If you are reading this, then you have been wondering where the show has gone and if it will return.  Our hiatus was fueled by many distractions, but it has led me to the point I had hoped to avoid; the show is done.  I finally had the chance to speak with Steve and let him know that I am bowing out of the show altogether.  Steve is battling his own constraints, but may decide to do something with the show.  Keep an eye out for a post from him letting you know if there are any plans.

We truly apologize for disappearing (again) without an explanation.  Between our jobs and families, we can’t seem to find a way to schedule a regular recording time.  I couldn’t find the time to put together content for the show; which led to aggravation for me as I wanted to bring something of substance to the show. The reason I/we didn’t post anything was that we kept hoping to delay the inevitable and find a way to get past this.  We’ve delayed long enough and it’s time to call it done.

I am hoping to schedule a “Final Episode” with Steve and Rich and will post a recording time should anyone want to join us.

Lastly, I want to thank all of the listeners we’ve had over the years.  You have all been very supportive and encouraging.  Knowing that someone was listening and enjoyed the show makes it all worth the effort.  I will truly miss the interaction and fun we’ve had along the way together.

Thank you again.

Keith

Stay tuned, because I know Keith is eager to talk Namespaces!

In my time judging for the Games, I’ve written a few blog posts about some of the common issues I’ve found in the entries.  You can see all my Scripting Games related posts here.

(Yes.. I know I should have a monitoring box on a span port that I could do this off of, but it becomes a bit more complicated in a virtual environment.)

So, I’ve compromised a bit.  I’ve been using the WinPcap drivers and WinDump from the command line to create the network captures.  Then I can use WireShark on my desktop to analyze the traffic.

The command line I used for WinDump was something like:

C:\WinDump.exe -n -s 0 -vvv -w mynetworkcapture.pcap

The “–n” skips the DNS resolution (which makes it a bit more consistent to read through).The “–s 0” captures the full packet.  “-vvv” captures additional packet details.  And last, but not least, “-w mynetworkcapture.pcap” is the file name (and relative path) to where the capture could be saved.

There are many, many other options, but this got me a quick grab of traffic that let me isolate my problem in WireShark and get to the resolution I needed.

Topics/Links:

• System Center Betas
• Problems with SP1
• Verizon T1 outage

Read the full show notes here.

Website Picks

Sorry, none this week.

Download Here

Show Length:1:13:33

Topics/Links:

• Interview with Ed Wilson: The Microsoft Scripting Guy
  • Hey, Scripting Guy! Blog
  • Follow him on Twitter @ScriptingGuys
  • 2011 Scripting Games
• Upcoming Changes to Microsoft Core CAL’s
• Making movies with YouTubeDownloader and CamStudio
• Windows 7 & 2008 R2 Service Pack 1 Trials and Tribulations
• osTicket - Web-based help desk ticket management

Read the full show notes here.

Website Picks

Sorry, none this week.

Download Here

Show Length:1:16:25

Topics/Links:

• Interview with Tom Limoncelli, one of the authors of TPOSANA and presenter at the PICC Conference. 
  • Grab the book here: The Practice of System and Network Administration (2nd Ed.)
  • Check out his site at Everything Sysadmin
• Steve is presenting on DirectAccess
• DirectAccess & Office Communicator configuration woes
• Limiting your user account abilities

Read the full show notes here.

Website Picks

Sorry, none this week.

Download Here

It appears that the Configuration Manager team decided to step back in their support of current database servers.  Starting with Configuration Manager 2007 R2, the following were supported:

• SQL Server 2005 with SP2 or SP3
• SQL Server 2008, SP1, or SP2
• SQL Server 2008 R2

According to the beta System Requirements documentation (remember this is beta, which in Microsoft parlance means bug fixes, not a lot of changes, etc..)

Configuration Manager requires 64-bit SQL Server 2008 Standard Edition or SQL Server 2008 Enterprise Edition, running Service Pack 1 with at least Cumulative Update 10 . Other versions of SQL Server, such as SQL Server 2008 with Service Pack 2 or SQL Server 2008 R2, are not supported.

If you are looking for something that is not so picky, but get’s you a good bit of the functionality, I’ve started to look at Admin Arsenal.  I’ve just downloaded one of their products and I’ll get a chance to look deeper later, but it seems to be a bit lower friction.

On a side note.. the guys at Admin Arsenal are supporting this year’s PICC event.

Some of our internal certificates for OCS were coming due for replacement.  I did a simple web search for “Find all certificates for Office Communication Server 2007 R2” and I got very little help..

And of course, OCS does not support wildcard certs (but does take wildcards in Subject Alternative Names (SAN).. go figure..)

So for those who just want a reference of what certs are used where.. (Subject Name (SN) and Common Name (CN) are used somewhat interchangeably.. Common Name is the most import item to OCS)

Outcome (it’s not pretty folks…):

I give you (working from the outside in):

1. Edge Server

   1. Description:

      1. The first cert needed is a Web Conferencing Edge Server. 
      2. SAN Required - No.
      3. These are public facing certs, so you’ll likely want to get these from a cert provider.
      4. Even if you are issuing them yoursefl, you’ll notice that these cert requests are generated offline, as the edge server is usually in a restricted portion of the DMZ without direct access to your internal CA.

   2. Example:

      1. SN: webconf.mindofroot.com

   3. Command:

      1. To create the cert request: LcsCmd /cert /action:request /friendlyname:”Web Conference Edge” /sn:webconf.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:”C:\CertHold\webedge.req” /L
      2. To import the response: LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /assign:true /Components:DP /L

   4. Description:

      1. The second cert required is for Audio/Video Authentication Edge Server.
      2. SAN Required – No.
      3. This is used for internal communication to the rest of the OCS infrastructure.
      4. If you are using an internal cert, you will have to install the certs on the cert chain as well to make them trusted on this server.

