outlook uses RPC and AB static ports to connect to Exchange

April 7, 2013Krishna - MVPExchange 2007, Exchange 2010Leave a comment

Technorati Tags: Exchange 2010,Outlook,RPC,AB,Static port,connection

Every one uses outlook and do you how outlook connect to the exchange server and how it access the emails from the server ?

Here is one of the article to give you a better understanding on same.

Link : How outlook connects to Exchange server

Hope you like this article 🙂

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 3

March 24, 2013Krishna - MVPWindows 2008, Windows 2008 R2Leave a comment

This is the last and final part with back-out procedure of step by step instruction for subordinate CA migration from windows server 2003 to windows server 2008 R2

1. Back-Out Procedure

In case of migration failure i.e. if the Certificate authority service fails to stop, auto enrollment failure or error/issue in any of the verifying migration steps. Then the back-out procedure has to be executed to restore the CA service on the source server.

a. Removing CA Role from Destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

On the Roles pane click, Remove Roles

If the Before you begin page appears click Next

On the Remove Server Roles, Uncheck ACTIVE Directory Certificate Services and click Next

Click Remove on the Confirm Removal Selection and restart the server once completes

Remove Destination server from domain

Rename the Destination server

b. Adding CA Role on Source Server

Rename the source server to the initial name

Add the source server to domain

Launch Add or Remove programs and select add/remove windows components and select Certificate Service and click, Next

Select Enterprise Subordinate CA as CA Type and select “Use custom settings to generate the key pair and CA Certificate”

On the Public and Private Key Pair click Import and select the backed up file .p12 and enter the password and click next

Click Next to proceed with the CA configuration and close

c. Restoring CA DB on source server

Launch Certificate Authority snap in

Select CA node and click on Actions, All Task and Restore CA

On the Items to Restore select Private key and CA Certificate and Certificate Database and Certificate Database Log

Browse the CA DB Location and Click Next

Enter the password set while backing up the CA

d. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.

Hope this article was informative and helpful to you . This is based on test with real time scenario.

Below are the links of other part of the article

Part 1 – Preparing Source CA and Target server
Part 2 – Restoring the Source from backups and Verifying the migration

Please comment if you like this article 🙂

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 2

March 23, 2013Krishna - MVPWindows 2003, Windows 2008, Windows 2008 R2Leave a comment

Here is the next part of the article with the step by step Instruction for Subroutine CA Migration from Windows Server 2003 to Windows Server 2008 R2. In this 2nd part we talk about restoring the source CA from backups on the new Windows Server 2008 R2 and Verifying the migration

1. Restore Source CA Server from backup

a. Restore CA DB

Log on to the destination server by using an account that is a CA administrator.

Start the Certification Authority snap-in.

Right-click the node with the CA name, point to All Tasks, and then click Restore CA.

On the Welcome page, click Next.

On the Items to Restore page, select Certificate database and certificate database log.

Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).

Click Next and then click Finish.

b. Restore CA Registry

Create a backup of the current Registry setting

Open the exported registry file from source servers in notepad and verify the registry values

Open a Command Prompt window.

Type reg import <Registry Settings Backup.reg> and press ENTER.

Type net start certsvc and press ENTER.

c. Restore Certificate template list

Open a command prompt window.

Type certutil -setcatemplates +<templatelist1>,<templatelist2>.. and press ENTER.

2. Verifying migration

a. Verify ACL’s on the AIA and CDP Containers

Logging to DC and open Active Directory Sites in Services

On the Console click on Top Node

Click View and Show Services node you will find Services folder on the Left and expand to reach Public key Services

Expand Public Key Services

Click AIA folder and in the details pane, select the name of the source CA.

On the Action menu, click Properties.

Click the Security tab, and then click Add.

Click Object Types, click Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and click OK.

If Account unknown with security identifier exist then select it and remove the object.

In the left pane, select CDP and the host name of the source CA.

In the details pane, select the first CRL object.

On the Action menu, click Properties, and then click the Security tab.

In the list of permitted group or user names, select the name of the source CA, click Remove, and then click Add.

Click Object Types, select Computers, and then click OK.

Type the host name of the target CA, and click OK.

In the Allow column, select Full Control, and then click OK.

If Account unknown with security identifier exist then select it and remove the object.

b. Verify Registry

Verify that CAServerName is a registry string value located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CAName\ registry key. It should be updated to represent the DNS or the host of the new CA host.

Verify that CACertPublicationURLs and CRLPublicationURLs are both registry multi-string values located under the same key as CAServerName.

c. Verify Auto Enrollment

Log on to a domain member computer by using an account that has Autoenroll, Enroll, and Read permissions for the certificate templates that are assigned to the destination CA.

Click Start, and then click Run.

Type certmgr.msc, and then click OK to open the Certificates snap-in.

In the console tree, right-click Certificates – Current User, click All Tasks, and then click Automatically Enroll and Retrieve Certificates to start the Certificate Enrollment wizard.

On the Before You Begin page, click Next.

