EMS TTT Online Pre-Requisites

Contents

Environment Setup
1. Obtain a public domain name
2. Create your Azure Environment
3. Configure your new Azure Environment
4. Configure the Office 365 Tenant
5. Create your "On-Premises" Environment
   Create a Cloud Service
   Create a Storage Account
   Hydrate the "On-Premise" Environment
   Check the Environment
   Request SSL Certificates
   Add the IIS Role to your Member Server

Environment Setup

For this course, you will need a suitable environment. You will be using an environment provided by Microsoft Office Division Demos. You will provision your personal, free, 90-day Office 365 + EMS tenant. Follow the steps below to create the environment.

1. Obtain a public domain name

You will need a public domain name which can be assigned as the user principal name (UPN) suffix for users in your "On-Premises" AD DS forest and can also be registered with Windows Azure AD. You may also use a domain name which you already own, so long as it has not yet been registered with any Office 365 or Windows Azure AD tenant. To be sure, it probably makes sense to come up with a brand new one. There are many different online services to register your own domain name. Well known ones are , GoDaddy and namecheap; these instructions assume you are using , but the process for another provider will be similar.

IMPORTANT: If you register a new domain, you do not need any additions, like mailboxes or mail forwards. The cost of a registered name for a year can be under $10.
In this guide we will refer to your public domain name as <YourDomain>.<xxx> or <YourDomain> (in the first case you include the .com, .xyz or whatever; in the latter case you do not). Examples are and OCGLearningEMSDemo.

Complete these steps from an internet-connected Windows computer.

Task: Register a new public domain name at (the process for will be similar)
Detailed steps:
1. Open Internet Explorer and browse to the registrar's site. In the search field, enter the domain name that you would like to use for this course (e.g. OCGLearningEMSDemo) and click the Search button. You will be offered various possibilities, and you need to find a name that no one else has used (preferably choose one like .xxx and not like .co.xx, as it makes things easier later on).
2. When you identify an available domain name which you would like to purchase, click the associated + button to add it to your cart.
3. Click Proceed to Cart and then SECURE CHECKOUT.
4. You will be prompted to create a new account with Hover or sign in with an existing account. If you already have a Hover account, you may sign in and use that account to complete your purchase; if not, you must supply the requested information and click CREATE ACCOUNT (making sure that you take note of your username and password, as this information will be required later).
5. If you are creating a new account, you will be asked to supply additional information for ICANN for their WHOIS database. Supply the requested information and click CONTINUE.
6. When you reach the Billing Information page, pay for the purchase using the method of your choosing. You are responsible for paying for your domain name, whether that means paying out-of-pocket or arranging for reimbursement by your employer.
7. On the confirmation page, select the checkbox I have read and agree to the Terms of Service and click PURCHASE NOW.
8. Assuming that went through, click CONTINUE.
9. You may be taken through an email verification process, which you should of course complete.
10. Eventually you should be taken to the Domain Details page on Hover's website.

Task: Manage your domain properties
Detailed steps:
1. Logged into , if necessary, click YOUR ACCOUNT and then DOMAINS.
2. For your new domain, switch off Whois Privacy (this will make handling certificates easier, later on).
3. Switch off Auto Renew (just to be sure that you do not unintentionally pay for another year).
Note: For other providers, you should take similar steps.

2. Create your Azure Environment

Note: Please be aware that while these steps will not take much of your time, there can be considerable "waiting time". Because it can fail on occasion (needing you to restart the steps from the beginning), you must ensure that you have a day or so for this.

Important: You are going to need a Microsoft Account, that is a Hotmail, outlook or Live account (aka "MSA" account), and NOT a corporate account. The chances are that you have one already, but the best and easiest way to work through this course is by starting with a brand new Microsoft Account, or at least one that has not yet been used for any Azure subscription (including any trial subscription). The existence of existing subscriptions and/or the different on-screen options and different security challenges mean that there are many different paths, and these instructions would end up being peppered with ifs and buts and side explanations (even assuming that the authors could exhaustively try out each scenario). So we recommend that you create a new MSA account (or at least use a "clean" one). If that is not the case, you should be able to go to , signing in with your MSA account, or with an MSDN ID, and add a subscription. You will just have to keep your wits about you!
An extra section is provided below just for Microsoft FTEs.