   5. Example:

      1. SN: av.mindofroot.com

   6. Command:

      1. LcsCmd /cert /action:request /friendlyname:”AV Edge” /sn:av.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:”C:\CertHold\avedge.req” /L
      2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /assign:true /Components:MR /L

   7. Description:

      1. The third cert is required for the Internal Edge. 
      2. SAN Required – No.
      3. This is for encrypting and decrypting traffic between external clients and the “next hop” server (usually the director or pool).
      4. This can be an internally issued cert.

   8. Example:

      1. SN: internaledge.internal.mindofroot.com

   9. Command:

      1. LcsCmd /cert /action:request /friendlyname:”Internal Edge” /sn:internaledge.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:”C:\CertHold\internaledge.req” /L

      2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /assign:true /Components:INTERNAL /L

   10. Description:

       1. The fourth cert required covers the Access Edge.
       2. SAN Required: Possible, if there are additional domains covered for external access.
       3. This is for the default SIP.yourdomain.com address.

   11. Example:

       1. SN: sip.mindofroot.com
       2. SAN: sip.acoupleofadmins.com

   12. Command:

       1. LcsCmd /cert /action:request /friendlyname:”Access Edge” /sn:sip.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:sip.mindofroot.com, sip.acoupleofadmins.com /fileName:”C:\CertHold\accessedge.req” /L
       2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\accessedge.cer” /assign /Components:AP /L

2. Reverse Proxy

   1. Description:

      1. The Reverse Proxy provides a way for external users to access content, expand address lists, and otherwise do things require more access.
      2. SAN Required – Maybe.

   2. Example:

      1. SN: ocsweb.mindofroot.com

   3. Command:

      1. LcsCmd /cert /action:request /friendlyname:”Web Proxy External” /sn:ocsweb.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:”C:\CertHold\webproxyext.req” /L
      2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /L

3. CWA Server

   1. Description:

      1. The CWA certificate supports IM, PSTN call in, desktop sharing, etc..
      2. SAN Required – Yes.
      3. Note – The DNS name cwa.yourdomain.com might be behind a reverse proxy.. in that case, you might need two certs (an internal and a public cert).

   2. Example:

      1. SN: cwa.mindofroot.com
      2. SAN: im.mindofroot.com, cwa.acoupleofadmins.com, im.acoupleofadmins.com

   3. Command:

      1. LcsCmd /cert /action:request /online:false /friendlyname:”CWA” /sn:cwa.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /san: im.mindofroot.com, cwa.acoupleofadmins.com, im.acoupleofadmins.com /fileName:”C:\CertHold\CWAext.req” /L
      2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CWAResponse.cer” /assign:true /L

4. Director

   1. Description:

      1. SN set to the FQDN of the director.
      2. SAN Required – Yes, set to the SIP DNS for each domain. 

   2. Example:

      1. SN: director.internal.mindofroot.com
      2. SAN: sip.mindofroot.com

   3. Command:

      1. LcsCmd /Cert /Action:request /online:true /assign:true /ca:MOR-CA.internal.mindofroot.com\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:”MOR-Director SIP”/sn:director.internal.mindofroot.com /OU: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:*.mindofroot.com /L

5. Mediation Server

   1. Description:

      1. The Mediation Server coordinates enterprise voice traffic
      2. SAN Required – No.

   2. Example:

      1. SN: mediation.mindofroot.com

   3. Command:

      1. LcsCmd /cert /action:request /online:true /friendlyname:Mediation Server /sn:mediation.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /fileName:”C:\CertHold\mediation.req” /L
      2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /assign:true /L

6. Front End Server

1. Description:

1. SN set to the FQDN of the enterprise pool name or server. 

2. SAN Required – Yes, set to any alternative DNS names for the pool and server. 

2. Example:

   1. SN: pool1.intranet.mindofroot.com
   2. SAN: pool1.mindofroot.com, sip.mindofroot.com, myfrontendserver.intranet.mindofroot.com

3. Command:

   1. LcsCmd /Cert /Action:request /online:true /assign:true /ca:MOR-CA.internal.mindofroot.com\MOR-CA /caAccount:MOR\Admin /caPassword:P@ssword1 /friendlyname:“MOR-FE Front End SIP” /sn:pool01.internal.mindofroot.com /OU: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:*.mindofroot.com, myfrontendserver.intranet.mindofroot.com /L

7. Group Chat

1. Description:

1. The Group Chat cert should reference the DNS for the Group Chat server.
2. SAN required – Maybe, if you have multiple DNS entries for group chat.

2. Example:

1. SN: groupchat.mindofroot.com
2. SAN: groupchat.acoupleofadmins.com

3. Command:

1. LcsCmd /cert /action:request /online:true /friendlyname:”Group Chat Server” /sn:groupchat.mindofroot.com /ou: IT /org:MOR /city:SomeWhere /state:Else /country:US /san:groupchat.mindofroot.com.com, groupchat.acoupleofadmins.com /enableClientEKU:TRUE /fileName:”C:\CertHold\groupchat.req” /L
2. LcsCmd /cert /action:ImportResponse /fileName:”C:\CertHold\CAResponse.cer” /assign:true /L

All that talk of licensing reminded me of a tool I’ve used to manage and license machines in my network – the Volume Activation Management Tool (VAMT) version 2.0.  Version 2.0 has some updated features, including managing Office 2010 licensing in addition to Server 2008 R2 and Windows 7.  There is a version 1.1 of the tool that will manage licensing for Vista, Server 2008, Win 7, and Server 2008 R2.