On the Request Certificates page, a list of one or more certificate templates should be displayed. Select the check box next to each certificate template that you want to request, and then click Enroll.

Click Finish to complete the enrollment process.

In the console tree, double-click Personal, and then click Certificates to display a list of installed user certificates and to verify that the certificate that you requested is displayed.

Hope you liked this article and got some good understanding of migration process of CA server windows server 2003 to windows server 2008. Please continue with the last part with the backup process. You should know this part to revert back if necessary.

Below are the links for the other parts

Part 1 – Preparing source and target CA server for migration.

Part 3 – Blackout procedure.

Step by step Instructions for Subordinate CA Migration from Windows Server 2003 to Windows Server 2008 R2 – Part 1

March 23, 2013Krishna - MVPExchange 2007, Windows 2008, Windows 2008 R21 Comment

Below are the step by step comprehensive Instructions for subroutine CA migration from Windows Server 2003 to Windows Server 2008 R2.
This article is published in three parts and in this part we will discuss more in details on about preparing of source and destination server for the migration

1. Preparing Source Server

Map network share in source server to copy backup files

Perform/Verify System state backup of Source CA

a. Verify and backup CA Template set

Open Command prompt

Type certutil.exe – catemplates > catemplates.txt

Verify the contents of catemplates.txt with the templates displayed in Certificate Authority snap-in

b. Verify and backup CA’s CSP and signature algorithm

Open Command prompt

Type certutil.exe –getreg ca\csp\* > csp.txt

Verify that the csp.txt contains CSP detaill

c. Publish CRL with extended validity period

Open Certificate Authority snap in

In the console tree right click “Revoked Certificates” and click Properties

Record the current CRL Publishing Parameters

Set the CRL Delta publishing interval to 2 days

Click on “Revoked Certificates” -> all task -> publish -> Delta CRL only

d. Backup CA DB and Private Key

Map shared network drive to take the backup

on Certificate authority snap-in right click point to All task and backup CA

On the Welcome page of the CA Backup wizard, click Next.

On the Items to Back Up page, select the Private key and CA certificate and Certificate database and certificate database log check boxes, specify the backup location, and then click Next.

On the Select a Password page, type a password to protect the CA private key, and click Next.

On the Completing the Backup Wizard page, click Finish.

After the backup completes, verify the following files in the location you specified CAName.p12 containing the CA certificate and private key Database folder containing files certbkxp.dat, edb#####.log, and CAName.edb

Open command prompt and type Net stop Certsvc to stop Certificate Service

e. Backup CA Registry

Click Start, point to Run, and type regedit to open the Registry Editor.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc, right-click Configuration, and then click Export.

Specify a location and file name, and then click Save. This creates a registry file containing CA configuration data from the source CA.

f. Remove source server

Launch Add or remove program

Click Add/Remove windows components and uncheck Certificate Services

Click next and finish

Remove source server from domain

Delete AD computer object

Rename source server to some temp name

2. Preparing Destination Server

Change destination server name to the initial source server name

Add destination server to domain

Map network share used in taking the backup on source server

a. Import the CA certificate

Start the Certificates snap-in for the local computer account.

In the console tree, double-click Certificates (Local Computer), and click Personal.

On the Action menu, click All Tasks, and then click Import to open the Certificate Import Wizard. Click Next.

Locate the <CAName>.p12 file created by the CA certificate and private key backup on the source CA, and click Open.

Type the password, and click OK.

Click Place all certificates in the following store.

Verify Personal is displayed in Certificate store. If it is not, click Browse, click Personal, and click OK.

b. Add CA and IIS roles on destination server

Log on to the destination server, and start Server Manager.

In the console tree, click Roles.

On the Action menu, click Add Roles.

If the Before you Begin page appears, click Next.

On the Select Server Roles page, select the Active Directory Certificate Services and Web Server (IIS) check box, and click Next.

On the Introduction to AD CS page, click Next.

On the Role Services page, click the Certification Authority check box, and Certification Authority Web Enrollment and click Next.

On the Specify Setup Type page, specify either Enterprise and click Next.

On the Specify CA Type page, select Subordinate CA, and click Next.

On the Set Up Private Key page, select Use existing private key and Select a certificate and use its associated private key.

In the Certificates list, click the imported CA certificate, and then click Next.

On the Configure Certificate Database page, specify the locations for the CA database and log files.

On the Confirm Installation Selections page, review the messages, and then click Install.

Hope you liked this article, please continue with the next part where we will discuss in details of the below

Part 2 – Restoring the Source from backups and Verifying the migration
Part 3 – Back Out procedure

Exchange tools for Every Exchange Engineers

January 10, 2013Krishna - MVPExchange 2003, Exchange 2007, Exchange 2010, Exchange 20131 Comment

I found a nice link which has all the necessary tool for exchange available. I am sure i will be using this in the futur

http://messagingschool.wordpress.com/2011/04/27/tools-for-exchange-server-200320072010/

Regards,

Krishna