Task: Microsoft FTEs only! If you are a Microsoft FTE and do not wish to simply use a clean MSA account, use these summary steps
Detailed steps:
1. Sign up for an IUR account, if you do not have one.
2. Go to the Add Subscription page in the AIRS site.
3. Click Add Subscription.
4. On the next page, type in your Microsoft email address under Service Administrator, then Purchase, and complete the purchase.
5. Pick up at "Edit the subscription properties" (below).

Task: Sign up for Azure
Detailed steps:
1. If you need a new MSA account (because you have not got one, or you have decided not to use an existing one that has already been used for other subscriptions), then create one now (for example go to , log out if necessary, and click Sign up now).
Note: You must provide credit card details but will not be charged for the demo environments as they all use free trial SKUs (unless you decide to extend your demo environment beyond the 90-day trial period). If the credit card has previously been used for a free trial, it may not work; use another one if you can.
2. Log in to the Azure Account Management page, at , using your MSA account.
3. Assuming (as discussed) that you do not have any existing subscriptions, Sign up for a Free Trial (or you can + add subscription and select the Pay-As-You-Go offer).
4. Run through the verification and payment process, and complete the "purchase" (the free trial will last long enough for this course, so you will only actually pay anything if you keep it going).

Task: Edit the subscription properties
Detailed steps:
1. If necessary, go to the Azure Account Management page (at ) and select your new subscription.
2. On the subscription summary page, click Edit subscription details.
3. Change the Subscription Name to something meaningful (for example you could use your domain name). Strictly speaking this step is only needed where you have multiple subscriptions, because it is awkward having lots of them called PAY AS YOU GO, but it is a good habit to get into anyway.
4. Under Account Administrator, ensure that it is set to a Microsoft account (MSA account) that you own. This will be the case where you have used an MSA account to create the subscription, but if you are a Microsoft FTE you MUST replace the corporate account you see here with an MSA account (creating one if necessary).
5. Copy the SUBSCRIPTION ID for use later.

Task: Obtain a demo environment
Detailed steps:
1. Go to the Microsoft Demo Portal site at , and log in as a Microsoft Partner or Microsoft User, as appropriate:
   Microsoft Partner: log in with your Service administrator account, e.g. MyDemo@
   Microsoft User: a Microsoft FTE, so log in with your Microsoft corporate account.
2. On the left hand side, click Tenants. In Tenant Slot 1 (or the first available Tenant Slot) click + Create.
3. Click QuickTenant.
4. Select Standard Office 365 Demo Content.
5. Select Enterprise Mobility Suite (EMS) under Add Ons and enter:
   Azure MSA Subscription ID: copy/paste the Azure subscription ID (that you copied earlier).
   Azure MSA Username/Password: provide the credentials of your subscription's Service Administrator, which is, of course, your MSA account!
6. Click Validate (it can take up to 2 minutes to validate).
7. Once your info has been validated, click Next and Finish.
8. After the tenant has been created, make a note of the tenant name <YourTenant>. (for example MOD485467.), as you will need to log in as this domain's administrator in the next step.
9. On the left hand side, click Demos, then click + Create New Demo.
10. Type a unique name for your demo; again, it makes sense to use your domain name.
11. Under Select a tenant, select the demo tenant you just created.
Note: At this stage you must select a demo module. Rationally, we will choose the EMS: Identity & Access management module.
12. Select Filter Demos, select EMS, click Apply Filters and Add the EMS: Identity & Access management module.
13. Click Create Demo.
Note: The demo (amongst other things) creates an Azure AD directory called Contoso MOD <YourTenant> (in addition to a default one that comes with the subscription).
It also provisions users into that directory, and assigns licenses to most of them. This takes a while (more than a few minutes, but not usually many hours), and you will know when it is finished because you will get an email when it has completed (to the account you used to create the subscription). It does no harm to log on before that, and you may see a "No subscriptions found" message, or simply that not all users have been created or have been assigned licences (for example).
Note: The above is taken from the Create your Demo Environment section of the Identity and Access Management Demo guide. If you have any trouble with the above steps, please check directly in that guide in case there are updates.

