TechOnTip Weblog

Run book for Technocrats

Archive for June, 2011

Virtual Machine Template Build & Customization

Posted by Brajesh Panda on June 29, 2011

My notes to create a VM Template & deployment method in virtual environment!

Anything else I should do – buzz me!

  1. Gold Template Configuration – Windows 2008 R2 STD
  • Removed virtual floppy drive & other virtual parallel devices from virtual machine configuration
  • Disabled IPv6 & other ISATAP tunnel adapters completely using registry key
  • Disabled User Account Control
  • Disabled IE Enhanced Security
  • Disabled Windows Firewall for all profiles
  • Configured Windows Update to “Download updates but let me choose whether to install them” option
  • Enabled Remote Desktop using “Allow Connection from Computers running any version of Remote Desktop” option
  • Configured Time Zone to EST
  • Disabled Server Manager auto start at logon
  • Disabled Initial Server Configuration window auto start at logon
  • Configured Task Bar as Locked
  • Configured Best Performance option at Computer Properties –> Advanced –> Performance tab
  • Configured IE’s default page to Blank Page
  • Cleared C:\Users\Administrator\AppData\Local\Temp folder.
  • Defragged the C drive
  • Installed VMware Tools
  • Installed McAfee Base Antivirus Software. (If we plan to deploy Forefront to servers right now, we can do that too)
  • Installed SP1 & latest hotfixes
  2. Run Once script – for post-deployment configuration, as follows:
  • Disables Windows Firewall for Domain Profile after domain join
  • Unchecks the below check marks from Network Applet’s Local Area Connection
    • QoS Packet Scheduler
    • Internet Protocol Version 6 (TCP/IPv6)
    • Link-Layer Topology Discovery Mapper I/O Driver
    • Link-Layer Topology Discovery Responder
  • Installs McAfee EPO Agents
  • Starts Windows Update automatically from Command Prompt & asks whether to install or not! Hence even if the template is old, you will not forget to update Windows 😉
  3. vSphere Specification Manager
  • Asks for the NetBIOS name of the Virtual Machine & renames the Virtual Machine
  • Asks only for the IP Address of the Virtual Machine
  • Configures DNS, Gateway etc. automatically
  • Generates a new SID for the virtual machine
  • Joins to Domain automatically – for this job we need to create a permanent service account


RunOnce – Windows Registry

Posted by Brajesh Panda on June 28, 2011

Windows 2008 R2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Create a String Value & give the complete path to the application/command batch file. I usually put everything in sequence in a batch file & give its path. However, you can create a key for each application. I also read that you can define a dependency parameter, like if you want to load something at the time of application execution etc.


Windows 8 Partner Demo

Posted by Brajesh Panda on June 6, 2011


How to configure/import SAN certificate in IIS 7.x?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 5


  • Apart from the SSL certificate (SAN), you may have to install an intermediate/chain certificate from your certificate authority to get your certificate to work properly. Check with your provider.
  • You can import the SSL cert using the Windows Certificate MMC or IIS – SSL Security settings.

Using Windows Certificate MMC:

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Import Certificate – Select the SSL certificate & import – Click Yes on the Thumbprint validation window

Using IIS Manager:

  • Open IIS Manager – select the server on the left hand side & open “Server Certificates” from the middle pane

  • Click on Import & select the certificate PFX file; type the import password if you set one at the time of certificate creation. If you want to export this certificate later for use on another server, make sure you select “Allow this certificate to be exported”.

Bind SAN SSL Certificate to multiple web sites

  • After you have imported the SAN certificate to IIS you can bind the certificate to different websites in the same IIS 7.x server
  • To bind the SAN SSL cert to multiple websites you have to configure a different host header for each website. Make sure the host headers exactly match the SAN URLs (the certificate’s Subject Alternative Names); otherwise you will get an SSL error about the mismatch.
  • Select the website, click on bindings. It will open up Site Bindings window

  • Click Add to create a new binding with host header, IP address & Port.
  • From Type select HTTPS, from IP Address menu select the IP Address & in Port input box type 443.
  • If you have only one IP address available, you will be selecting the same IP address for all websites. In that case we have to type a UNIQUE host header, as I told you earlier. But now this field may be grayed out.

  • Let’s select the imported SSL cert (SAN) from the SSL Certificate drop-down menu. You may observe that the host header field is still not editable — phew! So you can’t type the unique host header name here.
  • IIS provides a command line tool (appcmd) to do that. There is also an undocumented IIS 7.x hack you can use for this purpose.

APPCMD for SSL Binding

  • Run the command below for each website, after editing the website name & host header value

appcmd set site /site.name:"<WEBSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

Undocumented IIS Hack for SSL Binding

  • From the Certificate MMC, right click the SSL certificate name & add an asterisk (*) in front of the friendly name of the certificate. Now when you select the certificate you will be able to type the host header in IIS Manager itself. Thanks to my friend Jason Heisley for telling me this little hack. Here is another blog article regarding this hack.
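
A way to check the host-header rule above after binding, as an added example that is not part of the original post: it compares each HTTPS binding's host header with the DNS names in the certificate's SAN extension. It goes slightly beyond the post by also accepting wildcard SAN entries. Assumptions: function names are hypothetical, every HTTPS binding shares the one SAN certificate (the single IP and port 443 setup described here), and the sample names are constructed.

```powershell
# Added example, not from the original post; function names are hypothetical.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Assumption: English Windows, where Format() prints entries as "DNS Name=<name>".
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-HostHeaderInSan {
    param([string]$HostHeader, [string[]]$SanDnsName)
    foreach ($san in $SanDnsName) {
        if ($san -eq $HostHeader) { return $true }      # -eq ignores case
        if ($san.StartsWith('*.')) {                    # wildcard covers one left-most label
            $suffix = $san.Substring(1)
            if ($HostHeader.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostHeader.Substring(0, $HostHeader.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-HttpsBindingAgainstCert {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    Import-Module WebAdministration
    $san = @(Get-SanDnsName (Get-Item "Cert:\LocalMachine\My\$Thumbprint"))
    Get-WebBinding -Protocol https | ForEach-Object {
        $hostHeader = ($_.bindingInformation -split ':')[-1]   # IP:port:hostheader
        New-Object PSObject -Property @{
            Binding      = $_.bindingInformation
            CoveredBySan = (Test-HostHeaderInSan $hostHeader $san)
        }
    }
}

# Constructed sample: a certificate's SAN list and host headers to check against it.
$sampleSan = 'www.example.test', 'shop.example.test'
foreach ($name in 'www.example.test', 'SHOP.example.test', 'intranet.example.test') {
    '{0,-24} covered: {1}' -f $name, (Test-HostHeaderInSan $name $sampleSan)
}
# On the IIS server: Test-HttpsBindingAgainstCert -Thumbprint '<thumbprint of the SAN cert>'
```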


How to generate SAN certificate from internal Windows 2003 certificate authority?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 4

 

 

 


  • I expect you have already created a SAN Certificate Signing Request following the other blog post.
  • If you have enabled the Web Enrollment wizard on your certificate server, open up certificate services using the http://<certificate server name>/certsrv URL
  • On welcome screen click on Request a certificate

  • On the Advanced Certificate Request screen click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file or submit a renewal request by using a base-64-encoded PKCS#7 file

  • Open the SAN certificate request file with Notepad, copy all contents & paste them in the Saved Request window, select Web Server as the Certificate Template & click Submit.

  • Download Base 64 encoded certificate for installation in the web server


How to make sure internal certificate authority is supporting SAN certificate feature?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 3


Certificate servers come with Policy Modules to provide different services. Different types of extensions attached to the policy modules can be turned on so that clients can submit requests for those features.

CertificateAuthority_MicrosoftDefault.Policy is the default policy module in a Windows 2003 Certificate server.

The certutil -getreg command shows different configuration parameters for the default policy module.

certutil -getreg policy\EditFlags shows which extensions are turned on for the default policy module.

The SAN certificate extension can be turned on using the syntax below:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

The SAN certificate extension can be turned off using the syntax below:

(I didn’t try this one – just researched it on Google – maybe sometime later I will try this.)

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

Here are some registry screenshots before & after it was turned on. I am not sure if it can be turned on by just changing the below registry key. Maybe sometime later I will try this.

After Turned ON
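
A way to read the EditFlags value without screenshots, as an added example that is not part of the original post: it decodes the DWORD into flag names and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set. With that flag on, the CA accepts SAN values supplied by the requester as request attributes, so it is worth confirming on every CA where it was enabled. Assumptions: function names are hypothetical, the CA uses the default policy module and the standard CertSvc registry layout, and the two sample values are constructed.

```powershell
# Added example, not from the original post. EDITF_* values are constants from
# the Windows SDK header certsrv.h (subset); function names are hypothetical.
$EditFlagNames = @{
    0x00000002 = 'EDITF_REQUESTEXTENSIONLIST'
    0x00000004 = 'EDITF_DISABLEEXTENSIONLIST'
    0x00000008 = 'EDITF_ADDOLDKEYUSAGE'
    0x00000040 = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x00000100 = 'EDITF_ENABLEAKIKEYID'
    0x00010000 = 'EDITF_ENABLEDEFAULTSMIME'
    0x00020000 = 'EDITF_EMAILOPTIONAL'
    0x00040000 = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x00100000 = 'EDITF_ENABLECHASECLIENTDC'
}

function ConvertFrom-EditFlags {
    param([Parameter(Mandatory = $true)][int]$Value)
    $known = 0
    $names = foreach ($bit in ($EditFlagNames.Keys | Sort-Object)) {
        $known = $known -bor $bit
        if ($Value -band $bit) { $EditFlagNames[$bit] }
    }
    New-Object PSObject -Property @{
        Value             = '0x{0:x8}' -f $Value
        Flags             = @($names)
        UnlistedBits      = '0x{0:x8}' -f ($Value -band (-bnot $known))
        SanFromAttributes = [bool]($Value -band 0x00040000)
    }
}

function Get-CaEditFlags {
    # Standard CertSvc layout; "Active" names the CA configured on this server.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca     = (Get-ItemProperty -Path $cfg).Active
    $policy = "$cfg\$ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    ConvertFrom-EditFlags -Value (Get-ItemProperty -Path $policy).EditFlags
}

# Constructed sample values: the same DWORD without and with bit 0x00040000.
foreach ($sample in 0x0011014e, 0x0015014e) {
    $r = ConvertFrom-EditFlags -Value $sample
    '{0}  SanFromAttributes={1}  [{2}]' -f $r.Value, $r.SanFromAttributes, ($r.Flags -join ', ')
}
# On the CA itself: Get-CaEditFlags
```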

On a Windows 2008 CA, use the commands below to enable SAN extensions!

certutil -setreg policy\SubjectAltName enabled
certutil -setreg policy\SubjectAltName2 enabled
net stop certsvc
net start certsvc


How to create a SAN certificate signing request for IIS web server?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 2

  • How to configure multiple websites to access using host headers?
  • How to create a certificate signing request for our IIS web server?
  • How to make sure internal certificate authority is supporting SAN certificate feature?
  • How to generate SAN certificate from internal Windows 2003 certificate authority?
  • How to configure/import SAN certificate in IIS 7.x?

How to create a SAN certificate signing request for IIS web server?

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Advanced Operations – Create Custom request

  • Click next in Certificate Enrollment Wizard’s welcome window
  • Select “Proceed without enrollment policy” under Custom Request & click next
  • In Custom Request window Select (No template) Legacy key & PKCS #10 as request format
  • And Click Next

  • In Certificate Information Page click the Details icon then Properties. It will open up Certificate Properties window, where we can define different attributes.

  • Under Private Key, select the key size. Over here I just left it as default. You may like to select 4096 for production servers.
  • Under Key Type select “Exchange”

  • Under Extension tab select Extended Key Usage; add Server Authentication from the available options.

  • Under Subject Tab we will be defining our multiple DNS names for the certificate
  • From the drop-down in the Subject Name section select Common Name & type the value, preferably the primary domain name, & then click Add.
  • Under Alternative Name select DNS, type all alternate DNS names & add them.

  • Under General Tab type a friendly name.
  • It is better to add a * in front of the friendly name now. It will help you bind the certificate from the IIS graphical user interface to all websites using the same IP & port 443. If you don’t do this now, no worries; you can do it later, or you can use the command line tool to bind this cert. I have discussed the same in the certificate installation/import post.
  • Click okay & In certificate information window click next

  • Give a file path to save this certificate request & select Base 64 as the file format

  • It will generate “.req” file, you can open this file using notepad.
  • You can use this file to generate your SAN certificate from an external public certificate authority or from your internal certificate authority server.


How to configure multiple IIS websites to access using host headers?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 1

  • How to configure multiple IIS websites to access using host headers?
  • How to create a certificate signing request for our IIS web server?
  • How to make sure internal certificate authority is supporting SAN certificate feature?
  • How to generate SAN certificate from internal Windows 2003 certificate authority?
  • How to configure/import SAN certificate in IIS 7.x?

I have a Windows 2008 R2 IIS web server, where I am going to create a couple of websites for my lab 😉

How to configure multiple IIS websites to access using host headers?

  • Select the website & click on Bindings in the side pane
  • Select the default site binding http & click edit
  • From Drop Down menu select correct IP Address & for Port type 80
  • And in host header field type the complete host header
  • Click Okay, Close
  • Do the same thing for other websites; Only host header will be different

To test these custom websites, create two hosts entries on the workstation from which you will access them & try accessing them.

You should be able to access them. If you can’t, check your firewall & other connectivity configurations. So now we are able to set up multiple websites using one IP & the same HTTP port.





EMC Record Breaking Intro Video

Posted by Brajesh Panda on June 1, 2011

EMC Record Breaking Intro Video: http://www.emc.com/microsites/record-breaking-event/index.htm

Thanks,

Brajesh Panda


 