13 January 2010

NTR Old Movies List

N. T. Rama Rao is a great actor who played a number of different roles in Telugu films.
He acted in different roles in ancient spiritual stories.

Itihasic Roles
  1. Sri Rama
  2. Sri Krishna
  3. God Maha Vishnu
  4. God Shiva
  5. Sri Venkateshwara
  6. Ravana(Lanka King)
  7. Dhuryodhana
  8. Bheema
  9. Keechaka
  10. Arjuna
  11. Karna
  12. Bruhannala
  13. Bhishma
  14. Viswamitra Maharshi
  15. Valmiki
  16. Nala Maharaj
  17. Raja Harischandra

Devotional Role

Pundarika

Historical
  1. Sri Krishna Devaraya
  2. Brahmanaidu
  3. Raja of Bobbili
  4. Shivaji (guest)
  5. Akbar
  6. Chandra Gupta
  7. Ashoka
  8. Alluri Sitarama Raju (guest)
  9. Saranga Dhara
  10. Veera Pandya Katta Brahmanna

Here is the big list of his movies.
Note: The pictures marked with a red star (*) are NTR's biggest hits.

1. Shrinatha Kavi Sarvabhowma (1993)
2. Major Chandrakant (1993)
3. Samrat Ashok (1992)
4. Brahmarishi Vishwamitra (1991)
5. Shrimad Virat Veerabrahmendra Swami Charitra (1984)
6. Chanda Sasanudu (1983)
7. Simham Navindi (1983)
8. Anuraga Devatha (1982)*
9. Bobbili Puli (1982)*
10. Justice Chowdhary (1982)*
11. Kaliyuga Ramudu (1982)
12. Naa Desam (1982)
13. Vayyari Bhamulu Vagalamari Bhartulu (1982)
14. Tirugu Leni Manishi (1981)
15. Kondaveeti Simham (1981)*
16. Satyam Shivam (1981)
17. Aatagadu (1980)
18. Circus Ramudu (1980)
19. Sardar Papa Rayudu (1980)*
20. Vishwa Roopam (1980)
21. Driver Ramudu (1979)*
22. Shrimad Virata Parvam (1979)
23. Shri Tirupati Venkateswara Kalyanam (1979)
24. Vetagadu (1979)*
25. Yugandhar (1979)*
26. Akbar Saleem Anarkali (1978)
27. KD No 1 (1978)
28. Shri Rama Pattabhishekham (1978)
29. Simha Baludu (1978)
30. Adavi Ramudu (1977)*
31. Chanakya Chandragupta (1977)*
32. Daana Veera Shura Karna (1977)*
33. Aradhana (1976)*
34. Manushulanta Okkate (1976)*
35. Yamagola (1975)*
36. Yeduruleni Manishi (1975)
37. Ammayi Pelli (1974)
38. Deeksha (1974)
39. Manushullo Devudu (1974)
40. Nippulanti Manishi (1974)
41. Sree Rama Anjaneya Yuddham (1974)*
42. Tatamma Kala (1974)
43. Deshoddharakulu (1973)
44. Devudu Chesina Manushulu (1973)*
45. Palletoori Chinnodu (1973)
46. Aaradhana (1972)*
47. Badi Panthulu (1972)*
48. Chinnanaati Snehithulu (1971)
49. Jeevitha Chakram (1971)
50. Petthamdaarlu (1971)
51. Rajakota Rahasyam (1971)*
52. Shri Krishna Satya (1971)*
53. Alibaba 40 Dongalu (1970)*
54. Maathru Devatha (1970)
55. Nirdoshi (1970)*
56. Shri Krishna Vijayam (1970)*
57. Lord Krishna Talla Pellamma (1970)
58. Bhale Mastaru (1969)
59. Ekaveera (1969)*
60. Gopaludu Bhoopaludu (1969)*
61. Katha Nayakudu (1969)
62. Nindu Hridayalu (1969)
63. Bagdad Gajadonga (1968)*
64. Bhagyachakram (1968)*
65. Kalisochchina Adrushtam (1968)
66. Niluvu Dopidi (1968)
67. Nindu Samsaram (1968)
68. Ninne Pelladuta (1968)
69. Umachandi Gauri Shankarula Katha (1968)
70. Varakatnam (1968)
71. Devasimha Kanchukota (1967)
72. Aada Paduchu (1967)
73. Satyam Apoorva Piravaigal (1967)
74. Bhama Vijayam (1967)
75. Shri Krishnavataram (1967/I)*
76. Ummadi Kutumbam (1967)*
77. Adugu Jaadalu (1966)
78. Palnati Yudham (1966)*
79. Paramanandayya Shishyula Katha (1966)*
80. Shri Krishna Pandaviyam (1966)*
81. Shri Krishna Tulabharam (1966/I)*
82. Chitti Chellelu (1965)
83. CID (1965)
84. Gudi Gantalu (1965)*
85. Naadi Aada Janme (1965)*
86. Satya Harishchandra (1965/II)*
87. Todu Needa (1965)
88. Babruvahana (1964)*
89. Bobbili Yudham (1964)*
90. Daagudumootalu (1964)*
91. Devatha (1964)*
92. Manchi Manishi (1964)*
93. Ramadasu (1964)
94. Ramudu Bheemudu (1964)*
95. Bheemudu Varasatwam (1964)
96. Vivaha Bandham (1964)
97. Chandrasekhar Manchi Chedu (1963)
98. Narthanasala (1963)*
99. Tirupathamma Katha (1963)*
100. Lakshadhikari (1963)*
101. Bandipotu (1963)*
102. Paruvu Prathishta (1963)
103. Lava Kusa (1963/I)*
104. Savati Koduku (1963)
105. Valmiki (1963/I)*
106. Valmiki Maharshi Pempudu Kuthuru (1963)
107. Irugu - Porugu (1963)
108. Sri Krishnarjuna Yudham (1963)*
109. Apta Mithrulu (1963)
110. Karna (1963)
111. Karnan (1963)
112. Atma Bandhuvu (1962)*
113. Raktha Sambandham (1962)*
114. Swarnamanjari (1962)
115. Mahamantri Timmarasu (1962)*
116. Gundamma Katha (1962)*
117. Dakshayagnam (1962/I)*
118. Bhishma (1962)*
119. Tiger Ramudu (1962)
120. Gaali Medalu (1962)
121. Gulebakavali Katha (1962)*
122. Sri Srikakula Andhra Mahavishnuvu Katha (1962)*
123. Taxi Ramudu (1961)
124. Kalasivunte Kaladu Sukham (1961)*
125. Jagadeka Veeruni Katha (1961)*
126. Santa (1961)
127. Pendli Pilupu (1961)
128. Sati Sulochana (1961)
129. Intiki Deepam Illalu (1961)
130. Sri Seetha Rama Kalyanam (1961)*
131. Pandava Vanavasam (1961/I)*
132. Bhatti Vikramarka (1960)*
133. Deepavali (1960)*
134. Sri Venkateswara Mahatmyam (1960)*
135. Vimala (1960)
136. Balangamma (1959/I)*
137. Raja Makutam (1959/I)*
138. Rechukka Pragatichukka (1959)*
139. Sabhash Ramudu (1959)*
140. Sri Panduranga Mahatyam (1959)*
141. Raja Nandini (1958)
142. Bhookailas (1958)*
143. Appu Chesi Pappu Koodu (1958)*
144. Intiguttu (1958)
145. Maya Bazaar (1957/I)*
146. Bhagya Rekha (1957)*
147. Maya Bazaar (1957/II)*
148. Nala Damayanti (1957)*
149. Panduranga Mahatyam (1957)*
150. Sarangadhara (1957)*
151. Vinayaka Chaviti (1957)*
152. Chiranjeevulu (1956)*
153. Tenali Ramakrishna (1956/I)*
154. Charana Daasi (1956)*
155. Chintamani (1956)*
156. Jayam Manade (1956)*
157. Marmaveeran (1956)
158. Penki Pellam (1956)*
159. Sontha Ooru (1956)
160. Jayasimha (1955)*
161. Kanyasulkam (1955)*
162. Missamma (1955)*
163. Rani Ratnaprabha (1955)*
164. Santosham (1955)
165. Parivartana (1954)
166. Aggi Ramudu (1954)
167. Raju-Pedha (1954)*
168. Rechukka (1954)*
169. Todu Dongalu (1954)
170. Vaddante Dabbu (1954)
171. Chandraharam (1954)*
172. Pitchi Pullaiah (1953)
173. Ammalakkalu (1953)
174. Chandirani (1953/I)
175. Chandirani (1953/II)
176. Marumagal (1953)
177. Sangham (1953)*
178. Daasi (1952)
179. Palletooru (1952)
180. Pelli Chesi Choodu (1952)*
181. Tingu Ranga (1952)
182. Malliswari (1951)*
183. Patala Bhairavi (1951)*
184. Navvite Navaratnalu (1951)
185. Maya Rambha (1950)
186. Palletoori Pilla (1950)*
187. Shavukaru (1950)*
188. Satyam Samsaram (1950)*
189. Mana Desam (1949)*

As director

1. Samrat Ashok (1992)
2. Brahmarishi Vishwamitra (1991)
3. Shrimad Virat Veerabrahmendra Swami Charitra (1984)
4. Chanda Sasanudu (1983)
5. Shrimad Virata Parvam (1979)
6. Shri Tirupati Venkateswara Kalyanam (1979)
7. Akbar Saleem Anarkali (1978)
8. Shri Rama Pattabhishekham (1978)
9. Chanakya Chandragupta (1977)
10. Daana Veera Shura Karna (1977)
11. Tatamma Kala (1974)
12. Talla Pellamma (1970)
13. Varakatnam (1968)
14. Shri Krishna Pandaviyam (1966)
15. Gulebakavali Katha (1962)
16. Sri Seetha Rama Kalyanam (1961)
-------------------
Thanks,

Jonathan Swift  - "May you live every day of your life."

12 January 2010

SCCM Multi Forest Design


Configuration Manager in Multiple Active Directory Forests
http://technet.microsoft.com/en-us/library/bb694003.aspx
 
Best Practices for Hierarchy Security
http://technet.microsoft.com/en-us/library/bb680386.aspx
 
Configuration Manager Site to Site Communications
http://technet.microsoft.com/en-us/library/bb694289.aspx
 

10 January 2010

OSD Part2 done by me for PKI...........Hope this ends Native mode story from my Pocket

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.

  2. Right-click <site code> - <site name> and then click Properties.

  3. On the Site Mode tab in the site properties dialog box, select Native mode.

  4. In the Site server signing certificate section, click Browse to view the available certificates on the site server's local store in the Available Certificates dialog box. Select the site server signing certificate that contains the site code in the Issued to field and includes Document Signing in the Intended Purpose field. Then click OK to close the Available Certificates dialog box.

  5. If you are unable to browse to the site server's certificate store, you can manually enter the certificate's thumbprint in the Thumbprint text box. Configuration Manager will attempt to match the thumbprint to a certificate, and if this is successful, the certificate friendly name will be displayed in the Thumbprint field. If Configuration Manager is unable to match the thumbprint to a certificate, you will be prompted to choose whether you want to continue.

  6. When you have either selected the certificate or entered the thumbprint, click OK to close the site properties dialog box.
    -------------------
    Thanks,

    Ted Turner  - "Sports is like a war without the killing."

How to confirm the Native is working????

Google the following phrases for the answer:
 
How to Identify Client Certificate Issues in Native Mode
How to Determine Whether Client Computers Are Ready for Native Mode
How to Specify the Client Certificate Selection Criteria
How to Specify the Client Certificate Store
How to Assign the Fallback Status Point to Configuration Manager Client Computers

-------------------
Thanks,

Charles de Gaulle  - "The better I get to know men, the more I find myself loving dogs."

OSD Part1 done by me for PKI End >>>>Will post the next Part



This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures that guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager 2007 requires to operate in native mode. Native mode offers the highest level of security for a Configuration Manager 2007 site, and it is a requirement for Internet-based client management. For more information about native mode in Configuration Manager, see Benefits of Using Native Mode.

The procedures in this example refer to a Microsoft PKI solution, using an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept.

Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the possible deployment methods, see Deploying the PKI Certificates Required for Native Mode.

Note
The use of a Microsoft PKI solution is recommended to support Configuration Manager 2007, but it is not required. Configuration Manager 2007 uses standard PKI certificates, supporting version 3 of the x.509 certificate format. If your existing PKI deployment can create, deploy, and manage the certificates that Configuration Manager 2007 requires for native mode, you can use your existing PKI infrastructure. Consult your PKI documentation for deployment details.

In This Section

This example contains the following sections, which cover creating and deploying the basic certificates that are required for a Configuration Manager 2007 site to operate in native mode for intranet connectivity:

Test Network Requirements

Overview

Deploying the Site Server Signing Certificate

Deploying the Web Server Certificate

Deploying the Client Certificate

Test Network Requirements

The example has the following requirements:

  • The test network is running Active Directory Domain Services with Windows Server 2008, and it is installed as a single domain, single forest.
  • You have a domain controller running Windows Server 2008 Enterprise Edition, which has installed on it the Active Directory Certificate Services role, and it is configured as an enterprise root certification authority (CA).
  • You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and you have Internet Information Services (IIS) installed on it.
  • You have one Windows Vista client with the latest service pack installed, and this computer is configured with a computer name that comprises ASCII characters and is joined to the domain.
  • You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

Overview

PKI certificates must be installed prior to configuring Configuration Manager 2007 to operate in native mode. This example does not include installing and configuring Configuration Manager 2007, but it provides the steps to provision computers with the certificates they require to operate in Configuration Manager 2007 native mode.

The following table lists the three types of PKI certificates that are required and describes how they are used in a native mode Configuration Manager 2007 site:

Certificate Requirement: Certificate Description

  • Site server signing certificate: This certificate is installed on the server that will be the Configuration Manager 2007 site server. It is used to sign client policies.
  • Web server certificate: This certificate is installed on servers that will be Configuration Manager 2007 site systems, with roles such as the management point and distribution point. It is used to encrypt data and authenticate the server to clients.
  • Client certificate: This certificate is installed on computers that will be Configuration Manager 2007 clients, and it is installed on the management point. It is used to authenticate the client to site systems; on the management point it is used to monitor the server's operational status.

For more information about the certificates, see Certificate Requirements for Native Mode.

Follow the steps in this example to achieve the following goals:

  • Provision the member server with a Configuration Manager 2007 site server signing certificate so that it can operate as a Configuration Manager 2007 site server in native mode.
  • Provision the member server with a Web server certificate so that it can operate as a Configuration Manager 2007 site system server in native mode that can run any of these Configuration Manager site system roles: management point, distribution point, software update point, and state migration point.
  • Provision a workstation and the member server with a client certificate so that the workstation can operate as a Configuration Manager 2007 native mode client, and so that the management point can report its status to the site server.

Deploying the Site Server Signing Certificate

This step has four procedures:

  • Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority
  • Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server
  • Approving the Site Server Signing Certificate on the Certification Authority
  • Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server

Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority

To create and issue the site server signing certificate template
  1. On the domain controller running the Windows Server 2008 console, click Start, click Programs, click Administrative Tools, and then click Certification Authority.

  2. Expand the name of your certification authority (CA), and then click Certificate Templates.

  3. Right-click Certificate Templates, and then click Manage to load the Certificate Templates Console.

  4. In the results pane, right-click the entry that displays Computer in the Template Display Name column, and then click Duplicate Template.

  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  6. In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as ConfigMgr Site Server Signing Certificate.

  7. Click the Issuance Requirements tab, and then select CA certificate manager approval.

  8. Click the Subject Name tab, and then click Supply in the request.

  9. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  10. In the Edit Application Policies Extension dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Remove.

  11. In the Edit Application Policies Extension dialog box, click Add.

  12. In the Add Application Policy dialog box, select Document Signing as the only application policy, and then click OK.

  13. In the Properties of New Template dialog box, you should now see listed as the description of Application policies: Document Signing.

  14. Click OK, click OK to close the Properties of New Template, and then close the Certificate Templates Console.

  15. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  16. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK.

    Note
    If you cannot complete steps 15 or 16, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure certificate templates with Windows Server Standard Edition and Active Directory Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.

  17. Do not close the Certification Authority console.

Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server

To request the site server signing certificate
  1. On the member server, create a folder to contain your certificate files.

  2. Open Notepad, or a similar text editor of your choice. Copy and paste the following text into the file:

     
    [NewRequest]
    Subject = "CN=The site code of this site server is <site-code>"
    MachineKeySet = True
    [RequestAttributes]
    CertificateTemplate = ConfigMgrSiteServerSigningCertificate

  3. Replace the text <site-code> with your own site code. For example, if your site code is A01, the line will become: Subject = "CN=The site code of this site server is A01".

    Important
    Both the site code and the name of the template are case sensitive. Make sure that you specify the site code exactly as it appears in the Configuration Manager console, and that you specify the site server signing certificate template exactly as it appears as the Template name (not the Template display name) in the certificate template properties.

  4. Save the file with the name sitesigning.inf, and save it in the certificates folder that you created.

  5. Open a command window in the certificates folder that you created, type the following command, and then press Enter:

    certreq -new sitesigning.inf sitesigning.req

  6. Type the following command, and then press Enter:

    certreq -submit sitesigning.req sitesigning.cer

  7. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. When the certificate is issued, you see RequestId: <number> displayed, where <number> is the next sequential certificate request to the issuing CA. Make a note of this number.

  8. Do not close the command prompt.

Approving the Site Server Signing Certificate on the Certification Authority

To approve the site server signing certificate
  1. On the domain controller, in Certification Authority, click Pending Requests.

  2. In the results pane, you will see the requested certificate with the Request ID that was displayed with the last Certreq command.

  3. Right-click the requested certificate, click All Tasks, and then click Issue.

  4. Do not close the Certification Authority console.

Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server

To retrieve and install the site server signing certificate
  1. On the member server, in the command window, type the following command, and then press Enter:

    certreq -retrieve <number> sitesigning.cer

    For example, if the request number previously displayed was 12, type: certreq -retrieve 12 sitesigning.cer

  2. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK.

  3. Type the following command, and then press Enter:

    certreq -accept sitesigning.cer

The member server is now provisioned with a Configuration Manager 2007 site server signing certificate.
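
A check for the certificate that the four procedures above install, added here as an example and not part of the original post or the vendor documentation: it looks in the local computer store for the site server signing certificate and reports whether the subject matches the site code exactly (case included), whether Document Signing is the only intended purpose, and whether the private key and validity period are in order. The site code A01 is the sample value from step 3, and the function name Test-SiteSigningCertificate is hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# prompt on the member server after "certreq -accept sitesigning.cer".
param(
    # Assumption: A01 is the sample site code used in step 3 of the request procedure.
    [string]$SiteCode = 'A01'
)

# Subject string written to sitesigning.inf in the request procedure.
$SubjectPrefix   = 'CN=The site code of this site server is '
$ExpectedSubject = $SubjectPrefix + $SiteCode
# Object identifier of the Document Signing application policy.
$DocumentSigningOid = '1.3.6.1.4.1.311.10.3.12'

function Test-SiteSigningCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedSubject,
        [string]$RequiredOid
    )
    $problems = @()

    # The site code is case sensitive, so use the case-sensitive operator -cne.
    if ($Certificate.Subject -cne $ExpectedSubject) {
        $problems += "Subject is '$($Certificate.Subject)', expected '$ExpectedSubject'"
    }

    # Collect the purpose OIDs from the Enhanced Key Usage extension, if present.
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    if ($oids -notcontains $RequiredOid) {
        $problems += 'Document Signing is not listed as an intended purpose'
    }

    # The template was edited so that Document Signing is the only application policy;
    # Client or Server Authentication left behind means the template edit was missed.
    $extra = @($oids | Where-Object { $_ -ne $RequiredOid })
    if ($extra.Count -gt 0) {
        $problems += "Unexpected additional purposes: $($extra -join ', ')"
    }

    # certreq -accept should have bound the issued certificate to the private key
    # that certreq -new created in the machine key set.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key is associated with this certificate'
    }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # The leading comma keeps an empty or single-item array from being unrolled.
    return ,$problems
}

# MachineKeySet = True in sitesigning.inf places the certificate in the local
# computer's Personal store. -like is case-insensitive, so a certificate with a
# wrongly cased subject is still found here and then flagged by the exact check.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like ($SubjectPrefix + '*') })

if ($candidates.Count -eq 0) {
    Write-Warning "No site server signing certificate found in Cert:\LocalMachine\My"
}

foreach ($cert in $candidates) {
    $problems = Test-SiteSigningCertificate -Certificate $cert `
        -ExpectedSubject $ExpectedSubject -RequiredOid $DocumentSigningOid

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Ready      = (@($problems).Count -eq 0)
        Problems   = (@($problems) -join '; ')
    } | Select-Object Thumbprint, Subject, NotAfter, Ready, Problems
}
```

The Thumbprint value it prints is the one to enter in the Thumbprint text box of the site properties when the certificate store cannot be browsed from the console.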

Deploying the Web Server Certificate

This step has four procedures:

  • Creating a Windows Security Group for the Site System Servers
  • Creating and Issuing the Web Server Certificate Template on the Certification Authority
  • Requesting the Web Server Certificate
  • Configuring IIS to Use the Web Server Certificate

Creating a Windows Security Group for the Site System Servers (Management Point, Distribution Point, Software Update Point, State Migration Point)

To create a Windows security group for the site system server
  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the domain, click New, and then click Group.

  3. In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group name, and then click OK.

  4. In Active Directory Users and Computers, right-click the group you have just created, and then click Properties.

  5. Click the Members tab, and then click Add to select the member server.

    Note
    In our test environment, there is only one server to add. However, in a production environment, it is likely that various servers will host the Configuration Manager 2007 site systems that require certificates, such as the site's management point and distribution points. It is therefore good practice to assign permissions to a group and add the site systems that require the same type of certificate. Creating a security group for these servers enables you to assign permissions so that only these servers can use these certificates.

  6. Click OK, and then click OK again to close the group properties dialog box.

  7. Restart your member server (if running) so that it can pick up the new group membership.

Creating and Issuing the Web Server Certificate Template on the Certification Authority

To create and issue the Web server certificate template on the certification authority
  1. On the domain controller, while still running the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

  2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

  5. Click the Subject Name tab, ensure that Build from this Active Directory information is selected, and then select one of the following for the Subject name format:

    • Common name: Select this option if you will use fully qualified domain names for site systems in Configuration Manager (required for Internet-based client management, and recommended for clients on the intranet).
    • Fully distinguished name: Select this option if you will not use fully qualified domain names in Configuration Manager.
  6. Clear the option User principal name (UPN).

  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

  9. Select the Enroll permission for this group, and do not clear the Read permission.

  10. Click OK, and close the Certificate Templates Console.

  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.

  13. Do not close the Certification Authority console.

Requesting the Web Server Certificate

To request the Web server certificate
  1. Restart the member server to ensure it can access the certificate template with the configured permission.

  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console, expand Certificates (Local Computer), and then click Personal.

  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  9. On the Before You Begin page, click Next.

  10. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

  11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

  12. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate

To configure IIS to use the Web server certificate
  1. On the member server, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

  3. Click the https entry, and then click Edit.

  4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.

    Note
    If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificate template with the thumbprint of the certificate currently selected in the Edit Site Binding dialog box.

  5. Click OK in the Edit Site Binding dialog box, and then click Close.

  6. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2007 Web server certificate.

Deploying the Client Certificate

This step has three procedures:

  • Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority
  • Configuring Autoenrollment of the Workstation Authentication Template Using Group Policy
  • Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

To create and issue the Workstation Authentication certificate template on the certification authority
  1. On the domain controller, while still running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

  5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll.

  6. Click OK and close Certificate Templates Console.

  7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  8. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Client Certificate, and then click OK.

  9. Close the Certification Authority console.

Configuring Autoenrollment of the Workstation Authentication Template Using Group Policy

To configure autoenrollment of the workstation authentication template using Group Policy
  1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.

  2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

    Note
    This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, in a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.

  3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.

  4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

  5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.

  6. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

  7. From the Configuration Model drop-down list, select Enabled, select the option "Renew expired certificates, update pending certificates, and remove revoked certificates", select the option "Update certificates that use certificate templates", and then click OK.

  8. Close Group Policy Management.

Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

To automatically enroll the workstation authentication certificate and verify its installation on the client computer
  1. Restart the workstation computer, and wait a few minutes before logging on.

    Note
    Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.

  2. Log on with an account that has administrative privileges.

  3. In the search box, type mmc.exe, and then press Enter.

  4. In the empty management console, click File, and then click Add/Remove Snap-in.

  5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  6. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. In the Add or Remove Snap-ins dialog box, click OK.

  9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.

  11. Close Certificates (Local Computer).

  12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The workstation and member server are now provisioned with a Configuration Manager 2007 client certificate.


Thanks,

Samuel Goldwyn  - "I don't think anyone should write their autobiography until after they're dead."

OSD Part1 done by me for PKI End >>>>Will post the next Part



This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures that guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager 2007 requires to operate in native mode. Native mode offers the highest level of security for a Configuration Manager 2007 site, and it is a requirement for Internet-based client management. For more information about native mode in Configuration Manager, see Benefits of Using Native Mode.

The procedures in this example refer to a Microsoft PKI solution, using an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept.

Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the possible deployment methods, see Deploying the PKI Certificates Required for Native Mode.

Note
The use of a Microsoft PKI solution is recommended to support Configuration Manager 2007, but it is not required. Configuration Manager 2007 uses standard PKI certificates, supporting version 3 of the X.509 certificate format. If your existing PKI deployment can create, deploy, and manage the certificates that Configuration Manager 2007 requires for native mode, you can use your existing PKI infrastructure. Consult your PKI documentation for deployment details.

In This Section

This example contains the following sections, which cover creating and deploying the basic certificates that are required for a Configuration Manager 2007 site to operate in native mode for intranet connectivity:

Test Network Requirements

Overview

Deploying the Site Server Signing Certificate

Deploying the Web Server Certificate

Deploying the Client Certificate

Test Network Requirements

The example has the following requirements:

  • The test network is running Active Directory Domain Services with Windows Server 2008, and it is installed as a single domain, single forest.
  • You have a domain controller running Windows Server 2008 Enterprise Edition, which has installed on it the Active Directory Certificate Services role, and it is configured as an enterprise root certification authority (CA).
  • You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and you have Internet Information Services (IIS) installed on it.
  • You have one Windows Vista client with the latest service pack installed, and this computer is configured with a computer name that comprises ASCII characters and is joined to the domain.
  • You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

Overview

PKI certificates must be installed prior to configuring Configuration Manager 2007 to operate in native mode. This example does not include installing and configuring Configuration Manager 2007, but it provides the steps to provision computers with the certificates they require to operate in Configuration Manager 2007 native mode.

The following table lists the three types of PKI certificates that are required and describes how they are used in a native mode Configuration Manager 2007 site:

Certificate Requirement | Certificate Description
--- | ---
Site server signing certificate | This certificate is installed on the server that will be the Configuration Manager 2007 site server. It is used to sign client policies.
Web server certificate | This certificate is installed on servers that will be Configuration Manager 2007 site systems, with roles such as the management point and distribution point. It is used to encrypt data and authenticate the server to clients.
Client certificate | This certificate is installed on computers that will be Configuration Manager 2007 clients, and it is installed on the management point. It is used to authenticate the client to site systems; on the management point it is used to monitor the server's operational status.

For more information about the certificates, see Certificate Requirements for Native Mode.

Follow the steps in this example to achieve the following goals:

  • Provision the member server with a Configuration Manager 2007 site server signing certificate so that it can operate as a Configuration Manager 2007 site server in native mode.
  • Provision the member server with a Web server certificate so that it can operate as a Configuration Manager 2007 site system server in native mode that can run any of these Configuration Manager site system roles: management point, distribution point, software update point, and state migration point.
  • Provision a workstation and the member server with a client certificate so that the workstation can operate as a Configuration Manager 2007 native mode client, and so that the management point can report its status to the site server.

Deploying the Site Server Signing Certificate

This step has four procedures:

  • Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority
  • Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server
  • Approving the Site Server Signing Certificate on the Certification Authority
  • Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server

Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority

To create and issue the site server signing certificate template
  1. On the domain controller running the Windows Server 2008 console, click Start, click Programs, click Administrative Tools, and then click Certification Authority.

  2. Expand the name of your certification authority (CA), and then click Certificate Templates.

  3. Right-click Certificate Templates, and then click Manage to load the Certificate Templates Console.

  4. In the results pane, right-click the entry that displays Computer in the Template Display Name column, and then click Duplicate Template.

  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  6. In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as ConfigMgr Site Server Signing Certificate.

  7. Click the Issuance Requirements tab, and then select CA certificate manager approval.

  8. Click the Subject Name tab, and then click Supply in the request.

  9. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  10. In the Edit Application Policies Extension dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Remove.

  11. In the Edit Application Policies Extension dialog box, click Add.

  12. In the Add Application Policy dialog box, select Document Signing as the only application policy, and then click OK.

  13. In the Properties of New Template dialog box, Document Signing should now be listed as the description of Application policies.

  14. Click OK, click OK to close the Properties of New Template, and then close the Certificate Templates Console.

  15. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  16. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK.

    Note
    If you cannot complete steps 15 or 16, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure certificate templates with Windows Server Standard Edition and Active Directory Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.

  17. Do not close the Certification Authority console.

Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server

To request the site server signing certificate
  1. On the member server, create a folder to contain your certificate files.

  2. Open Notepad, or a similar text editor of your choice. Copy and paste the following text into the file:

     
    [NewRequest]
    Subject = "CN=The site code of this site server is <site-code>"
    MachineKeySet = True
    [RequestAttributes]
    CertificateTemplate = ConfigMgrSiteServerSigningCertificate
  3. Replace the text <site-code> with your own site code. For example, if your site code is A01, the line will become: Subject = "CN=The site code of this site server is A01".

    Important
    Both the site code and the name of the template are case sensitive. Make sure that you specify the site code exactly as it appears in the Configuration Manager console, and that you specify the site server signing certificate template exactly as it appears as the Template name (not the Template display name) in the certificate template properties.

  4. Save the file with the name sitesigning.inf, and save it in the certificates folder that you created.

  5. Open a command window in the certificates folder that you created, type the following command, and then press Enter:

    certreq -new sitesigning.inf sitesigning.req

  6. Type the following command, and then press Enter:

    certreq -submit sitesigning.req sitesigning.cer

  7. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. When the certificate is issued, you see RequestId: <number> displayed, where <number> is the next sequential certificate request to the issuing CA. Make a note of this number.

  8. Do not close the command prompt.

Approving the Site Server Signing Certificate on the Certification Authority

To approve the site server signing certificate
  1. On the domain controller, in Certification Authority, click Pending Requests.

  2. In the results pane, you will see the requested certificate with the Request ID that was displayed with the last Certreq command.

  3. Right-click the requested certificate, click All Tasks, and then click Issue.

  4. Do not close the Certification Authority console.

Installing the Site Server Signing Certificate on the Server That Will Run the Configuration Manager 2007 Site Server

To retrieve and install the site server signing certificate
  1. On the member server, in the command window, type the following command, and then press Enter:

    certreq -retrieve <number> sitesigning.cer

    For example, if the request number previously displayed was 12, type: certreq -retrieve 12 sitesigning.cer

  2. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK.

  3. Type the following command, and then press Enter:

    certreq -accept sitesigning.cer

The member server is now provisioned with a Configuration Manager 2007 site server signing certificate.

Deploying the Web Server Certificate

This step has four procedures:

  • Creating a Windows Security Group for the Site System Servers
  • Creating and Issuing the Web Server Certificate Template on the Certification Authority
  • Requesting the Web Server Certificate
  • Configuring IIS to Use the Web Server Certificate

Creating a Windows Security Group for the Site System Servers (Management Point, Distribution Point, Software Update Point, State Migration Point)

To create a Windows security group for the site system server
  1. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the domain, click New, and then click Group.

  3. In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group name, and then click OK.

  4. In Active Directory Users and Computers, right-click the group you have just created, and then click Properties.

  5. Click the Members tab, and then click Add to select the member server.

    Note
    In our test environment, there is only one server to add. However, in a production environment, it is likely that various servers will host the Configuration Manager 2007 site systems that require certificates, such as the site's management point and distribution points. It is therefore good practice to assign permissions to a group and add the site systems that require the same type of certificate. Creating a security group for these servers enables you to assign permissions so that only these servers can use these certificates.

  6. Click OK, and then click OK again to close the group properties dialog box.

  7. Restart your member server (if running) so that it can pick up the new group membership.

Creating and Issuing the Web Server Certificate Template on the Certification Authority

To create and issue the Web server certificate template on the certification authority
  1. On the domain controller, while still running the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

  2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

  5. Click the Subject Name tab, ensure that Build from this Active Directory information is selected, and then select one of the following for the Subject name format:

    • Common name: Select this option if you will use fully qualified domain names for site systems in Configuration Manager (required for Internet-based client management, and recommended for clients on the intranet).
    • Fully distinguished name: Select this option if you will not use fully qualified domain names in Configuration Manager.
  6. Clear the option User principal name (UPN).

  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

  9. Select the Enroll permission for this group, and do not clear the Read permission.

  10. Click OK, and close the Certificate Templates Console.

  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.

  13. Do not close the Certification Authority console.

Requesting the Web Server Certificate

To request the Web server certificate
  1. Restart the member server to ensure it can access the certificate template with the configured permission.

  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console, expand Certificates (Local Computer), and then click Personal.

  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  9. On the Before You Begin page, click Next.

  10. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

  11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

  12. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate

To configure IIS to use the Web server certificate
  1. On the member server, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

  3. Click the https entry, and then click Edit.

  4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.

    Note
    If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificate template with the thumbprint of the certificate currently selected in the Edit Site Binding dialog box.

  5. Click OK in the Edit Site Binding dialog box, and then click Close.

  6. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2007 Web server certificate.

Deploying the Client Certificate

This step has three procedures:

  • Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority
  • Configuring Autoenrollment of the Workstation Authentication Template Using Group Policy
  • Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

To create and issue the Workstation Authentication certificate template on the certification authority
  1. On the domain controller, while still running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.

  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

  5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll.

  6. Click OK and close Certificate Templates Console.

  7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  8. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Client Certificate, and then click OK.

  9. Close the Certification Authority console.

Configuring Autoenrollment of the Workstation Authentication Template Using Group Policy

To configure autoenrollment of the workstation authentication template using Group Policy
  1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.

  2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

    Note
    This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, in a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.

  3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.

  4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

  5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.

  6. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

  7. From the Configuration Model drop-down list, select Enabled, select the option "Renew expired certificates, update pending certificates, and remove revoked certificates", select the option "Update certificates that use certificate templates", and then click OK.

  8. Close Group Policy Management.

Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

To automatically enroll the workstation authentication certificate and verify its installation on the client computer
  1. Restart the workstation computer, and wait a few minutes before logging on.

    Note
    Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.

  2. Log on with an account that has administrative privileges.

  3. In the search box, type mmc.exe, and then press Enter.

  4. In the empty management console, click File, and then click Add/Remove Snap-in.

  5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  6. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. In the Add or Remove Snap-ins dialog box, click OK.

  9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.

  11. Close Certificates (Local Computer).

  12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The workstation and member server are now provisioned with a Configuration Manager 2007 client certificate.


Thanks,

Samuel Goldwyn  - "I don't think anyone should write their autobiography until after they're dead."
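
The check in steps 9 and 10 of the verification procedure above can also be scripted, which helps when many computers need to be confirmed. This is an added example, not part of the original procedure; the function name is hypothetical, and the template name is the one given in step 10.

```powershell
# Added example: looks in the local computer Personal store for the certificate
# that step 10 describes. Names defined here are this example's own.
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
# Certificate Template Information (v2 templates) and Certificate Template Name (v1)
$TemplateOids     = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')
$ExpectedTemplate = 'ConfigMgr Client Certificate'

function Get-ClientAuthCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuOids  = @()
        $template = ''
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            elseif ($TemplateOids -contains $ext.Oid.Value) {
                # Format() renders the extension as text, e.g. "Template=<name>(<oid>), ...".
                # If the name cannot be resolved, the text may contain only the template OID.
                $template = $ext.Format($false)
            }
        }
        # A certificate with no EKU extension is reported as ClientAuth = $false here.
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuth    = ($ekuOids -contains $ClientAuthOid)
            Template      = $template
        }
    }
}

# Keep only certificates that are usable as the client certificate right now.
$found = @(Get-ClientAuthCertificate | Where-Object {
    $_.ClientAuth -and $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.Template -like "*$ExpectedTemplate*"
})

if ($found.Count -eq 0) {
    Write-Warning "No valid '$ExpectedTemplate' client authentication certificate in the computer store."
} else {
    $found | Format-List Subject, Thumbprint, NotAfter, Template
}
```

Run it on the workstation and on the member server that will be the management point, as step 12 asks for both.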

Native Mode Steps- Reference

First, make sure you really want to do this.

Choose between Native Mode and Mixed Mode
http://technet.microsoft.com/en-us/library/bb632431.aspx

Second, review the (quite detailed) checklist

Administrator Checklist: Migrating a Site to Native Mode
http://technet.microsoft.com/en-us/library/bb632727.aspx


For most installations, you will have to do the following

1. Create a custom web site

Configure Custom Web Sites for Configuration Manager Sites
http://technet.microsoft.com/en-us/library/bb693482.aspx

Configure a Configuration Manager Site to Use a Custom Web Site
http://technet.microsoft.com/en-us/library/bb693662.aspx

2. Create the necessary PKI Infrastructure

SCCM 2007 PKI with Windows Server 2003 CA
http://technet.microsoft.com/en-us/library/bb694035.aspx

SCCM 2007 PKI with Windows Server 2008 CA
http://technet.microsoft.com/en-us/library/cc872789.aspx

3. Configure a Fallback Status Point (less secure, but really useful)

Create a Fallback Status Point in Configuration Manager
http://technet.microsoft.com/en-us/library/bb680830.aspx

4. Switch to native mode

Configure the Site Server with its Site Server Signing Certificate
http://technet.microsoft.com/en-us/library/bb680769.aspx

Specify the Root Certification Authority Certificates for Operating System Deployment Clients
http://technet.microsoft.com/en-us/library/bb632596.aspx

Migrate the Site Mode from Mixed Mode to Native Mode
http://technet.microsoft.com/en-us/library/bb633152.aspx


-------------------
Thanks,

Joan Crawford  - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."

SCCM V4 Document

http://msaadexpert.googlepages.com/SCCM_NativeMode.pdf
 

-------------------
Thanks,

Jonathan Swift  - "May you live every day of your life."

MP Error "Failed to get WebDAV settings on the machine (0x80070003)" in Windows 2008

 
 
 
<01-05-2010 08:48:45>         ======== Completed Installion of Pre Reqs for Role SMSMP ========
<01-05-2010 08:48:45> Installing the SMSMP
<01-05-2010 08:48:45> Passed OS version check.
<01-05-2010 08:48:45> IIS Service is installed.
<01-05-2010 08:48:45> checking WebDAV configuraitons
<01-05-2010 08:48:45> Failed to get WebDAV settings on the machine (0x80070003)
<01-05-2010 08:48:53> ====================================================================
 
Resolution

To install and configure WebDAV for IIS 7.0 to support management point and BITS-enabled distribution point site system computers

  1. Depending on your server operating system platform, download either the x86 or x64 version of WebDAV from: http://go.microsoft.com/fwlink/?LinkId=108052.

  2. Depending on which version was downloaded, run either the webdav_x86_rtw.msi or the webdav_x64_rtw.msi file to install WebDAV IIS 7.0 extensions.

  3. Enable WebDAV and create an Authoring Rule, as follows:

    1. Navigate to Start / All Programs / Administrative Tools / Internet Information Services (IIS) Manager to start Internet Information Services 7 Application Server Manager. In Server Manager, select the Features node, and click Add Features to start the Add Features Wizard.
    2. In the Connections pane, expand the Sites node in the navigation tree, and then click Default Web Site if you are using the default Web site for the site system or SMSWEB if you are using a custom Web site for the site system.
    3. In the Features View, double-click WebDAV Authoring Rules.
    4. When the WebDAV Authoring Rules page is displayed, in the Actions pane, click Enable WebDAV.
    5. After WebDAV has been enabled, in the Actions pane, click Add Authoring Rule.
    6. In the Add Authoring Rule dialog box, under Allow access to, click All content.
    7. Under Allow access to this content to, click All users.
    8. Under Permissions, click Read, and then click OK.
  4. Change the property behavior as follows:

    1. In the WebDAV Authoring Rules page, in the Actions pane, click WebDAV Settings.
    2. In the WebDAV Settings page, under Property Behavior, set Allow anonymous property queries to True.
    3. Set Allow Custom Properties to False.
    4. Set Allow property queries with infinite depth to True.
    5. If this is a BITS-enabled distribution point, under WebDAV Behavior, set Allow hidden files to be listed to True.
    6. In the Action pane, click Apply.
  5. Close Internet Information Services (IIS) Manager.

To add Remote Differential Compression for site server and branch distribution point computers

In Server Manager, on the Features node, click Add Features to start the Add Features Wizard.

  1. On the Select Features page, select Remote Differential Compression, and then click Next.

  2. Complete the rest of the wizard.

  3. Close Server Manager.

 
=====================================================================================
 
Issue 2:
 
 
<01-10-2010 05:20:29> Installing the SMSMP
<01-10-2010 05:20:29> Passed OS version check.
<01-10-2010 05:20:29> IIS Service is installed.
<01-10-2010 05:20:29> checking WebDAV configuraitons
<01-10-2010 05:20:30>  WebDAV settings is not setup appropriately
<01-10-2010 05:20:30>  [Allow property queries with infinite depth] should be true (false)
<01-10-2010 05:20:30>  [Allow Custom Properties] should be false (true)
<01-10-2010 05:20:30>  [Allow anonymous property queries] should be true (false)
<01-10-2010 05:20:30>  Allow [All users read access to All content] authoring rule should exist (exist)
 
I fixed the problem. The settings were set up OK, but for some reason they were not being recognized by the WebDAV component. What I did was open and edit the C:\Windows\System32\inetsrv\config\schema\WEBDAV_schema.xml file. The following parameters were changed:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
<element name="properties">
      <attribute name="allowAnonymousPropfind" type="bool" defaultValue="true" />
      <attribute name="allowInfinitePropfindDepth" type="bool" defaultValue="true" />
      <attribute name="allowCustomProperties" type="bool" defaultValue="false" />
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

After that, I restarted the SMS_SITE_COMPONENT_MANAGER service, and the log shows: "SMS Site Component Manager successfully installed this component on this site system." I will wait to see if all components change to OK status.
-------------------
Thanks,

Mike Ditka  - "If God had wanted man to play soccer, he wouldn't have given us arms."
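
The WebDAV check lines in the "Issue 2" log state both the required and the observed value for each setting, so they can be parsed to show exactly which settings the management point setup rejected. This is an added example, not part of the original post; the function name is hypothetical, and the mapping from log labels to the schema attributes shown above is inferred from their names.

```powershell
# Added example. Log lines copied from the "Issue 2" excerpt on this page.
$sampleLog = @'
<01-10-2010 05:20:29> checking WebDAV configuraitons
<01-10-2010 05:20:30>  WebDAV settings is not setup appropriately
<01-10-2010 05:20:30>  [Allow property queries with infinite depth] should be true (false)
<01-10-2010 05:20:30>  [Allow Custom Properties] should be false (true)
<01-10-2010 05:20:30>  [Allow anonymous property queries] should be true (false)
<01-10-2010 05:20:30>  Allow [All users read access to All content] authoring rule should exist (exist)
'@ -split '\r?\n'

# Log label -> attribute in the <element name="properties"> excerpt
# (mapping inferred from the names; it is an assumption of this example).
$AttributeFor = @{
    'Allow anonymous property queries'           = 'allowAnonymousPropfind'
    'Allow property queries with infinite depth' = 'allowInfinitePropfindDepth'
    'Allow Custom Properties'                    = 'allowCustomProperties'
}

# Matches "<time>  [check] should be X (Y)" and
# "<time>  Allow [check] authoring rule should exist (Y)".
$CheckPattern = '^<(?<time>[^>]+)>\s+(?:Allow\s+)?\[(?<check>[^\]]+)\](?:\s+authoring rule)?' +
                '\s+should\s+(?:be\s+)?(?<want>\w+)\s+\((?<got>[^)]*)\)\s*$'

function Get-WebDavCheckResult {
    param([string[]]$Line)
    foreach ($entry in $Line) {
        if ($entry -match $CheckPattern) {
            New-Object PSObject -Property @{
                Time      = $Matches['time']
                Check     = $Matches['check']
                Required  = $Matches['want']
                Observed  = $Matches['got']
                Attribute = $AttributeFor[$Matches['check']]   # $null for the authoring rule
                Passed    = ($Matches['want'] -eq $Matches['got'])
            }
        }
    }
}

$results = @(Get-WebDavCheckResult -Line $sampleLog)
$failed  = @($results | Where-Object { -not $_.Passed })
$failed | Format-Table Check, Required, Observed, Attribute -AutoSize
if ($failed.Count -eq 0) { 'All WebDAV checks passed.' }
```

On the sample lines the three property settings are reported as failed and the authoring rule check as passed, which matches the values listed in step 4 of the resolution.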