3. Configure your new Azure Environment

Task: Check users and review EMS License Assignment
Detailed steps:
1. After you receive the above-mentioned email, open a new browser session in InPrivate mode and go to the Azure admin portal as the (default) Global Admin, which is admin@<YourTenant>. (e.g. admin@MOD485467.), using the default password pass@word1.
2. Check that you can see a directory called Contoso <YourTenant> (like MOD805536).
3. Click Contoso <YourTenant> and then USERS; you should have about 100 users over two pages.
4. Select LICENSES.
5. Verify that Enterprise Mobility Suite exists in the list, and has 100 active units that will expire in approximately 3 months.
6. Click ASSIGN (button at the bottom of the page) and you will see the list of users that the demo created for you.
7. Review the ASSIGNMENT STATUS column; most of the users should be Enabled.
8. Click Search (icon to the right of the ASSIGNMENT STATUS column), then type admin.
9. Ensure the admin user is Enabled; if not, add it to ASSIGN, then click Complete (checkmark icon).
10. Repeat these steps for user GarthF.

4. Configure the Office 365 Tenant

Task: Add your public domain to O365 (so that you can receive emails for your domain accounts, for example)
Detailed steps:
1. Go to the Office 365 Admin portal at (still as the Global Admin, admin@<YourTenant>.).
Note: The UI is being developed all the time, and you will see small differences everywhere. However, at this point you may be guided towards an entirely new Admin Center (and so these instructions simply will not work). You should find a link in the upper right corner of the "Home" page that allows you to switch back to the old admin center.
2. Click the Admin icon to go to the Office 365 admin center, and click DOMAINS.
Note: At some point you may be asked to verify your account and/or set up authentication methods. You should complete this.
3. You should see your MODnnnn domain, but we will add your public one, so click Add Domain, then Let's get started.
4. Enter your public domain name (the one you probably registered with Hover using the instructions at the start of this document), for example , and then click Next.
5. A page opens with instructions on how to add a TXT record to your DNS. Copy the value from the TXT value field.
Note: The following steps assume that you used Hover to host your DNS; use similar steps for other providers.
6. In another tab or window in Internet Explorer if necessary, log on to and click YOUR ACCOUNT and DOMAINS.
7. Click DNS and click ADD NEW.
8. Enter the hostname as @, the Record Type as TXT, and paste the value you just copied.
9. Click SAVE.
10. Back in the Office portal, click OK, I've added the records.
11. Once that is verified, click Next, scroll to the bottom of the page and click skip this step.
12. Click skip this step (add new users).
13. Click Next, select No, I have an existing website or prefer to manage my own DNS records, and click Next.
14. Click Next (which services).
15. Copy the Points to address or value for the MX record (like ocglearningemsdemo-com.mail.protection.).
16. Back in the Hover portal, on the DNS page, click ADD NEW.
17. Enter the hostname as @, the Record Type as MX, the Priority as 0, and paste the value you just copied.
18. Click SAVE.
19. From the Office portal page, copy the Points to address or value for the CNAME autodiscover record (like autodiscover.).
20. Switch back to Hover and click ADD NEW.
21. Enter the hostname as autodiscover, the Record Type as CNAME, and paste the Target Host you just copied.
22. Click SAVE.
23. From the Office portal page, copy the Points to address or value for the TXT @ record (like v=spf1 include:spf.protection. -all).
24. Switch back to Hover and click ADD NEW.
25. Enter the hostname as @, the Record Type as TXT, and paste the value you just copied.
26. Click SAVE.
27. Remove any default records that conflict with your new records (e.g. the default MX record).
28. Back in the Office portal, click OK, I've added the records.
Note: O365 will complain, but we will not need all these records, which cover such things as autodiscover for Outlook and Lync communication, neither of which we are using in these labs.
29. Click ignore these errors and Finish.
30. If there are any further steps to complete in the wizard, complete them.

