Nathaniel Schumacher
Server Integration
Paul Burkholder
Lab 4 Report
3-09-09

Reflection:

Never found out what was wrong with our DNS then. Finally got it working after switching to a different win2k3 server and changing the DNS entries in Fedora to reflect the change. During this lab I was attempting to get a few services in Ubuntu to autostart with the system. The chkconfig command is for Fedora and sysv-rc-conf is for Debian systems; it took a little bit to figure that out. I'm also not 100% sure about our CA setup. We have IIS running on all of our win2k3 servers to push out the certificate that way (according to the lab 7 instructions you gave us). We probably should have just installed IIS on the root CA and had the clients download the CA from there, but time did not permit us to play with this any further. IIS was simple to set up once the certificates were working to a point.

Procedure:

We mainly followed this procedure when setting up the Fedora machine: http://fedorasolved.org/server-solutions/lamp-stack. We installed Apache on the web server with yum install httpd. To get the service to start automatically at boot we then used the chkconfig utility: chkconfig httpd on. After clearing out the firewall table we had connectivity via the Fedora machine's IP address. Then, to get DNS set up so that apache.group3.com resolves, we added a CNAME entry in Fedora's DNS:

apache. IN CNAME group3-Fedora10.

After restarting the named service we were able to go directly to apache.group3.com. To join our Server 2003 boxes to the domain we had to enter the following DNS entries:
_ldap._tcp.group3.com.               IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._tcp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_ldap._tcp.dc._msdcs.group3.com.     IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._udp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_kerberos._tcp.dc._msdcs.group3.com. IN SRV 0 0 88   Win2k3.group3.com.
_kpasswd._tcp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_kpasswd._udp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_ldap._tcp.gc._msdcs.group3.com.     IN SRV 0 0 3268 Win2k3.group3.com.
_gc._tcp.group3.com.                 IN SRV 0 0 3268 Win2k3.group3.com.
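A domain join that fails because one of these SRV records is missing or points at the wrong port gives very little to go on, so it is worth checking the zone file before trying the join. The following shell script is an added example, not part of the lab report: it writes two constructed zone fragments (one with all nine records from the list above, one with the _kpasswd._udp record removed) and a function that reports which required records a zone lacks. The domain name group3.com and the DC name Win2k3.group3.com are taken from the report; everything else in the script is assumed.

```shell
#!/bin/sh
# Added example (not from the lab report): check a BIND zone file for the SRV
# records a Windows 2003 domain join needs. Zone fragments below are constructed
# sample data mirroring the report's entries.

# Full fragment: the nine SRV records from the report, one per line.
ZONE_FULL=$(mktemp)
cat > "$ZONE_FULL" <<'EOF'
_ldap._tcp.group3.com.               IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._tcp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_ldap._tcp.dc._msdcs.group3.com.     IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._udp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_kerberos._tcp.dc._msdcs.group3.com. IN SRV 0 0 88   Win2k3.group3.com.
_kpasswd._tcp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_kpasswd._udp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_ldap._tcp.gc._msdcs.group3.com.     IN SRV 0 0 3268 Win2k3.group3.com.
_gc._tcp.group3.com.                 IN SRV 0 0 3268 Win2k3.group3.com.
EOF

# Partial fragment: the same file with the _kpasswd._udp record left out,
# the kind of gap that makes a join fail with an unhelpful error.
ZONE_PARTIAL=$(mktemp)
grep -v '^_kpasswd\._udp' "$ZONE_FULL" > "$ZONE_PARTIAL"
trap 'rm -f "$ZONE_FULL" "$ZONE_PARTIAL"' EXIT

# missing_ad_srv ZONEFILE DOMAIN DC_HOST
# Prints the owner name of every required SRV record that is absent, or that
# is present but with the wrong port or target. Returns 0 when none are missing.
missing_ad_srv() {
    zone=$1 domain=$2 dc=$3
    missing=0
    # Service prefix and the port the report assigns to it.
    for rec in _ldap._tcp:389 _kerberos._tcp:88 _ldap._tcp.dc._msdcs:389 \
               _kerberos._udp:88 _kerberos._tcp.dc._msdcs:88 _kpasswd._tcp:464 \
               _kpasswd._udp:464 _ldap._tcp.gc._msdcs:3268 _gc._tcp:3268; do
        name="${rec%%:*}.$domain."
        port=${rec##*:}
        # awk normalizes whitespace; fields are owner, class, type, prio, weight, port, target.
        if ! awk -v n="$name" -v p="$port" -v t="$dc." \
                 'toupper($2)=="IN" && toupper($3)=="SRV" && $1==n && $6==p && $7==t { found=1 }
                  END { exit !found }' "$zone"; then
            echo "$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

missing_ad_srv "$ZONE_FULL" group3.com Win2k3.group3.com && echo "full zone: all SRV records present"
missing_ad_srv "$ZONE_PARTIAL" group3.com Win2k3.group3.com || echo "partial zone: records listed above are missing"
```

Run it as-is to see both outcomes; point `missing_ad_srv` at the real zone file and DC name to check a live setup. The same records can be checked from a client after `named` restarts with `nslookup -type=SRV _ldap._tcp.dc._msdcs.group3.com.`, which is what the join process itself looks up first.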

After the PCs were finally joined (with dcpromo) we continued with the CA install. Next, to set up IIS and our CAs we had to:

– Go into the Control Panel
  ○ Add/Remove Windows Components
  ○ Under Application Server
    ▪ Select IIS and then continue into Details
    ▪ Under WWW Service, select Active Server Pages
  ○ Select Certificate Services
    ▪ Now the CA wizard starts up
    ▪ Selected Enterprise root CA
    ▪ Use custom settings, Next
    ▪ Key length changed to 4096
    ▪ Used EntRoot1 for the common name, Next
    ▪ This was set up similarly for the subordinate CAs
      • We used EntSub1, 2, 3, 4 (for the common name field)
      • For the CA Certificate Request form we pointed to the win2k3-3 server (which is our Root CA), with a common name of EntRoot1

After the CAs and IIS were set up on all our win2k3 servers we then distributed the key.

– On the Root CA
  ○ we launched a browser and entered http://<subordinate's ip address>/certsrv
  ○ that brought the certification renewal form up
  ○ clicked on Request a certificate
  ○ clicked Advanced
  ○ clicked submit a server request using a base-64-encoded
  ○ pasted the certificate that was located in the root CA's C:--.txt file
  ○ and submitted
  ○ a screen returns stating that the request was successful
– Did this for each subordinate from the root CA

To set up IIS with SSL certificate authentication:

– From the IIS manager console on the root CA
  ○ got Properties on the Default Web Site
  ○ Directory Security tab
    ▪ Clicked Server Certificate
      • Wizard pops up
      • Create a New Certificate
      • Send the request immediately to an online CA
– We now have an https connection to our root CA through the subordinate CAs
  ○ https://10.10.3.153
– To change the DNS entries to correctly go to intranet.group3.com
  ○ On Fedora we added a CNAME
    ▪ intranet. IN CNAME win2k3-3.
    ▪ restart named
– Can now be accessed via https://intranet.group3.com
  ○ It comes to a login prompt and only the domain admin account we have could be accessed
    ▪ administrator, pass: win2k3-3
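The certsrv and IIS steps above produce a two-tier hierarchy: a self-signed root (EntRoot1), subordinate CAs whose certificates the root signs, and a server certificate for the IIS site issued by a subordinate. The script below is an added example, not from the report or from the Windows tooling it describes: it builds the same three-step hierarchy with OpenSSL and then checks what a client needs in order to validate the https connection. The CA names and the hostname intranet.group3.com come from the report; key sizes other than the root's 4096 bits, lifetimes, the extension profiles and the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab report): reproduce the root -> subordinate ->
# server certificate chain from the procedure with OpenSSL and verify it the way
# a client would. Names follow the report; key sizes, lifetimes and extension
# profiles are assumed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_ca_chain DIR: creates root.crt, sub.crt and server.crt (plus keys) in DIR.
build_ca_chain() {
    dir=$1

    # Extension profiles as plain key=value files for `openssl x509 -extfile`.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.group3.com\n' > "$dir/server.ext"

    # Root CA: 4096-bit key as chosen in the wizard, self-signed with CA extensions.
    openssl req -new -newkey rsa:4096 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=EntRoot1" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 \
        -days 3650 -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    # Subordinate CA: its request is signed by the root, which is what pasting the
    # subordinate's base-64 request into the root's certsrv form accomplishes.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/sub.key" \
        -out "$dir/sub.csr" -subj "/CN=EntSub1" 2>/dev/null
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/ca.ext" -out "$dir/sub.crt" 2>/dev/null

    # Server certificate for the IIS site, issued by the subordinate (the
    # "send the request immediately to an online CA" step of the IIS wizard).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=intranet.group3.com" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_server DIR [with-sub]: returns 0 when server.crt chains to the root.
# With "with-sub" the subordinate certificate is supplied as the intermediate;
# without it the client holds only the root, which is the situation when the
# subordinate CA certificate was never distributed.
verify_server() {
    dir=$1
    if [ "$2" = "with-sub" ]; then
        openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/sub.crt" \
            -verify_hostname intranet.group3.com "$dir/server.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" >/dev/null 2>&1
    fi
}

# cert_issuer FILE: prints the issuer DN of a certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

build_ca_chain "$WORK"
echo "server certificate issued by: $(cert_issuer "$WORK/server.crt")"
echo "subordinate issued by:        $(cert_issuer "$WORK/sub.crt")"
verify_server "$WORK" with-sub && echo "root + subordinate: chain verifies for intranet.group3.com"
verify_server "$WORK" || echo "root alone: verification fails, the subordinate certificate is missing"
```

The second verification is the instructive one: trusting EntRoot1 alone is not enough for a browser to accept the IIS certificate, because the server's issuer is EntSub1. Either the web server must send the subordinate certificate along with its own, or the clients must receive it through the same distribution step the report uses for the root, which is why that step exists.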