Migrate and/or replace old cert server?
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?
Maybe I've lost my mind but... what is an "AD Account Certificate"?
You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.
The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).
Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.
Your guess is as good as mine, lol. I know it's not a good business practice, but "bad business practices" at my company are kinda like cereal and milk; they have always gone together for as long as I've known. Here's a great example reference: We have two main datacenters, which my boss refers to as "the cold room" (LOL). One of the datacenters is shared with a janitor's closet, and there's no lock on the door! Yep, literally hundreds of thousands of dollars worth of equipment that anyone in the entire building could access without restriction (one of the big dollar items in this "cold room" is an EMC SAN!!). Despite the fact that I've told my boss and upper management that this is crazy, they have done nothing to change it. Another example: The datacenter at one of our other sites has a crazy ghetto "cooling system" (if that's what you wanna call it). Prior to getting an air conditioner installed in this server room, the way they used to cool it was to open the server room door and put several floor fans in there blowing the hot air out (and that's STILL what they do when the air conditioner dies!) - and this "cold room" also has an EMC SAN!!! O_o
-
@Shuey and then there is the other issue... why is there a SAN?
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.
Which certificates would those be?
When I look at the Certification Authority console on the server, and I look at "issued certificates", I see line items like this:
"Request ID", "Requester Name", "Certificate Template", "Certificate Effective Date", "Certificate Expiration Date", etc, and I see a bunch of workstations listed.
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey and then there is the other issue... why is there a SAN?
For our PACS vendor and their equipment.
-
@Shuey said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey and then there is the other issue... why is there a SAN?
For our PACS vendor and their equipment.
That alone wouldn't qualify as a reason.
SANs don't provide speed, safety, ease of use or anything like that. So there is no common use case why any application would be supported by a SAN.
-
@Shuey said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.
Which certificates would those be?
When I look at the Certification Authority console on the server, and I look at "issued certificates", I see line items like this:
"Request ID", "Requester Name", "Certificate Template", "Certificate Effective Date", "Certificate Expiration Date", etc, and I see a bunch of workstations listed.
I wonder if you just shut it off if anything bad happens.
-
@scottalanmiller said in
I wonder if you just shut it off if anything bad happens.
It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.
-
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in
I wonder if you just shut it off if anything bad happens.
It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.
There is no service associated with it? How does that work?
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey and then there is the other issue... why is there a SAN?
For our PACS vendor and their equipment.
That alone wouldn't qualify as a reason.
It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).
-
@Shuey said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey and then there is the other issue... why is there a SAN?
For our PACS vendor and their equipment.
That alone wouldn't qualify as a reason.
It doesn't appear that the cert services role on this server is communicating at all with our PACS servers (which we have no access rights to - our vendor only has access).
That was a disconnected thought
-
I am using AD cert services for RADIUS authentication of wireless client devices and users.
-
@wrx7m said in Migrate and/or replace old cert server?:
I am using AD cert services for RADIUS authentication of wireless client devices and users.
Yeah, that's more of where I think of it being used.
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).
Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.
I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they had gone virtualized back then, they might be on different OSEs.
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
From what I understand (which is not much, lol), this server is what every workstation and user account on the domain gets its certificate from.
Which certificates would those be?
Where does this understanding come from? Is that documented by your predecessor somewhere?
-
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?
Maybe I've lost my mind but... what is an "AD Account Certificate"?
You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.
The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.
While I haven't seen it, I've read about it in NPS (Network Policy Server) setups. The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.
-
@scottalanmiller said in Migrate and/or replace old cert server?:
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in
I wonder if you just shut it off if anything bad happens.
It doesn't really work like that. Since he has only one server and it's not a service to be shut down, you can't really do that.
There is no service associated with it? How does that work?
When did he say there was no service associated with it?
-
@Dashrender said in Migrate and/or replace old cert server?:
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?
Maybe I've lost my mind but... what is an "AD Account Certificate"?
You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.
The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.
While I haven't seen it, I've read about it in NPS (Network Policy Server) setups. The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.
@wrx7m said in Migrate and/or replace old cert server?:
I am using AD cert services for RADIUS authentication of wireless client devices and users.
This makes more sense now! They USED to do RADIUS authentication, as well as wireless authentication via the cert server. Since we no longer use either, it sounds like I might be safe to completely skip this project altogether, and move on to the SharePoint project. What do you guys think?
-
@Dashrender said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).
Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.
I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they had gone virtualized back then, they might be on different OSEs.
Right.... so assuming one bad decision leading to another.
-
@Shuey said in Migrate and/or replace old cert server?:
@Dashrender said in Migrate and/or replace old cert server?:
@Mike-Davis said in Migrate and/or replace old cert server?:
@scottalanmiller said in Migrate and/or replace old cert server?:
@Shuey said in Migrate and/or replace old cert server?:
Is it common for every business/company that has a domain network to have a cert server for issuing/updating all of the AD account certificates?
Maybe I've lost my mind but... what is an "AD Account Certificate"?
You can integrate AD with certificate services so that the workstations use the certs for communication. I've never seen it done.
The only time I have used certificate services is to generate certificates for securing communication between Wireless APs and company owned devices.
While I haven't seen it, I've read about it in NPS (Network Policy Server) setups. The machine comes on the network, checks in with the NPS, and the NPS determines what VLAN it should be on, etc, etc.
@wrx7m said in Migrate and/or replace old cert server?:
I am using AD cert services for RADIUS authentication of wireless client devices and users.
This makes more sense now! They USED to do RADIUS authentication, as well as wireless authentication via the cert server. Since we no longer use either, it sounds like I might be safe to completely skip this project altogether, and move on to the SharePoint project. What do you guys think?
Very likely. Honestly, kill the service on a Friday night, test some things on Sunday. See if on Monday morning anyone notices anything. Give it a month or two before you remove it completely. Just leave it shut down to see if anything breaks.
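A concrete version of the "is this CA still used?" check from the issued-certificates discussion and the reversible shutdown suggested above, as an added example that is not code from the thread or any of its posters. It assumes it is run elevated on the CA host itself, that the service is the standard AD CS service name CertSvc, and a 90-day look-back window that is an assumed value.

```powershell
<#
  Added example (not from the thread): before killing an AD CS issuing CA,
  measure whether anything still enrolls from it, then stop the service in a
  reversible way rather than removing the role. Run elevated on the CA itself.
  $LookbackDays is an assumed value; adjust to the observation window you want.
#>
param(
    [int]$LookbackDays = 90,   # assumed window for "recently issued"
    [switch]$StopService       # only stop/disable CertSvc when explicitly asked
)

# Only proceed on a host that actually has the CA service installed.
$svc = Get-Service -Name CertSvc -ErrorAction Stop
Write-Host "CertSvc status: $($svc.Status), start type: $($svc.StartType)"

# 1. Templates this CA is configured to issue. A RADIUS/EAP-TLS deployment
#    typically shows workstation and RAS/IAS server style templates here.
Write-Host "`nTemplates published on this CA:"
certutil -CATemplates

# 2. Certificates issued within the look-back window. Disposition=20 restricts
#    the CA database view to issued certs; the -out columns are the same fields
#    the Certification Authority console shows under "Issued Certificates".
$since = (Get-Date).AddDays(-$LookbackDays).ToString('MM/dd/yyyy')
$csv = certutil -view csv -restrict "Disposition=20,NotBefore>=$since" `
           -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter"
# certutil appends a "CertUtil: ... completed successfully." status line; drop it.
$rows = $csv | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv

if (-not $rows) {
    Write-Host "`nNo certificates issued in the last $LookbackDays days."
} else {
    # certutil labels the CSV columns with display names, so locate the
    # template column by name instead of hard-coding it.
    $tplCol = ($rows | Get-Member -MemberType NoteProperty |
               Where-Object Name -like '*Template*' | Select-Object -First 1).Name
    Write-Host "`nIssued in the last $LookbackDays days, by template:"
    $rows | Group-Object $tplCol | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

# 3. Reversible shutdown: stop and disable the service but keep the role and
#    its database, so it can be started again if something depends on it.
if ($StopService) {
    Stop-Service -Name CertSvc
    Set-Service  -Name CertSvc -StartupType Disabled
    Get-Service  -Name CertSvc | Select-Object Name, Status, StartType
}
```

Run it without -StopService first to see the inventory. Once the service is stopped the CA's published CRL is no longer renewed, so anything still checking revocation against this CA fails when that CRL expires; that is the kind of hidden dependency the observation window is meant to surface.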