Task: Manage EMS and Office 365 licenses
Detailed steps:
1. Still in the Office 365 admin center, expand BILLING and then Licenses.
Note: The demo environment comes with a pool of 100 EMS licenses, and a pool of 25 Office 365 (E5) licenses. You should be able to see that the provisioning process has assigned nearly all licences. We will need a pool of available licenses later on, and we do not need all those currently licensed to remain licensed, so we will unassign some. Also our admin account needs a license. EMS licenses can be managed in the Azure portal (you will see this later) or the O365 portal; Office 365 licenses can only be managed in the O365 portal, so that is the one we will use (and we are here anyway!).
2. Still in the Office 365 admin center, expand USERS and click Active Users.
Note: You are seeing "All users". You could select a different view, for example "unlicensed users". However, "licensed users" (which would be helpful just now) is not one of them!
However, most of our users are licensed as it happens.
3. Scroll down and move to the next page, and after checking carefully that you are looking at users whose names start with B, C or D (we want to preserve the As), select all these users.
4. Click Edit and, in the Bulk edit users wizard, click Next until you get to the Licenses page.
5. On the Licenses page, select Replace existing license assignments and ensure that no licenses are selected.
6. Click Submit.
7. Click Finish.
8. Go back to BILLING and Licenses and check that you now have about 20 EMS licences available, and some E5s too.

Task: Make a new (backup) Global Administrator
Note: It is good practice to have a back-up admin. Anyway, this is a useful additional exercise.
Detailed steps:
1. Back in USERS and Active Users, click New (the + sign) to add a new user:
   First Name: Admin
   Display Name: Admin
   User Name: Admin@<YourDomain>.<xxx>
2. Type in a password and de-select the "make this person..." checkbox.
3. Ensure that you add Office 365 Enterprise E5 and EMS licenses, and then click Create.
4. Select Admin in the Display Name column.
5. In the right panel, click EDIT USER ROLES.
6. Select Global Administrator.
7. Add a valid alternate email address (an email address that you can access).
8. Click Save.
9. Click Close.
Note: This could have been done equally well in the Azure Management Portal. If you were to log on with this new admin account now, you would get a message saying that it is not associated with a subscription. In order that it can really be used to administer, we will make it a subscription co-administrator.
10. Close all IE sessions.
11. Open a browser and sign in at using your Microsoft Account (this is the account you used when you signed up for the Azure trial; you might have used your @ or @ account).
12. Select Default Directory and then click USERS.
13. Click ADD USER and select the type of user User in another Windows Azure AD Directory.
14. Enter the user name as the admin account you just created (admin@<YourDomain.xxx>) with role Global Admin.
Note: The reason we do this is because a co-administrator of the subscription must come from the default directory. As mentioned above, we could simply have done everything in the default directory, but it is instructional to show how to use another directory (for example you could delegate control of a directory to someone, without granting them access to the default directory).
15. Click the Tick.
16. Click the Back button (big left arrow near the top left), then scroll down the left navigation bar and select SETTINGS (this is last in the list at the time of writing).
Note: The directory associated with the subscription is the default directory, but we want that to be our new directory. You need to make this change before adding co-administrators, as this step overrides co-administrators.
17. Select your subscription and click ADMINISTRATORS.
18. Click ADD, enter the email address of the admin, admin@<YourDomain.xxx>, select your subscription, and confirm (tick).
19. Close all IE sessions.

5. Create your "On-Premises" Environment

You are going to be using "hydration" to create some servers to act as your on-premises environment. This is a PowerShell script and an XML configuration file, which will generate Virtual Machines in your Azure tenant.
For this you will need a Cloud Service and a Storage Account.

Create a Cloud Service

The Cloud Service is required to create a public IP address through which our VMs can be accessed over the internet. To ensure the "Public Virtual IP (VIP) Address" is maintained even after all the VMs are turned off and de-allocated (to prevent cost), a reserved IP address can be set for the Cloud Service. A public IP address is reserved automatically by Hydration.

Task: Create an Azure Cloud Service
Detailed steps:
1. Go to the Azure Management Portal (), logging in as admin@<YourDomain>.xxx, and select CLOUD SERVICES from the navigation bar on the left.
Note: When you first log in as this new admin you will go through the phone/email verification process.
2. Select + NEW (bottom left).
3. Select QUICK CREATE.
4. Enter the URL of your Cloud Service as <YourDomain>.
Note: In principle this can be any name you like that is not already claimed, but for ease of scripting and troubleshooting in this lab, you MUST use your domain name (which you have already established as being unique).
5. Enter the Region or Affinity Group for your Cloud Service. You can choose any region, but whatever you choose, you will have to make sure you stick with that region (see below).
6. Complete the wizard (CREATE CLOUD SERVICE tick).

