Category: Windows 7


NOTE: This process DOES NOT WORK! I thought that maybe I could trick Lync 2010 to install on a DC, but the SQL failure got quite annoying, and I gave up. Instead, I will be installing both SQL 2008 and Lync 2010 on a Windows Server 2008 R2 member. I will get back to you on that configuration.

If you would like a walkthrough on how to install Lync Server 2010 on a Windows Server 2008 R2 member server, read this post here.

Do not attempt this install, it will not work.

I am going to install Lync Server 2010 on SBS 2008 SP2. This is a production server- I do not recommend doing this until you have planned and tested it first. I do not have a test server available, so it is going on a live server. The server also has Exchange 2007 SP2, and runs one Sharepoint site on WSS 3.0. Server traffic consists of Sharepoint Document Sharing, File and Print, Exchange Email, and Windows Internal Databases. We have no other applications running that use network or server bandwidth.

I am running a HP Proliant ML150 G5 Server, 8GB RAM, 2x mirrored 150GB HDD’s. This set up is VERY weak, and I am not sure as to the impact of the Lync Server- hopefully by the end of this post I will be able to inform you on what it is doing to my network. We have 18 workstations which will use the Lync Client, remote workers will not use it. We will also only be using Lync for IM and Presence to start, no video, voice, or conferencing. My install will differ from yours if you are installing the Enterprise version, or have a need for A/V conferencing, phone system integration, or server pools. This will be a Single-Server install, or a stand-alone server. It will host the Management Site as well.

Microsoft has a site with all of the information you need. I would suggest printing off and reading all of the planning and deployment guides, as well as watching the videos. The site is here.

Run the Lync Server Planning Tool, which can be downloaded here. It is pre-release at the moment.

I got the Lync Server 2010 and the Lync Client from my MAPS subscription. I will install and evaluate, and purchase licenses as we see fit. I personally do not need any license keys with the technology- how you get the disks and licenses is your problem. I burned two DVD’s- one with the server, and one with the client.

I will now run the Planning Tool, display the results, and go over some further documentation. After that, I will install Lync Server first, then one client to test. After that I will proceed to install the rest of the clients.

I am not vouching for this process, as it will consist of my troubleshooting problems that may arise during install. I do suggest you use this as a guide when you install, if you are in the same scenario- as it will be easier to understand than Microsoft’s technical documents.

Run the installed Planning Tool. I usually participate in the Improvement Plans, if only because it stops alerts from being displayed in the SBS Console and BPA.

Lync Planning Tool

I selected to start from the beginning. I selected No for A/V conferencing.

I selected No for Web conferencing.

I selected No for Enterprise Voice.

I selected No for Archiving Server.

I de-selected both Federation check-boxes, as I do not use any External organizations, and I do not wish users to connect to public chats like Yahoo! or MSN.

I selected No for High Availability- I only have one server.

I left the selection alone for Shared WAN. We do not have remote sites as a part of our network, only our Local LAN will use this application.

Central Site

I will name my site something appropriate- my company’s name plus Lync. I suggest you do the same, and do not include any crazy characters, etc.

Fill in your user count. I only need 10 to start, and 18 to finish, so I will enter 20 to be safe.

For my internal SIP domains, I enter both my local domain name, and my remote domain name, which I use for RWW, OWA, and Exchange. They are company.local, and company.org.

I then select No for External User Access- this will only be used inside my office.

You will now see a topology of your setup. Thankfully, mine is REALLY simple.

Topology

Clicking on my site, then double clicking the icon, I see some requirements.

Requirements

I don’t have enough RAM, or all the correct ports open for the software load balancing. I also do not have SSD’s, or enough NIC’s. Well, I have two, but one is disabled and not in use. These requirements are also planning for way more features than what I will be using. I will print this and proceed for now, and open ports or install services as they come up.

Keep in mind now that I am installing Lync Server 2010 on a stand alone production server with a low amount of RAM and not enough requirements met for install. Do this at your own risk. Back up frequently- a 2 hour restore is not too bad if you destroy your server.

Microsoft also recommends that you install Lync onto a child site of your AD Domain. I have such a small AD, that I will just stick it in there with the 40 users and other objects.

I have been reading Microsoft’s Guides, and a lot of their steps are for specific scenarios, and I get a hint that most of mine will be automatically configured- such as DNS SRV records for SIP domains. So I insert the DVD, and click on E:\Setup\amd64\Setup.exe

I get a pop-up about installing MS Visual C++ 2008, and click Yes.

Microsoft Visual C++ 2008

You are then presented with the Lync Install screen. I changed the default path to D:, this is my application/data drive and has more space.

Lync Server Install

Click Install.

Check the box to accept the license, after reading it of course 🙂

License Agreement

The installer does its thing.

Core Components Install

You then enter the Deployment Wizard screen.

Deployment Wizard

This is taken from the help link under Prepare Active Directory.

To begin the installation of Microsoft Lync Server 2010, you must prepare the Active Directory Domain Services (AD DS) schema, forest, and domains that will host servers and users. The Lync Server Deployment Wizard will guide you through the steps required to prepare Active Directory Domain Service (AD DS), beginning with the schema and then into the forest preparation. After confirming that AD DS replication is successful, you then prepare each domain that will host users or servers.

Important:
To successfully prepare the schema, you must be logged in as a member of the Enterprise Admins group and the Schema Admins group. To prepare the forest, you must be logged in as a member of the Enterprise Admins group or logged in as the administrator in the forest root. For domain preparation, you must be logged in as a member of the Domain Admins group.

Now we click the button to prepare the AD. The next screen has a few options. Now, extending the schema is a huge deal. So, I decided to do a full server backup before I press any more buttons. And good thing- the last backup 6 hours ago failed for some reason. I’ll look into those event logs later on. I will finish this backup, make sure it was successful, then proceed.

At this point, Windows Update popped up, with 14 new important updates to install. Booo. Ok, so I install those, and then reboot. My server is great, minus a few warnings that can “be safely ignored” according to Microsoft. Now I resume.

Click Prepare Schema, and Run, then click Next.

Prep AD Schema

Once it completes, I clicked View Log. I then expanded the fields, and browsed the log. I noticed some errors in the log, though the action DID complete successfully.

Extend AD Schema Log

I clicked finish, and then checked the deployment using the steps written here. As you can see from the screenshot, my schema was configured correctly.

ADSI Edit Schema

I then ran Prepare Current Forest, and left it set to Local Domain.

Universal Group Location

I won’t post the screenshot of the log, because editing my personal information out of it would take ages, but you should take time to review it, and make sure everything was created and completed successfully.

You should verify this as well using the steps described here.

Now click Run under Prepare Current Domain, then next.

Prepare Domain

Once that completes, check that it was successful using the steps listed here.

Lync Management Shell

Lastly, I will add my account to the CsAdministrators group, which will allow me access to the Management Console. Open ADUC, go to My Business, SBSUsers, and double-click your account, or the account you want to make admin.

Click the Member Of tab, and then click add. Type in CsAdministrators, and click ok.

CsAdministrators Membership

I then exited the Wizard, with everything complete.

I clicked Install Topology Builder, which is a pre req to deployment.

I re opened the Deployment Wizard, and clicked on Single Server Deployment, to the right.

Single Server Deployment

The first screen gives me a message about SQL Server 2008. I have the default SQL 2005 Express installed. Not being comfortable with SQL Server Management, and having the knowledge that side by side installs of the same project can be tricky (And also that migrating my databases to a different SQL version can be hard), I decide to stop for the night. I will run a full backup, because right now everything is still working correctly. I will also contact Microsoft support chat and read my documentation to see the process for this step- I will get back to you in the morning.

Good morning. I did some research, and Lync Server will install SQL 2008 Express. I do not wish to migrate, so it will be a side by side install. In order for that to work, some workstation components of SQL 2005 Express need to be uninstalled.

Click Programs and Features in the Control Panel. Select SQL 2005 Express and click Change. Select Workstation Components. Uninstall everything that comes up when you get to the component screen. This is removing only the tools, not the database or database server.

SQL 2005 Workstation components Uninstall

Uninstall Success

Now I will pick up the Lync Server 2010 Setup via the Lync Server Deployment Wizard in the Start Menu.

Click on Prepare First Standard Edition Server. Click Next, and let the commands finish.

Single Standard Edition Setup

This step takes some time, over 20 minutes for me.

Install

After some time, the setup completes, with a bright red item.

Setup Failure

Checking the log, I see that SQL Backwards compatibility and Native Client are installed, but not SQL 2008 Express itself. What a pain. I think I will try to install SQL 2008 Manually through its GUI, then if needed, command line.

Navigate to C:\Program Data\Microsoft\Lync Server\4.x.xxxx\ and double-click on SQLEXPR_x64.exe.

That opens up the SQL 2008 setup. I then clicked Hardware and Software Requirements, and Configuration Checker.

SQL 2008

In the tool, I received one warning and passed the rest. Fail.

SQL Install on DC Error

After some reading, Microsoft states:

Installing SQL Server on a Domain Controller
For security reasons, Microsoft recommends that you do not install SQL Server 2008 R2 on a domain controller. SQL Server Setup will not block installation on a computer that is a domain controller, but the following limitations apply:

On Windows Server 2003, SQL Server services can run under a domain account or a local system account.

You cannot run SQL Server services on a domain controller under a local service account or a network service account.

After SQL Server is installed on a computer, you cannot change the computer from a domain member to a domain controller. You must uninstall SQL Server before you change the host computer to a domain controller.

After SQL Server is installed on a computer, you cannot change the computer from a domain controller to a domain member. You must uninstall SQL Server before you change the host computer to a domain member.

SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.

SQL Server Setup cannot create security groups or provision SQL Server service accounts on a read-only domain controller. In this scenario, Setup will fail.

So I think I can get away with it, I just can’t use local accounts. So I will ignore this error, and click New SQL Server…..

New SQL 2008 Install

On the window that appears, click install to install setup support files. It comes back with a few warnings, one for Windows Firewall. I will let you battle this one out yourself, but some information can be found here.

Click Next, and it will ask for a product key- which is greyed out. I have a full version of SQL 2008 Standard, but I want to leave this Express- the less management and install I have with SQL the better, IMHO.

SQL Product Key

Click Next.

Accept the license and click next.

Select all products, leave the directory alone, and click Next.

Select All

Leave it at Named Instance, in this case SQLExpress. You can change this if you want- I do not.

Instance ID I also left alone. For the root directory, I moved it to the D:\ drive and created a new folder called D:\Program Files\SQL 2008 Root Dir\

Only to save space on my C:\ drive.

Instance Configuration

Click Next, and you should get a success message.

Success

Click Next.

Now I am not going to use NT\Authority for SQL Server Database Service Account. This helps with least privilege, separation of duties, plus I do not think you can do the side by side install using NT\Authority.

So create a new user in Users ADUC, and use that account and password to set up this account.

Select that user, and enter the password, then hit Next.

Select Mixed Mode, and enter a strong unique password for sa. Add the SQL administrators using the add button on the bottom. I am the only one, so I clicked Add Current User.

SA

Click Next. Check both Microsoft Reporting boxes (or not, if you wish), and click next. It should complete with 8 Passes, and no errors.

Click Next. Review your settings, and click Install when ready. It will take a while to complete. While the bar progresses, cross your fingers and hope the side by side install of SQL works, and doesn’t bork your system.

Success

Everything succeeded, and you get a reboot message. Now this is a production server, and it is 11 AM on Friday. I can’t reboot, and won’t continue until I do reboot. I’ll be back later tonight, when no one is in the office.

After reboot, everything is up and running just fine. No errors, SQL is automatic and started fine. Now it’s time to resume the Lync install. Double click the Lync Server Deployment Wizard from the Start Menu again.

Click Prepare Single Edition Server. Click Next and it will resume where we left off when it failed the first time. It failed again, this time while trying to create an instance RTC in SQL 2008. So I run this command from the command line:

"C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7457.0\SQLEXPR_x64.exe" /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTC /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic

So I check the event logs, and see that SQL Server Browser did not start, and a new instance could not be created. I go to services, and see that SQL Server Browser for SQLExpress (which is my 2008) is disabled. Enable that by right clicking the service, and selecting properties. Then change start type to automatic, and click ok.

SQL Service

I then realized that I did not have Management Studio Express installed, so I downloaded and installed that from here. I changed the SQL Server Agent Service log on account to the same account I set up for SQL.

Turns out that I can’t install the tools package, some sort of Digital Signature Error, which is going to be a pain. So… I went to Add/Remove Programs, clicked on SQL 2008, clicked Change. Then added new features, blah blah blah. The information on how to do that is here, scroll to the comment at the bottom. Thanks guys.

Another reboot to continue, I am now up to three- not great fun on a production server. So I mucked around and added the SQL2008 account- the account I use to run both the Server Agent and the SQL instance- to some Administrator and SQL Admin roles, to no effect. Every time I tried to run the SQL Server Agent, I got the start stop message and an event id of 103, Service Control. I know that this is a permissions thing, so I change both of the services to Local Account, and now the services start fine- but the installation still fails.

At this point I am finally able to push the Management Console through. Instead of modifying an existing instance, which doesn’t allow you to add tools, I select new instance, then select Management Tools.

Management Tools Install

The install failed, and I am seeing messages for SQLExpress recovery, services will not start still, what the hell. I uninstall all SQL 2008 items, and start over. At this point I spend an additional 6 hours messing around with the innards of Lync and SQL 2008, only to come to the conclusion that I do not have the skill to perform this install. I uninstall everything, back to normal. I am now going to add a Windows Server 2008 R2 member to my domain, and repeat this install there. I will post that when it happens.

Checking the server for errors as is customary every morning, I open up server manager and see a few warnings and a few errors on the server roles.

ADDS Error

Let’s investigate the warning on Active Directory Domain Service (ADDS) first. A quick examination of the event log leads me to event 2886.

Event 2886

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a cleartext (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.

Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.

They further go on to describe the problem in these words:

The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL)LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as Negotiate, Kerberos, NTLM, or Digest.

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on a LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

If you don’t understand these security features and what SASL bind or LDAP simple binds are- then imagine it simply as clients accessing and communicating with the AD using plain English, which anyone could eavesdrop on. You certainly don’t want anyone listening to your AD.

In order to see if your clients are using these communication methods, we need to turn up the logging level for LDAP Interface Events, and then wait to see if we get any error messages. I would suggest monitoring these events for a few days before making changes- blocking these binds will cause a client using them to disconnect, and better to work on that proactively.

Open Regedit (Start>Run>Regedit) and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Registry/Diagnostics

You will see that this key has listed a bunch of diagnostic features, all set to zero. You can enable the logging for each of these events by changing the number to anything up to 5. A list of what each number does can be found here.

Change the value of 16 LDAP Interface Events to 2 by double clicking it and changing 0 to 2, and hitting enter.

Now keep your eye on the Event Log for event ID 2889, which will contain the IP Address of the client connecting with these binds.

Alternately, if you disable these binds, the server will post one log event every 24 hours with ID 2888.

After a few days, or hours, or no time depending upon how patient you are, you may check the Event Log and find these entries, or not. To make things easier you could create a custom log in event viewer, and filter in only event id’s 2886, 2888, and 2889.
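The registry change and event review described above, as a PowerShell script that is an added example and not part of the original post. It assumes PowerShell 2.0 or later on the domain controller, a 7-day review window, and that the first two fields of event 2889 are the client address and the identity used for the bind.

```powershell
# Added example, not from the original post. Run in an elevated session on the DC.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'
$lookBack  = 7    # days of history to review (assumed; pick your own window)

# 1. Raise LDAP interface logging to 2 so each insecure bind is logged as event 2889.
$current = (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName
if ($current -lt 2) {
    Set-ItemProperty -Path $diagKey -Name $valueName -Value 2 -Type DWord
    Write-Host "Raised '$valueName' from $current to 2"
}

# 2. Collect the LDAP signing events the post filters on (2886, 2888, 2889).
#    Get-WinEvent reports an error when nothing matches, so that case is silenced.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2886, 2888, 2889
    StartTime = (Get-Date).AddDays(-$lookBack)
} -ErrorAction SilentlyContinue)

# 3. How many of each event ID were logged in the window.
$events | Group-Object Id | Sort-Object Name | Format-Table Name, Count -AutoSize

# 4. One row per client/identity pair seen in event 2889.
#    Assumption: Properties[0] is "client IP:port" and Properties[1] is the bind identity.
$binds = $events | Where-Object { $_.Id -eq 2889 } | ForEach-Object {
    New-Object PSObject -Property @{
        Client   = ($_.Properties[0].Value -replace ':\d+$', '')   # drop the source port
        Identity = $_.Properties[1].Value
    }
}

if ($binds) {
    # These are the clients that would be cut off once signing is required.
    $binds | Group-Object Client, Identity |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
} else {
    Write-Host "No event 2889 in the last $lookBack days"
}
```

Any client listed in step 4 needs to be reconfigured before the server is set to require signing.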

LDAP Event Log

As you can see, my filter is only finding event id 2886, which is the security for the bind warning. I am not seeing any 2888 or 2889, which would mean that clients were connecting using these binds. So let’s go ahead and correct the security vulnerability- less privilege is more.

To do this, we need to configure the server to REQUIRE LDAP signing. This is done by Group Policy. Microsoft recommends that you make this change in the Default Domain Policy– yet I do not touch that one. So I am going to make a new GPO and link it in the domain, then apply it to all computers. You can make the changes to the Default Domain Policy if you want.

Open up GPMC from Start>All Programs>Administrative Tools>Group Policy Management.

Right click your domain, and click Create a GPO and link it here…

New GPO

Name it something appropriate, like LDAP Signing.

Then open the GPO by right clicking it and selecting Edit. Now drill down to:

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options.

Right-click on Domain Controller: LDAP Server Signing Requirements and select properties.

Check off Define this Policy Setting.

Select Require Signing in the drop-down box.

Require Signing

Click ok and accept the warning. You can follow the link to Microsoft’s KB article describing what is going on.

Basically, older clients might be configured to use these unsigned binds, pretty much pre XP Pro SP2. If all of your clients are updated or using newer Windows versions, you don’t have to worry about configuring them to start signing. If you have older clients, and don’t know how to change them- you might want to leave this setting alone.

This is a good setting to change to lock down your server, and close unnecessary vulnerabilities in the path between client and server. A hacker might be able to intercept an unsigned packet and change it, then forward it to your server. The server would read the packet and execute actions based on the hacker’s unsigned packet.

As always if you break your network, it’s not my fault 🙂

I used to use Register.com as my trusted certificate provider. They issue a certificate which you install on the server. This certificate lets users connecting to remote web workplace know that your server is legitimate, secure, and trustable. Without this certificate, users can sometimes get security warnings that vary by web browser. The IE error looks like this:

SSL Error IE

This is only a warning, and can be disregarded in cases where we know the server is safe. The problem with this is that end-users often do not understand the message, or even do not read it. When they see this page they call support and complain about the internet being broken. Another bad thing about this error page is that to continue on to the site, you need to hit the red button. By design, we associate red with stop, not continue.

It is easy to get a certificate. We turn in some paperwork to a trusted authority, and they send us a certificate, which we then install. Your server, upon creation, generates a private key. This key is what the trusted authority generates your SSL certificate on.

My problem with Register.com is that I reinstalled my server. Even though I have the same exact configuration, my private key was changed. Which means that my SSL was invalid. And Register.com was reluctant to issue me a new key. They had the special of $15 when I first bought it, though it is now $24. You get what you pay for, but in this case the simplest and cheapest is the best. So after shopping around I see Comodo’s Positive SSL, only $9.95.

So go to the Comodo website, and click to purchase a 1-year Positive SSL.
You will notice the address bar, displaying both a green color, https and a locked symbol. This is what we will achieve with the SSL.
Alright, let’s generate our CSR for this website. On your server, open Windows SBS Console. Navigate to Network>Connectivity, and click Add a Trusted Certificate on the left.
SSL Choice

There is a little disclaimer, click next. Select that you wish to buy a certificate from a certificate provider. The other option is for if you already have your certificate, and just need to install it. Click next.

Fill in the correct info in all of the boxes. This is an important step, and wrong information here might very well ruin the validity of an SSL Certificate. Enter all fields correctly, and write it down for later. Remember that the SSL is accompanying your domain name, which is mycompany.mysuffix. Mine is blankhealthcare.org, and my server added the prefix remote for my RWW and remote services. So I will enter remote.blankhealthcare.org in the Issued To: box, because this is the site I am securing. I blanked out the field to preserve confidentiality.
Verify SSL

On the next screen, your CSR is generated. You need to copy all of that information that is in the gray box, including the title "-----BEGIN NEW CERTIFICATE REQUEST-----". Hit the copy button. To be on the safe side, I also save it to a file, and put that file in a safe backup location.
CSR

In the next window, it asks if you have the cert, or will add it later. I just leave this box open. Now go back to the Comodo site and paste your CSR in the box they request it in. Select your software from the drop down box. In the case of SBS 2008 it will most likely be IIS 7.x and greater. Click one year.
I left the first 3 free upgrades in effect, and did not check the last one. No one will be purchasing on my site. Total cost is $9.95, excellent. Hit next.
This next step can be tricky. If you use an external domain to host your website, which then forwards email to your box using MX, the associated email accounts can be tricky. I do a little tricking myself. There is no address admin@mydomain.org, but I’ll create a user really fast. Then I grant myself full access permissions, and have the email sent there. I access it, and then shut down the account. You can have it sent to any of the other addresses in the list, though I would not suggest messing around with any important email accounts such as postmaster, hostmaster, or webmaster.
Fill in your info. I am going to glaze over this part- if you don’t know how to fill in your own company information in a webform, press Ctrl-Alt-Del, select lock workstation, and go home for the afternoon.
Fill in credit info.
Click make payment.

They will confirm, and send out a few emails. One email is important. They mail a validation code to the mailbox you specified during set up. Go to Exchange Management Console. Expand user configuration, mailbox. Right click on the account for Admin (or whichever you specified). Click Full Access Permissions. Add yourself. You must be an Exchange Admin to do this. Now log into OWA, and in the top right corner, click your user name. In the box that appears, enter the name of the account you wish to open. Then read the email.
Copy down the validation code.
 
Click the link to enter the code, and paste it into the box. You will receive a confirmation.
Wait for the email to be sent. It can take a little while to arrive.
 
EDIT: At this point, after I validated I waited for one hour. I know the process takes a while, but I was eager to apply the certificate. So I entered a live chat on the Comodo website. After being transferred to a tech named “Jake”, he stopped responding. I gave him 8 minutes to reply to my question, before I hung up and emailed EVValidation. They received my ticket at 12PM….
 
Go back to the Add a Trusted Certificate Wizard, and click next. You will see boxes to enter your certificate information.
Import Certificate
 
I open the email from Comodo that states my cert is attached, and save the zip file to my desktop. I then extract the folder to my desktop. Again, I blanked out my external domain name. The files inside of the zip are here:
Certificate Files

I then follow a link in my email, to make sure I am adding these correctly. I am not sure which cert is which, so I’ll read up. The how to is here.
So I open IIS 7, click Server Certificates, and browse to my new files on the desktop. They are not in .cer format, so the wizard does not see them.
Wait a minute…. forget Comodo’s how to guide. Let’s go back to the Add a Trusted Certificate Wizard from the SBS console. Select Locate file. Click on the correct cert. This cert will be your domain name .crt. Mine is remote_blankhealthcare_org.crt.
Click that file, click next, and watch the wizard complete. Alternately you can copy the certificate text from the end of the email, and place it into the box provided instead of choosing the file.
Add Completion

When you head back to the connectivity tab of the SBS console, you will now see your certificate status as trusted- that means it is working correctly. There are 3 other certificates included in the zip file, let’s add those now. To do this, click Start>Run. Type mmc.exe. When the MMC opens up, click File, Add/Remove snap-in.
Select Certificates, click add.
Click Computer account and Finish.
Click ok.
Expand Certificates.
Right click Intermediate Certificates, and select All Tasks>Import.
You will now select and import two of the certificates in the zip file, the ones titled:
  • Intermediate CA Certificate – UTNAddTrustServerCA.crt
  • Intermediate CA Certificate – PositiveSSLCA.crt

Once selected, hit Next until the wizard finishes; you shouldn’t have to change anything.

You will also import your Root CA certificate, but instead of into Intermediate Certificates, import this one into Trusted Root Certification Authorities.

Now reset IIS and let’s check it. Start>Run>type in iisreset. Now navigate to your site. Once on the site, click the lock next to the address bar. Click view certificate. The certificate should be listed as issued by Comodo and should be named PositiveSSL.
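A server-side check for the imports above, added here as an example and not part of the original post: it confirms the site certificate has its private key and reports, for each certificate in its chain, whether it sits in the store this post imported it into. The host name is the one used in this post; the store mapping (site certificate in Personal, self-signed certificate in Trusted Root, everything between in Intermediate) is an assumption of the example.

```powershell
# Added example, not from the original post. Run on the server after the imports and iisreset.
$hostName = 'remote.blankhealthcare.org'   # the "Issued To" name used in this post

# Newest unexpired certificate for the host in the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $hostName in LocalMachine\My" }

# IIS can only serve the certificate if its private key is on this machine.
# A reinstall that regenerates the key leaves the old certificate unusable.
"Private key present: $($cert.HasPrivateKey)"

# Build the chain in machine context. Revocation checking is switched off so the
# result reflects only what is installed and trusted locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain builds to a trusted root: $trusted"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

# Check each chain element against the store it was imported into:
#   index 0      -> Personal (My)
#   self-signed  -> Trusted Root Certification Authorities (Root)
#   anything else -> Intermediate Certification Authorities (CA)
$elements = @($chain.ChainElements)
$report = for ($i = 0; $i -lt $elements.Count; $i++) {
    $c = $elements[$i].Certificate
    if     ($i -eq 0)                 { $store = 'My' }
    elseif ($c.Subject -eq $c.Issuer) { $store = 'Root' }
    else                              { $store = 'CA' }

    New-Object PSObject -Property @{
        Name          = $c.GetNameInfo('SimpleName', $false)
        ExpectedStore = $store
        Installed     = Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)"
        Expires       = $c.NotAfter
    }
}
$report | Select-Object Name, ExpectedStore, Installed, Expires | Format-Table -AutoSize
```

A row with Installed = False points at a certificate from the zip file that was imported into the wrong store or not imported at all.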

    Browser Certificate

    You're done!

    Now Comodo offers some other stuff with the certificate for free. Let's set that up quickly, and also back up our certs and private keys so that if we crash we can reset this.

    You can sign up for HackerProof on the site linked in your email. I will opt to not sign up, as it seems to be a PC scan. I do not want a web service scanning my server, which already has antivirus anyhow.

    Let's back up our private key, then our certificates. To back up your certificates, I suggest adding them to a zip file, encrypting that zip file, then placing it on an encrypted and secure drive, preferably offsite.

    To export your private key, go to the Certificates MMC. Drill down to the certificate you just installed. Right click and select Export. Include the private key and anything else you wish. Password protect it, and save it in a secure location.

    You can insert the SSL Site Seal into your web site if you wish. I added mine to my background image, and disabled the link.

    EDIT: The SSL package that we just installed is PositiveSSL, which is the basic package for an SSL certificate. Included in the $9.95 purchase is the EVSSL, Extended Validation. This must be completed by printing the two forms in the email. You must sign and enter your incorporation data, then fax them to Comodo. They will then validate your company, and issue you another, more secure SSL, which can be installed the same way. This will give you the green security bar and lock icon.

    I was bored at home, and sick and tired of my Windows 7 computer not working the way I want it to, so I decided to give Ubuntu a test drive, and see how I like working on Linux rather than Windows. I will use this experience to dictate my next OS, as I have a major PC upgrade coming. Anyhow, the install is easy, and went very quickly.

    First, install VirtualBox on Windows 7. There are other virtualization programs; this is the one I chose. It can be downloaded here.

    Run the .exe, install it as you would anything. While this is happening, go and download the version of Ubuntu you want, with 10.10 Maverick being the latest. It can be found here.

    Once the install is finished, go ahead and run VirtualBox.

    VirtualBox

    This is what the program looks like, though you won't see Ubuntu running just yet.

    To begin, you need to create a new Virtual Disk. Click New, then click next.

    Enter a name for your OS, I named mine… Ubuntu 10.10. I know, original.

    Then I selected Linux as the OS and Ubuntu as the version.

    Click next again. This is the memory allotment page. You can leave it at the default, or change it depending upon your system. I increased mine to 1024 MB, which enables the system to run a bit better.

    RAM Config

    Click next. Select Boot Hard Disk, and then create new hard disk. You can obviously change this if you have one already. Click next. Click next on the new wizard that appears.

    Select whether you want dynamic or static sized storage. This depends upon your needs and the size of your current HDDs. Since I am only evaluating Ubuntu, I chose Fixed-size storage. On the next page I named the virtual disk, in this case Ubuntu. I set the file location to a large open HDD, and then moved the slider up to 30 GB, which will be the maximum size of the virtual disk that Linux will be installed on.

    Drive Size

    Click Finish, then Finish again. Let it build the virtual disk; this takes roughly 15 minutes for 30 GB.

    Now you will see your disk listed in the VirtualBox Console.

    Right click it and click settings.

    Change the boot order to CDRom then HDD. Change the processor settings if you wish, under System.

    Then click Start.

    Click on Devices, and then select CD/DVD Rom, then select more CD images. Click Add, then navigate to the Ubuntu iso that you downloaded, and select that.

    ISO Selection

    Now proceed with the Ubuntu install as normal.

    I will stop here, as configuring Ubuntu is another topic altogether. A really great how-to guide can be found here and here.
