Replacing McAfee ePO server certificates

After web searching and trial and error I have found the way to replace the default web certificate on ePO 4.5 using a Microsoft CA. The process is pretty straightforward as long as each step is taken in turn.

• At various points you will be asked for the password for the private key; ensure you write it down.
• Ensure that the CA is trusted by your Enterprise CA and is added in the Trusted Root Certification Authorities list.

1. Install OpenSSL on the machine on which you are going to create the certificates. I used a Windows 7 terminal as it had access to both the ePO and Certificate Authority web pages.

2. Create a folder labelled “Certs” on your C:\. This is to keep all files together.

3. Open an administrative command prompt (right click, run as) and change to the OpenSSL directory. By default this is C:\Openssl-win32\bin.

4. Enter the following command to create a new Private Key (note, type directly as I found cutting and pasting caused problems):

openssl genrsa -des3 -out "c:\certs\mcafee.key" 2048

5. Enter the following command to export the private key from step 4 (you will be asked for its pass phrase; the exported copy is not password protected):

openssl rsa -in "c:\certs\mcafee.key" -out "c:\certs\unsecured.mcafee.key"

6. Enter the following command to create a Certificate Signing Request (.csr) using the key created in step 4:

openssl req -new -key "c:\certs\mcafee.key" -out "c:\certs\mcafee.csr"

7. You will now be asked for the necessary information for your certificate as below (with sample answers). If you do not know exactly what information to insert, most parts can be ignored, but the vital section is "Common Name", as this is the server name you will enter when connecting to ePO. In a single domain environment the server name is good enough. If the server is likely to be accessed by machines external to your domain, use the server FQDN:

Enter pass phrase for mcafee.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Beaverton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Inc.
Organizational Unit Name (eg, section) []:Tech. Support
Common Name (eg, YOUR name) []:EPOSRV
Email Address []:support@xyz.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

8. The “mcafee.csr” file will now be created using the information you have supplied in step 7. You will now need to submit this to your Certificate Authority (by default http://servername/certsrv).

9. Select the Request a certificate link.

10. Click the advanced certificate request.

11. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.

12. Open the certificate request in notepad and paste all text into the Saved Request box.

13. Click Submit.

14. Depending on your Certificate Authority configuration you may receive your certificate immediately or you may need to issue (or get someone else to issue) your certificate.

15. Click Download CA chain

16. Save as c:\certs\ePO.p7b

17. Double click c:\certs\ePO.p7b and navigate to c:\certs\epo.p7b>Certificates

18. Right click on the certificate shown and select Export, select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), Save as c:\certs\epocert.p7b

19. You should now have the following files available in c:\certs:

a. Epocert.p7b
b. Unsecured.mcafee.key

20. Navigate to your ePO server console and log in. Select Menu, Configuration, Server Settings

21. Select Server Certificate and click Edit

a. For the Certificate (P7B, PEM) select c:\certs\epocert.p7b.
b. For the Private key (PEM) select c:\certs\unsecured.mcafee.key.
c. In the Password field enter the password used when creating the certificates.

22. Reboot the ePO server

23. Now when you connect to the ePO server you should not receive any certificate warnings.
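
The checks below are an added example, not part of the original post: a PowerShell script that confirms the CSR subject before submission, confirms the exported certificate belongs to the private key before uploading both to ePO, and restricts access to the unencrypted key. It assumes the paths and file names used in the steps above and that the exported P7B is in binary (DER) form.

```powershell
# Added example; paths and file names are the ones used in the steps above.
$openssl = 'C:\Openssl-win32\bin\openssl.exe'
$certs   = 'C:\certs'

# 1. Before submitting (step 8): check the CSR's self-signature and print its
#    subject, so a wrong Common Name is caught before the CA signs it.
#    Look for "verify OK" in the output.
& $openssl req -in "$certs\mcafee.csr" -noout -verify -subject
if ($LASTEXITCODE -ne 0) { throw 'CSR could not be read or verified' }

# 2. After export (step 18): unpack the P7B into PEM text.
#    Assumption: the Windows export wrote a binary (DER) P7B; use -inform PEM
#    if the file starts with "-----BEGIN PKCS7-----".
& $openssl pkcs7 -inform DER -in "$certs\epocert.p7b" -print_certs -out "$certs\epocert.pem"
if ($LASTEXITCODE -ne 0) { throw 'Could not read epocert.p7b' }

# 3. Find the certificate whose RSA modulus equals the private key's modulus.
#    openssl prints "Modulus=<hex>"; equal lines mean the same key pair.
$keyMod = & $openssl rsa -in "$certs\unsecured.mcafee.key" -noout -modulus
if (-not $keyMod) { throw 'Could not read unsecured.mcafee.key' }
$pem    = [IO.File]::ReadAllText("$certs\epocert.pem")
$blocks = [regex]::Matches($pem, '(?s)-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----')
$server = $blocks | Where-Object {
    ($_.Value | & $openssl x509 -noout -modulus 2>$null) -eq $keyMod
}
if (-not $server) { throw 'No certificate in epocert.p7b matches unsecured.mcafee.key' }

# Show what ePO will present: subject (Common Name) and expiry date.
@($server)[0].Value | & $openssl x509 -noout -subject -enddate

# 4. unsecured.mcafee.key has no pass phrase, so file permissions are its only
#    protection: drop inherited ACEs and allow only Administrators and SYSTEM.
icacls "$certs\unsecured.mcafee.key" /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F'
```

The icacls line only narrows who can read the file; the key is still stored unencrypted on disk.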


2008 R2 Domain Controllers have “unidentified network”

I have found two workarounds for this issue.

 

1. From Microsoft http://support.microsoft.com/kb/2001093 – they do not support this in a production environment!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name:  Repl Perform Initial Synchronizations
Value type:  REG_DWORD
Value data: 0

 

2. Edit the following registry entries to contain the correct domain name

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\networkname

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\machinedomain

WSUS install problem – no network connection

Server 2008 R2 install of WSUS fails with

 

Windows server update services – Installation failed.
The update cannot be found. There may be a network connection issue

Cause: Group Policy is pointing towards a non-functioning WSUS server. Change the following setting to Disabled/Not Configured:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Updates\Allow signed updates from an intranet Microsoft update service location

Server Core – Promote to Domain Controller

To carry out a successful dcpromo under Server Core you will need an answer file. Not all settings shown in the answer file below are needed (DNS server, GC, etc.).

[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=cobranet.com
SiteName=SiteA
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
DNSDelegationUserName=adcobranet\sysadmin
DNSDelegationPassword=*******
UserDomain=cobranet.com
UserName=cobranet.com\stuartconey
Password=*********8
ReplicationSourceDC=dc1.cobranet.com
DatabasePath="D:\NTDS"
LogPath="E:\NTDS"
SYSVOLPath="D:\SYSVOL"
SafeModeAdminPassword=*********

Full MS article here
http://support.microsoft.com/kb/947034

Server Core: Demoting a Domain Controller

To demote with a single command (assuming all default answers)

dcpromo /administratorpassword:password

To demote with alternate settings, use the following unattend parameters for demotion (default values are enclosed in <>):

/AdministratorPassword:"administrator password" (default is an empty password)

Specifies a local administrator account password when demoting a domain controller.

/DemoteFSMO:{Yes | <No>}

Indicates that (forced) demotion should continue even if a FSMO role is discovered on domain controller being demoted.

/DNSDelegationPassword:{"password" | *}

Specifies the password for the user name (account credentials) to use for creating or removing DNS delegation. Specify * to prompt the user to enter credentials.

/DNSDelegationUserName:"user_name"

Specifies the user name (account credentials) used for creating or removing DNS delegation. If no value is specified, the credentials used for the domain controller installation or removal are used.

/IgnoreIsLastDcInDomainMismatch:{Yes | <No>} default causes the wizard to prompt the user to continue and causes the command-line tool to exit with an error.

Specifies whether to continue the demotion of the domain controller when either the switch /IsLastDCInDomain:Yes is specified and dcpromo detects that there is actually another active domain controller in the domain, or when the switch /IsLastDCInDomain:No is specified and dcpromo cannot contact any other domain controller in the domain.

/IgnoreIsLastDNSServerForZone:{Yes | <No>}

Specifies whether to continue demotion despite that the domain controller is the last DNS server for one or more of the Active Directory-integrated DNS zones that it hosts.

/IsLastDCInDomain:{Yes | <No>}

Specifies whether the computer which is being demoted is the last domain controller in the domain.

/Password:{"password" | *}

Specifies the password corresponding to the user name (account credentials) used for the operation. Specify * to prompt the user to enter credentials.

/RebootOnCompletion:{<Yes> | No}

Specifies whether to restart the computer upon completion, regardless of success.

/RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}

Specifies whether to restart the computer upon successful completion.

/RemoveApplicationPartitions:{Yes | <No>}

Specifies whether to remove application partitions during the demotion of the domain controller.

/RemoveDNSDelegation:{<Yes> | No}

Specifies whether DNS delegations pointing to this DNS server should be removed from the parent zone.

/RetainDCMetadata:{Yes | <No>}

Specifies to retain domain controller metadata in the domain after AD DS removal. Delegated read-only domain controller (RODC) administrators should specify this option to demote an RODC.

/UserDomain:"domain_name"

Specifies the domain name for the user name (account credentials) used for the operation. It also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.

/UserName:"user_name"

Specifies the user name (account credentials) used for the operation. If no value is specified, the credentials of the current user are used for the operation.

Set Authoritative Time Source within domain (Primary DC)

From Technet

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
In the right pane, right-click AnnounceFlags, and then click Modify.
In Edit DWORD Value, type A in the Value data box, and then click OK.
Quit Registry Editor.
At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:
net stop w32time && net start w32time