Archive for the ‘Windows Server 2008 R2’ Category

Public Key Infrastructure at Microsoft – 2008 R2 Edition

October 3rd, 2011

Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper. It is available at http://www.microsoft.com/download/en/details.aspx?id=27581 or here: Public Key Infrastructure at Microsoft 1750_PKI_TWP

The update covers the changes made to Microsoft's internal PKI structure as part of the Windows Server 2008 R2 migration. Microsoft IT outlines many good lessons learned and best practices that came out of the migration/upgrade process.

Some of my favorites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier structure together with cross-forest enrollment, and the discussion of virtualisation of CAs.

Some of the highlighted features in the document are:

Windows Server 2008:

  • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
  • Enhanced performance monitoring with the addition of new performance counters
  • Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
  • Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
  • Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
  • More detailed server administration with restricted certificate managers
  • Failover cluster support

Windows Server 2008 R2:

  • Cross-forest enrollment capability that allows for consolidation of existing hardware
  • Databaseless CA feature to avoid storing unnecessary certificate records
  • Best Practice Analyzer for improved configuration practices
  • Web-based certificate enrollment protocol to allow enrollment over the Internet


Migrating to Windows 7, Windows Server 2008 R2 and Hyper-V R2?

September 7th, 2010

There are many different ways to deploy and migrate to Windows 7, Windows Server 2008 R2 and Hyper-V R2: some are outright harmful, others are perfectly fine with various pros and cons, and of course some are really good and well thought out.

Challenges such as coexisting with XP for a period, upgrading roles such as AD, DNS, DHCP and clustering, changing communication protocols and introducing new features such as Direct Access demand a great deal from those of us who work in IT.

At the Summit you get the unvarnished truth and the tips you won't find in the manuals on how best to introduce the latest technology into your IT environment.

More information and the agenda are available at http://infrastructuresummit.se/

See you on 7 October

/Hasain

ADCS components that can be configured on different editions of Windows Server 2008 R2

June 17th, 2009

The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.

Components                         Web   Standard   Enterprise   Datacenter
CA                                 No    Yes        Yes          Yes
Network Device Enrollment          No    No         Yes          Yes
Online Responder                   No    No         Yes          Yes
CA Web Enrollment                  No    Yes        Yes          Yes
Certificate Enrollment WS          No    Yes        Yes          Yes
Certificate Enrollment Policy WS   No    Yes        Yes          Yes

The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.

AD CS features                            Web   Standard   Enterprise   Datacenter
Customizable version 2 and 3 templates    No    Yes        Yes          Yes
Key archival                              No    Yes        Yes          Yes
Role separation                           No    No         Yes          Yes
Certificate manager restrictions          No    No         Yes          Yes
Delegated enrollment agent restrictions   No    No         Yes          Yes
Certificate enrollment across forests     No    No         Yes          Yes

Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2

January 21st, 2009

What if you could add group membership to a user's access token when the user authenticates with a certificate-based logon method, and let the policies included in the certificate decide which groups should be added?

This is now possible using the Authentication Mechanism Assurance feature in Active Directory Domain Services (AD DS) in Windows Server 2008 R2. When this feature is enabled, a user's access to network resources when authenticated with a certificate-based logon can differ from the access the same user gets by typing a user name and password, because the user's group membership is changed to reflect the authentication method used.

This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.

The best part of this feature is that any client or server operating system that can interpret Windows access tokens can be used to grant or deny access based on the group membership or memberships that authentication mechanism assurance adds to a user's token.

/Hasain
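As an added example (not from the original post or from Microsoft), the following script audits which issuance policies in a forest are linked to groups for authentication mechanism assurance and flags linked groups that are not empty universal security groups; it assumes the ActiveDirectory module is installed and that the link is stored in the msDS-OIDToGroupLink attribute of the issuance-policy OID object, with any OID and group names coming from your own forest.

```powershell
# Audit Authentication Mechanism Assurance (AMA) policy-to-group links.
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-AmaPolicyGroupLinks {
    [CmdletBinding()]
    param()

    # Issuance policy OID objects live under the Public Key Services
    # container of the Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

    # Only OID objects carrying msDS-OIDToGroupLink take part in AMA.
    $filter = '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))'
    $linked = Get-ADObject -SearchBase $oidBase -LDAPFilter $filter `
        -Properties 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'

    foreach ($oid in $linked) {
        # The link attribute holds the distinguished name of the group.
        $group = Get-ADGroup -Identity $oid.'msDS-OIDToGroupLink' -Properties 'Members'

        # A group used by AMA is expected to be a universal security group with
        # no static members: membership is meant to come only from the
        # certificate policy at logon, never from a manual addition.
        $findings = @()
        if ($group.GroupScope -ne 'Universal')    { $findings += 'scope is not Universal' }
        if ($group.GroupCategory -ne 'Security')  { $findings += 'not a security group' }
        if ($group.Members.Count -gt 0) {
            $findings += "has $($group.Members.Count) static member(s)"
        }

        [PSCustomObject]@{
            PolicyName  = $oid.displayName
            PolicyOID   = $oid.'msPKI-Cert-Template-OID'
            LinkedGroup = $group.SamAccountName
            Compliant   = ($findings.Count -eq 0)
            Findings    = ($findings -join '; ')
        }
    }
}

# Domain functional level must be Windows Server 2008 R2 for AMA to apply.
"Domain functional level: $((Get-ADDomain).DomainMode)"
Get-AmaPolicyGroupLinks | Format-Table -AutoSize
```

A static member of a linked group would hold the AMA group in its token on every logon, including password logons, which defeats the purpose of the feature; the Findings column makes such cases visible.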