Create a Storage Account

The Storage Account will be used to store all your Virtual Machines, including the VHDs.

Want to know more about Storage Accounts? If you want to learn more about Storage Accounts, go to What is a Storage Account? at .

Task: Create an Azure Storage Account
Detailed steps:
1. Select STORAGE from the navigation bar on the left.
2. Select + NEW (bottom left).
3. Select QUICK CREATE.
4. Enter the Name of your Storage URL as <YourDomain>.
Note: This can be any name you prefer as long as it is not already taken, but again, for ease of scripting and troubleshooting in this lab, you should try to use your domain name.
5. Enter the Region or Affinity Group for your Storage Account; choose the same one as you chose for your Cloud Service.
Note: In principle you can choose any region; the only rule is that this must be the same Region as your Cloud Service, and the same as the location specified in Hydration later on.
6. Select Locally Redundant for REPLICATION.
Note: The replication method used hardly matters for the purposes of our labs, but more generally you will want to choose between Locally-Redundant (three copies of your data within a primary region), Zone Redundant (more resilient in that the three copies are split between data centres in the same primary region), Geo-Redundant (yet more resilient in that there are three additional copies hundreds of miles away in a secondary region, so for North Europe that would be West Europe), and Read-Access Geo-Redundant (allowing read-only access in the secondary region).
7. Click CREATE STORAGE ACCOUNT by clicking the "tick symbol" at the bottom right of the screen.

Hydrate the "On-Premise" Environment

To quickly stand up the foundation for the lab environment we are using "Hydration".
Hydration will install the following in Azure IaaS:
DC1: server provisioned with the following roles installed: Active Directory Domain Services, DNS
WinServer: server provisioned, and domain joined
PROXYSERVER: server provisioned, but not domain joined, and with the IIS role installed

Before running Hydration you must have completed the above tasks, so that you have:
Your Cloud Service name
Your Storage Account name (remember that the location of your VMs will be the same as the Cloud Service and Storage)
Your Azure subscription logon details
Your Domain name

Task: Download the lab provisioning PowerShell script
Detailed steps:
1. In a browser, navigate to the site: (the link has changed to: ). You will be required to log on with a Microsoft Account (@, @, @, etc.).
2. Select the Download link for the file named Hydration10.zip (actually called Hydration10_1512 and approximately 119 MB at the time of writing, but the name may change again).
3. Select Save to save the file in the Downloads folder on your computer.
4. When the zip file has completed downloading, open it and extract all the files to your local hard drive, preferably directly to the C:\ drive, resulting in a folder C:\Hydration10.

Task: Install Azure PowerShell
Detailed steps:
1. Start Internet Explorer and navigate to and, under the Installing Azure PowerShell from WebPI heading, click the Azure PowerShell link.
2. When prompted by Internet Explorer to run or save the executable, select Run, and then Yes.
3. On the Windows Azure PowerShell screen, select Install.
4. When prompted, select I Accept.
5. After installation completes, select Finish (a reboot may be required, even tho).
6. Select Exit.

Task: Set PowerShell execution policy to unrestricted
Detailed steps:
1. Start Microsoft Azure PowerShell as administrator (navigate to the Start screen, type Microsoft Azure PowerShell, right-click Microsoft Azure PowerShell in the search results, click Run as administrator, and click Yes).
Note: If you do not see a Microsoft Azure PowerShell app, just run PowerShell.
Your $env:PSModulePath setting should include the directories containing the Azure PowerShell cmdlets anyway.
2. Enter the following command (note that the dashes are ordinary hyphens, not the long dashes a word processor may substitute): Set-ExecutionPolicy -Scope Process Unrestricted -Force

