
    Migrate and/or replace old cert server?

      scottalanmiller @Mike Davis

      @Mike-Davis said in Migrate and/or replace old cert server?:

      @scottalanmiller said in

      I wonder if you just shut it off if anything bad happens.

      It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.

      There is no service associated with it? How does that work?

        Shuey @scottalanmiller

        @scottalanmiller said in Migrate and/or replace old cert server?:

        @Shuey said in Migrate and/or replace old cert server?:

        @scottalanmiller said in Migrate and/or replace old cert server?:

        @Shuey and then there is the other issue... why is there a SAN?

        For our PACS vendor and their equipment.

        That alone wouldn't qualify as a reason.

        It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).

          scottalanmiller @Shuey

          @Shuey said in Migrate and/or replace old cert server?:

          @scottalanmiller said in Migrate and/or replace old cert server?:

          @Shuey said in Migrate and/or replace old cert server?:

          @scottalanmiller said in Migrate and/or replace old cert server?:

          @Shuey and then there is the other issue... why is there a SAN?

          For our PACS vendor and their equipment.

          That alone wouldn't qualify as a reason.

          It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).

          That was a disconnected thought 🙂

            wrx7m

            I am using AD cert services for RADIUS authentication of wireless client devices and users.

              scottalanmiller @wrx7m

              @wrx7m said in Migrate and/or replace old cert server?:

              I am using AD cert services for RADIUS authentication of wireless client devices and users.

              Yeah, that's more of where I think of it being used.

                Dashrender @scottalanmiller

                @scottalanmiller said in Migrate and/or replace old cert server?:

                @Shuey said in Migrate and/or replace old cert server?:

                First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

                Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

                I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

                  Dashrender @scottalanmiller

                  @scottalanmiller said in Migrate and/or replace old cert server?:

                  @Shuey said in Migrate and/or replace old cert server?:

                  From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.

                  Which certificates would those be?

                  Where does this understanding come from? Is that documented by your predecessor somewhere?

                    Dashrender @Mike Davis

                    @Mike-Davis said in Migrate and/or replace old cert server?:

                    @scottalanmiller said in Migrate and/or replace old cert server?:

                    @Shuey said in Migrate and/or replace old cert server?:

                    Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                    Maybe I've lost my mind but... what is an "AD Account Certificate"?

                    You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                    The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                    While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                      Dashrender @scottalanmiller

                      @scottalanmiller said in Migrate and/or replace old cert server?:

                      @Mike-Davis said in Migrate and/or replace old cert server?:

                      @scottalanmiller said in

                      I wonder if you just shut it off if anything bad happens.

                      It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.

                      There is no service associated with it? How does that work?

                      When did he say there was no service associated with it?

                        Shuey @Dashrender

                        @Dashrender said in Migrate and/or replace old cert server?:

                        @Mike-Davis said in Migrate and/or replace old cert server?:

                        @scottalanmiller said in Migrate and/or replace old cert server?:

                        @Shuey said in Migrate and/or replace old cert server?:

                        Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                        Maybe I've lost my mind but... what is an "AD Account Certificate"?

                        You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                        The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                        While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                        @wrx7m said in Migrate and/or replace old cert server?:

                        I am using AD cert services for RADIUS authentication of wireless client devices and users.

                        This makes more sense now! They USED to do radius authentication, as well as wireless authentication via the cert server. Since we no longer use either, it sounds like I might be safe to completely skip this project altogether, and move on to the SharePoint project. What do you guys think?

                          scottalanmiller @Dashrender

                          @Dashrender said in Migrate and/or replace old cert server?:

                          @scottalanmiller said in Migrate and/or replace old cert server?:

                          @Shuey said in Migrate and/or replace old cert server?:

                          First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

                          Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

                          I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

                          Right.... so assuming one bad decision leading to another.

                            scottalanmiller @Shuey

                            @Shuey said in Migrate and/or replace old cert server?:

                            @Dashrender said in Migrate and/or replace old cert server?:

                            @Mike-Davis said in Migrate and/or replace old cert server?:

                            @scottalanmiller said in Migrate and/or replace old cert server?:

                            @Shuey said in Migrate and/or replace old cert server?:

                            Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                            Maybe I've lost my mind but... what is an "AD Account Certificate"?

                            You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                            The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                            While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                            @wrx7m said in Migrate and/or replace old cert server?:

                            I am using AD cert services for RADIUS authentication of wireless client devices and users.

                            This makes more sense now! They USED to do radius authentication, as well as wireless authentication via the cert server. Since we no longer use either, it sounds like I might be safe to completely skip this project altogether, and move on to the SharePoint project. What do you guys think?

                            Very likely. Honestly, kill the service on a Friday night, test some things on Sunday. See if on Monday morning anyone notices anything. Give it a month or two before you remove it completely. Just leave it shut down to see if anything breaks.

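An added example, not part of any post in this thread: before shutting the CA down for the trial period suggested above, it helps to list which issued certificates are still valid and would outlive that period, since those are the ones something may still depend on. The CSV layout, host names and dates below are constructed for illustration and are not the output format of any particular CA tool.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data. The column names are assumptions for this example,
# not the output format of any particular CA tool.
SAMPLE_EXPORT = r"""request_id,requester,common_name,template,not_after,revoked
101,CORP\WS-014$,ws-014.corp.example,Machine,2016-03-01,no
102,CORP\NPS01$,nps01.corp.example,RASAndIASServer,2017-02-10,no
103,CORP\jdoe,jdoe,User,2017-09-30,yes
104,CORP\SP01$,sharepoint.corp.example,WebServer,2018-05-20,no
105,CORP\WS-022$,ws-022.corp.example,Machine,2017-06-15,no
"""


def load_issued(text):
    """Parse the export into dicts with a real date and a boolean revoked flag."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["not_after"] = date.fromisoformat(row["not_after"])
        row["revoked"] = row["revoked"].strip().lower() == "yes"
        rows.append(row)
    return rows


def retirement_report(rows, as_of, observe_days=60):
    """Classify still-valid certificates against the shutdown observation window.

    expires_in_window: lapses on its own before the CA would be removed.
    outlives_window:   still valid after removal; find its owner first.
    """
    cutoff = as_of + timedelta(days=observe_days)
    report = defaultdict(lambda: {"expires_in_window": [], "outlives_window": []})
    for row in rows:
        if row["revoked"] or row["not_after"] <= as_of:
            continue  # expired or revoked: nothing should depend on it
        bucket = "outlives_window" if row["not_after"] > cutoff else "expires_in_window"
        report[row["template"]][bucket].append(row["common_name"])
    return dict(report)


def blockers(report):
    """Templates that still have certificates valid past the window."""
    return sorted(t for t, b in report.items() if b["outlives_window"])


if __name__ == "__main__":
    # as_of is a constructed date standing in for the night the CA is stopped.
    rpt = retirement_report(load_issued(SAMPLE_EXPORT), as_of=date(2017, 1, 6))
    for template, buckets in sorted(rpt.items()):
        print(template, buckets)
    print("Investigate before removing the CA:", blockers(rpt))
```
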
                              scottalanmiller @Dashrender

                              @Dashrender said in Migrate and/or replace old cert server?:

                              @Mike-Davis said in Migrate and/or replace old cert server?:

                              @scottalanmiller said in Migrate and/or replace old cert server?:

                              @Shuey said in Migrate and/or replace old cert server?:

                              Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                              Maybe I've lost my mind but... what is an "AD Account Certificate"?

                              You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                              The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                              While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                              And uses certs for that?

                                Dashrender @Shuey

                                @Shuey said in Migrate and/or replace old cert server?:

                                @Dashrender said in Migrate and/or replace old cert server?:

                                @Mike-Davis said in Migrate and/or replace old cert server?:

                                @scottalanmiller said in Migrate and/or replace old cert server?:

                                @Shuey said in Migrate and/or replace old cert server?:

                                Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                                Maybe I've lost my mind but... what is an "AD Account Certificate"?

                                You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                                The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                                While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                                @wrx7m said in Migrate and/or replace old cert server?:

                                I am using AD cert services for RADIUS authentication of wireless client devices and users.

                                This makes more sense now! They USED to do radius authentication, as well as wireless authentication via the cert server. Since we no longer use either, it sounds like I might be safe to completely skip this project altogether, and move on to the SharePoint project. What do you guys think?

                                Now you need to see what certs you're using for SharePoint. If you're using a public cert, then it sounds like you're right.

                                What did you replace your Wireless RADIUS setup with?

                                  Mike Davis @Dashrender

                                  @Dashrender said in Migrate and/or replace old cert server?:

                                  When did he say there was no service associated with it?

                                  I think that was from me saying there wasn't a service that you could shut down. I meant under Windows services, there isn't one for certificate services that you can stop.

                                    scottalanmiller @Mike Davis

                                    @Mike-Davis said in Migrate and/or replace old cert server?:

                                    @scottalanmiller said in

                                    I wonder if you just shut it off if anything bad happens.

                                    It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.

                                    @Dashrender from here ^^^^

                                      Mike Davis @scottalanmiller

                                      @scottalanmiller said in Migrate and/or replace old cert server?:

                                      And uses certs for that?

                                      Yes. I've done it that way.

                                        Dashrender @scottalanmiller

                                        @scottalanmiller said in Migrate and/or replace old cert server?:

                                        @Dashrender said in Migrate and/or replace old cert server?:

                                        @scottalanmiller said in Migrate and/or replace old cert server?:

                                        @Shuey said in Migrate and/or replace old cert server?:

                                        First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

                                        Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

                                        I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

                                        Right.... so assuming one bad decision leading to another.

                                        I know you've been using virtualization since the day VMware rolled out their first internal only beta (yes I'm kidding), but I don't feel that the SMB really started using virtualization until 2010 or later. It's likely whoever set up this server was unfamiliar with virtualization and they were working with what they knew.

                                        I guess you could say that the bad decision was that the business had a one man/very small IT internal staff. If they had a good MSP or consulting business partner, they might have gone another route.

                                          Dashrender @scottalanmiller

                                          @scottalanmiller said in Migrate and/or replace old cert server?:

                                          @Dashrender said in Migrate and/or replace old cert server?:

                                          @Mike-Davis said in Migrate and/or replace old cert server?:

                                          @scottalanmiller said in Migrate and/or replace old cert server?:

                                          @Shuey said in Migrate and/or replace old cert server?:

                                          Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?

                                          Maybe I've lost my mind but... what is an "AD Account Certificate"?

                                          You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.

                                          The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.

                                          While I haven't seen it, I've read about it in NPS (Network Policy Server setups). The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.

                                          And uses certs for that?

                                          Yep, at least that's my understanding. It uses certs to assert who the machines are. Anyone without a cert is automatically assumed a guest and put on the appropriate network.

                                            scottalanmiller @Dashrender

                                            @Dashrender said in Migrate and/or replace old cert server?:

                                            I know you've been using virtualization since the day VMware rolled out their first internal only beta (yes I'm kidding),

                                            Yeah, I've been using it since the 1980s.
