Pages

Wednesday, January 30, 2013

Issuing a certificate to configure PEAP for a Cisco 4400 Series Wireless LAN Controller with Windows Server 2012 NPS (Network Policy Server)

I was recently asked by a colleague to assist with moving a Windows Server 2008 R2 NPS server providing RADIUS services for a Cisco 4400 series Wireless LAN Controller to a newer redundant design.  The redundancy was provided by 2 Windows Server 2012 NPS servers configured in 2 different sites that the Wireless LAN Controller would attempt to authenticate one after another in order and finally fall back to local authentication if both NPS servers did not response.  The document I was provided was the following:

PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

One of the first items I noticed from this document and logging onto the existing Windows Server 2008 R2 server was that it was a Domain Controller with the Active Directory Certificate Services role installed onto it:

image

I was never a strong supporter of collocating CA services on a domain controller because of the following:

  • You need to remove the CA services if you wanted to demote the Domain Controller.
  • Not a requirement for Windows Server 2008 but back in the Windows 2003 Server days, the server you migrate the CA services to need to be the same name as the original so if your original CA server was DC01, the new one would also have to be DC01.

With the reasons why I do not support strictly following the Cisco guide and issuing a Domain Controller template certificate to use with PEAP, the following will demonstrate how to use a CA located on a different server for wireless authentication.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Most administrators would know that you can continue to configure a NPS policy with Microsoft: Protected EAP (PEAP):

clip_image001

… without a certificate but if you attempt to click on the Edit button, you will be presented with the following:

A certificate could not be found that can be used with this Extensible Authentication Protocol.

clip_image001[4]

If this was a domain controller, one of the solutions is to directly install CA on this NPS server and issue a Domain Controller template certificate for authentication as shown in the Cisco document. An alternative solution to this if you don’t want to install CA services on this server is to log onto an existing CA server, open the Certificate Authority MMC in the Administrator Tools, and navigate to the Certificate Templates:

image

Right click on the Certificate Templates folder and click on the Manage button:

image

The template we’re interested in is the RAS and IAS Server template:

image

Proceed with right clicking on the certificate template and click on Duplicate Template:

clip_image001[6]

Whether you select Windows Server 2003 Enterprise or Windows Server 2008 Enterprise doesn’t matter unless you’re using an older CA (i.e. don’t select 2008 if you’re using this on a 2003 CA server) but for this example, I will select the latter:

clip_image001[8]

The properties of the new duplicated will launch:

clip_image001[10]

Name the template with a name of your choice, modify the Validity period if you prefer it to be longer than the defaults and enable settings such as Publish certificate in Active Directory if you like:

clip_image001[12]

Navigate to the Security tab and select Authenticated Users:

image

Check the Enroll checkbox and click OK:

image

With the new certificate template created, open the Certificate Authority MMC window:

image

Right click on the Certificate Templates folder, select New and click on Certificate Template to Issue:

image

Select the template that was created earlier:

image

Notice how the new template is now listed:

image

Open the Local Computer certificate store of the NPS server and navigate to the Personal folder:

clip_image001[16]

Right click on the Personal folder, select All Tasks, Request New Certificate…:

image

Click Next:

clip_image001[18]

… then Next:

clip_image001[20]

Select the new certificate template (NPS – RAS and IAS Server):

clip_image001[22]clip_image001[24]

Clicking on the Enroll button will begin the process:

clip_image001[26]clip_image001[28]

Note how a new certificate for Server Authentication and Client Authentication has been issued in the Personal store:

image

Now when you attempt to Edit the Microsoft: Protected EAP (PEAP) Authentication Method:

clip_image001[30]

… the following window will be presented for you to select the certificate:

image 

Hope this helps anyone looking for instructions on how to use a CA that is not directly installed onto the NPS server.

Tuesday, January 29, 2013

Resource Mailbox Configured to AutoAccept stops working / does not work

I was asked by a client today to look into an issue with their resource mailboxes that stopped auto accepting calendar booking requests from users a month ago.  After carefully reviewing the settings for the resource mailboxes, creating new ones to test and also moving arbitration mailboxes to other mailbox stores without any luck, I finally stopped and thought that maybe I should check the Microsoft Exchange Mailbox Assistants (MSExchangeMailboxAssistants.exe) service because the description clearly states the following: Performs background processing of mailboxes in the Exchange store.

To make a long story short, the service was indeed stopped:

image

Once the service was restarted, all of the queued up resource mailbox calendar bookings began to get processed.  I’m writing this blog post because while performing searches on the internet, none of the first 5 results I searched for pointed towards checking the service.

Moving Central Management Server from Lync Server 2010 enterprise front end pool to 2013 enterprise front end pool

One of the more important things to do prior to decommissioning your Lync Server 2010 pool after migrating over to Lync Server 2013 is to move the Central Management Server to the new pool:

image

Documentation on how to do this can be found at the following URL:

http://technet.microsoft.com/en-us/library/jj688013.aspx

image 

While it’s not too difficult to move the Central Management Server to the new pool, this post will serve to demonstrate what the process looks like. 

Prepare Enterprise Edition Front-End pool

Begin by logging onto the Lync Server 2013 enterprise front-end pool server that you would like to move the CMS, open up the Lync Server Management Shell and execute the following:

Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN <FQDN of your SQL Server> -SQLInstanceName <name of instance>

image

The SQL server hosting my Lync Server 2013 front-end server’s back-end database is svr-sql-06:

image

… and since I’m using the Default SQL instance, the cmdlet I will be executing will look like the following:

Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN svr-sql-06.ccs.int

image image

image

Once completed, confirm that the Lync Server Front-End service is Started:

image

Move CMS from Lync Server 2010 to 2013

With the new CMS installed on the destination server, proceed by publishing the topology with Enable-CsTopology:

image

 image

image

Once Enable-CsTopology has successfully executed, proceed with moving the CMS with Move-CsManagementServer:

image image

image

Once the Move-CsManagementServer completes, open up the Deployment Wizard on the new CMS server (Lync Server 2013) and click on Install or Update Lync Server System:

image

Run the Setup or Remove Lync Server Components:

image

image

image

image

image

Open up the Deployment Wizard on the old CMS server (Lync Server 2010) and click on Install or Update Lync Server System:

image

Run the Setup or Remove Lync Server Components:

image

image

image

image

image

From here, it’s important to confirm that replication with the new Central Management store is occurring so proceed by using the cmdlet:

Get-CsManagementStoreReplicationStatus

… to confirm that replication is in good health:

image

image

Remove Lync Server 2010 Central Management store files

image

With the CMS moved and replication confirmed to be in working order, proceed with removing the CMS files from the old Lync Server 2010 by using the following cmdlet:

Uninstall-CsDatabase -CentralManagementDatabase -SqlServerFqdn <FQDN of SQL Server> -SqlInstanceName <Name of source server>

The SQL server hosting my Lync Server 2010 front-end server’s back-end database is svr-sql-04:

image

… and since I’m using the Default SQL instance, the cmdlet I will be executing will look like the following:

Uninstall-CsDatabase -CentralManagementDatabase -SqlServerFqdn svr-sql-04.ccs.int

image

Once the cmdlet successfully executes, we will now have the CMS completely moved to the new Lync Server 2013 pool and removed from the old Lync Server 2010 pool.