Deploying Exchange Server 2007 and Office Communications Server 2007 R2 (Part 4)

Installing Active Directory Certificate Services

Although it is essentially not a requirement, AD CS (Active Directory Certificate Services) helps with certificate management for internal servers. AD CS is the foundation for a PKI (Public Key Infrastructure), which in a production environment must be planned, protected and designed properly. In this article series we are going to install an Enterprise root Certification Authority; this type of CA uses Active Directory to manage certificates, so any machine joined to our domain will trust the certificates issued by our CA. These steps can be followed to deploy AD CS on Windows Server 2008:

  1. Open Server Manager.

  2. Click on Roles.

  3. Click on Add Roles.

  4. On the Before You Begin page, click Next.

  5. On the Select Server Roles page, select Active Directory Certificate Services from the list and click Next (Figure 1).


Figure 1

  6. On the Introduction to Active Directory Certificate Services page, click Next.

  7. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment (Figure 2). You will receive a prompt about required features, as shown in Figure 3; click Add Required Role Services and then click Next.


Figure 2


Figure 3

  8. On the Specify Setup Type page, select Enterprise and click Next.

  9. On the Specify CA Type page, select Root CA and click Next.

  10. On the Set Up Private Key page, select Create a new private key and click Next.

  11. On the Configure Cryptography for CA page, leave the default settings and click Next.

  12. On the Configure CA Name page, specify a name for our Certification Authority; this name will be displayed when we create an online certificate request during the OCS deployment. The default value is <NetBIOS-name-of-the-domain>-<Server-Name>-CA. Click Next.

  13. On the Set Validity Period page, we can specify for how long the certificate issued to this CA will be valid. Bear in mind that the CA only issues certificates while its own certificate is valid. The default value is 5 years. Click Next.

  14. On the Configure Certificate Database page, we can define where the CA database and its log will be created; just click Next.

  15. On the Web Server (IIS) page: this section was added because we selected Web Enrollment during the CA installation. Click Next.

  16. On the Select Role Services page, leave all default selections and click Next.

  17. On the Confirm Installation Selections page, a summary of all settings selected so far is displayed; click Install to start the installation process (Figure 4).


Figure 4

  18. On the Installation Results page, we can see the result of the installation of both roles (Certificate Services and IIS), as shown in Figure 5. At this point we can open http://<Server-Name>/CertSrv and see the Microsoft Active Directory Certificate Services page.


Figure 5
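Once the wizard finishes, the practical check is whether domain members actually trust the new CA and whether it answers requests. The PowerShell below is an added example, not part of the original article; $caName follows the wizard default <NetBIOS-domain>-<Server>-CA and, like $caHost, is an assumed value.

```powershell
# Added example, not from the original article: verify from a domain-joined machine that the
# new Enterprise root CA is trusted, still valid, and reachable. $caName/$caHost are assumptions.
$caName = "APATRICIO-SRV01-CA"
$caHost = "srv01.apatricio.local"

# Enterprise CA certificates are published in AD, so domain members receive the root
# certificate in the machine Trusted Root store without a manual import.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "CN=$caName" } | Select-Object -First 1

if (-not $rootCert) {
    Write-Warning "CA cert '$caName' not in Trusted Root yet; run 'certutil -pulse' (or gpupdate) and retry"
} else {
    $daysLeft = ($rootCert.NotAfter - (Get-Date)).Days
    "CA cert {0} valid until {1} ({2} days left)" -f $rootCert.Thumbprint, $rootCert.NotAfter, $daysLeft
    # The CA can only issue certificates while its own certificate is valid (5-year default),
    # so warn well ahead of that date.
    if ($daysLeft -lt 365) { Write-Warning "CA certificate expires in under a year; plan its renewal" }
}

# Check that the CA service answers over DCOM; this is the path an online certificate
# request from the OCS or Exchange setup will use.
& certutil -config "$caHost\$caName" -ping

# Check that the Web Enrollment page installed alongside the CA answers with integrated auth.
try {
    $req = [System.Net.WebRequest]::Create("http://$caHost/certsrv/")
    $req.UseDefaultCredentials = $true
    $resp = $req.GetResponse()
    "Web Enrollment: HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch {
    Write-Warning "Web Enrollment not reachable: $($_.Exception.Message)"
}
```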

Windows Firewall

In our scenario we are going to take advantage of Windows Firewall, which will stay on at all times, as shown in Figure 6. It is really important to keep it on during the Exchange Server and OCS installation, because the setup process creates the required firewall exceptions automatically as part of the installation.


Figure 6

DNS Configuration

By now you should know that the core of Unified Communications is Active Directory, which in turn relies on DNS. You should also know that Unified Communications technologies use a lot of certificates: there are many different types of certificates and many ways to deploy them in an organization. In this article we keep it simple and minimize the number of certificates as much as we can: we are going to use a SAN (Subject Alternative Name) certificate and configure split DNS in our internal Active Directory.

Split DNS is a simple configuration in which your external DNS name has its own zone internally. Let us say our company's external name is AndersonPatricio.org; that zone is hosted on an external DNS server and has a couple of host entries, such as www, autodiscover and mail. The same company has its internal Active Directory FQDN configured as apatricio.local. The split-DNS configuration is really simple: we just create the andersonpatricio.org zone on our internal DNS servers, which means that any internal query for the domain andersonpatricio.org is answered by the internal server instead of the external one. For this reason we must keep track of all host entries in the external zone and create them in the internal zone.

Although it is not rocket science, some administrators still do not like to use split DNS in their environment. The key is to make sure that every time you update an external record you also update it in your internal DNS; otherwise you may experience strange scenarios such as external users being able to open the company web page while internal users cannot. The same applies to new services deployed internally: if they are going to be used externally, you must update your external DNS zones. Long story short: make sure the external and internal DNS zones have matching records.

In this article we create just the zone; the SRV and other special entries required for Office Communicator automatic sign-in will be covered in a later article of this series on the Office Communicator logon process. To create the external zone internally, follow these steps:

  1. Open DNS Manager.

  2. Expand <Server-Name>.

  3. Right-click Forward Lookup Zones and click New Zone…

  4. On the Welcome to the New Zone Wizard page, click Next.

  5. On the Zone Type page, select Primary zone, check the option Store the zone in Active Directory and click Next (Figure 7).


Figure 7

  6. On the Active Directory Zone Replication Scope page, select the second item, To all DNS servers in this domain: <Your-domain-name>, and click Next. With this option any new domain controller added down the road will receive the same zone information, and no extra administrative effort is required to replicate the zone among DNS servers.

  7. On the Zone Name page, enter your external domain name; in our scenario it is andersonpatricio.org, which doubles as our external domain, default SIP domain and SMTP address domain for all users (Figure 8).


Figure 8

  8. On the Dynamic Update page, select Do not allow dynamic updates and click Next. This zone will be managed by administrators.

  9. On the Completing the New Zone Wizard page, click Finish.
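The one operational risk of split DNS called out above is the internal zone drifting from the public one. The script below is an added example, not part of the original article: it resolves the hosts the article names (www, autodiscover, mail) against both the public authoritative server and the internal DC and reports anything missing or different. Both server names are assumptions; nslookup is used because Resolve-DnsName does not exist on Windows Server 2008.

```powershell
# Added example, not from the original article: compare the public andersonpatricio.org zone
# with the internal split-DNS copy. $externalDns and $internalDns are assumed names.
$zone        = "andersonpatricio.org"
$hosts       = "www", "autodiscover", "mail"
$externalDns = "ns1.publicdns.example"       # assumed: server authoritative for the public zone
$internalDns = "dc01.apatricio.local"        # assumed: internal DC/DNS server hosting the split zone

function Get-ARecords([string]$fqdn, [string]$server) {
    # Lines before "Name:" describe the server that answered, not the host queried, so they are
    # skipped; after it, every "Address:"/"Addresses:" line or bare indented IPv4 is an answer.
    $inAnswer = $false
    $addrs = @()
    foreach ($line in (& nslookup -type=A $fqdn $server 2>$null)) {
        if ($line -match '^Name:') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '^(Address(es)?:)?\s*(\d{1,3}(\.\d{1,3}){3})\s*$') {
            $addrs += $matches[3]
        }
    }
    return @($addrs | Sort-Object)
}

foreach ($h in $hosts) {
    $fqdn = "$h.$zone"
    # @() keeps single answers as arrays so .Count is reliable on PowerShell v2
    $ext = @(Get-ARecords $fqdn $externalDns)
    $int = @(Get-ARecords $fqdn $internalDns)
    if ($ext.Count -eq 0 -and $int.Count -eq 0) {
        Write-Warning "$fqdn resolves on neither server"
    } elseif ($int.Count -eq 0) {
        # The failure the article warns about: the record exists publicly but was never
        # created in the internal zone, so internal clients cannot reach the host at all.
        Write-Warning "$fqdn MISSING internally (external: $($ext -join ', '))"
    } elseif ($ext.Count -eq 0) {
        Write-Host "$fqdn is internal-only ($($int -join ', ')); publish it externally if outside users need it"
    } elseif (Compare-Object $ext $int) {
        # Different addresses are fine when intended (internal zone pointing at a private IP),
        # but they should be a deliberate choice, not drift.
        Write-Host "$fqdn differs: external=$($ext -join ', ') internal=$($int -join ', ') (confirm this is intentional)"
    } else {
        Write-Host "$fqdn OK ($($int -join ', '))"
    }
}
```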

Installing Operating System Features and Roles to support OCS

Some prerequisites must be in place before running the OCS 2007 R2 Deployment Wizard. OCS 2007 R2 requires certain Features and Roles in order to perform the entire Active Directory preparation and the OCS installation from the OCS server. These are the steps to install the Features needed for OCS 2007 R2:

  1. Open Server Manager.

  2. Expand Features.

  3. Click on Add Features.

  4. Expand Remote Server Administration Tools.

  5. Expand Role Administration Tools.

  6. Expand Active Directory Domain Services Tools.

  7. Select Active Directory Domain Controller Tools.

IIS must also be installed prior to the OCS 2007 R2 installation: start a standard Add Roles wizard from Server Manager and make sure that all items shown in the two figures below are selected (Figure 9 and Figure 10).


Figure 9


Figure 10

Conclusion

At the end of the fourth article of this series we have briefly covered the architecture and planning, and now the AD services deployment needed to build our environment. In the next article we enter the UC area, starting with the Exchange installation, and I will give you some hints that can save you time during the Exchange installation process.


Source: msexchange.org

About Tony Nguyễn
My name is Tony, also called Tèo, and I live in Tám hamlet, Trảng Thanh, Thừa Thiên province. In my youth my intellect was ordinary, but my character was honest and straightforward, and I was fond of poetry ...