Task: 'Fix-up' the hydration environment to work correctly with our environment (HYD_EMS_CloudOnly.xml, EntMobTR20.xml)
Detailed steps:
1. Navigate to the directory where you extracted Hydration10, e.g. C:\Hydration10.
2. Copy the file EMSTraining.XML (provided with this training) into the Hydration10\LabDefinitions folder.
3. From the C:\Hydration10\LabDefinitions folder, edit the EMSTraining.XML file you just copied into it.
4. Find the AzureLocation tag and ensure it exactly matches the one you used for your Cloud Storage earlier (like West US), and save it.
5. Find all YourDomain.xxx and replace with your domain name, like .
6. Find all YourDomain and replace with your domain name, like OCGLearningEMSDemo.
7. Find all P@ssw0rd and replace with pass@word1.
8. Close the editor, saving the XML file.
9. In your PowerShell session, switch to the Hydration10 folder and enter the command .\SetupLab.ps1 -Mode Azure -LabConfigFile <the path and name of the xml file you just saved>
10. When asked, authenticate using your admin@<YourDomain>.com account (as it needs a global admin).
Note: If multiple subscriptions, Storage Accounts, or Cloud Services are found, the process will prompt so that you can select the correct one. This should not apply to you, but if you are prompted, you need to enter the number corresponding to the proper subscription, Storage Account, or Cloud Service in the input box at the bottom of the wizard and select Next to continue.
If you are unsure, break out of the script and in PowerShell enter Get-AzureSubscription. This returns your list of subscriptions with more details, so that you can be certain you identify the correct one. The subscription list is presented in the same order in both the command and in the hydration script, so if it is number 5 here, it will be number 5 when you run the SetupLab command in step 9 above.
IMPORTANT: If you encounter an error during script execution, try to rerun the script (by running .\SetupLab.ps1 -Mode Azure -LabConfigFile etc.). The script has been written so that it may be executed multiple times until all tasks complete successfully. If you receive the same error at the same step on multiple script executions, contact lab support.

Check the Environment

Note: It may take a while to complete the hydration process (more than a few minutes, but usually less than a few hours). You will be able to see whether or not your script is still running, of course, but you can also go to VIRTUAL MACHINES in the Azure management portal; eventually you should have three new ones.

Task: Log on to DC1 and modify the admin account details
Detailed steps:
1. Select VIRTUAL MACHINES from the navigation bar on the left (you will also find them easily through ALL ITEMS at the top of the navigation bar).
Note: At this point, pay attention to the difference between clicking the DC1 "button" (for example), which takes you to a dashboard, and selecting the DC1 "row" (click to the right of the DC1 button).
2. Select DC1 (the DC1 row) and click Connect (from the tool bar at the bottom).
3. Log on as Corp\LabAdmin using the password pass@word1 (this was configured as part of the hydration).
Note: The PowerShell script kicked off some further configuration.
If that is still running, wait for it to finish.
4. Click Start and Administrative Tools, then select Active Directory Users and Computers.
5. Under Users, find the LabAdmin account and double-click it to open its properties.
6. On the Account tab, note that the domain\sAMAccountName is CORP\LabAdmin, and change the User logon name (the userPrincipalName) to LabAdmin@<YourDomain>.<xxx>.
7. Click OK.

Task: Create and populate the AllFiles folder
Detailed steps:
1. Still on DC1, create a folder C:\AllFiles and extract the contents of AllFiles.zip (which should have been provided to you) directly into it. (The original guide shows a screenshot of the resulting folder contents here.)
2. Locate UsersEtc.ldf in C:\AllFiles and edit it using Notepad.
Note: This is an LDIF file which will shortly be imported into Active Directory, creating some OUs, users, groups and contacts. You may care to browse through it.
3. From the Edit menu, click Replace...
4. Next to Find what, enter .xyz
5. Next to Replace with, enter your top-level domain, for example .com
6. Click Replace All.
7. Next to Find what, type <YourDomain> (type all of this, including the <>).
8. Next to Replace with, enter the name of your domain (without the top-level domain), for example OCGLearningEMSDemo.
9. Click Replace All.
10. Next to Find what, type <xxx> (type all of this, including the <>).
11. Next to Replace with, enter your top-level domain, for example com.
12. Click Replace All.
13. Save the file and close it.
14. Using Notepad, edit the file MakeUsersEtc.bat.
Note: This is a batch file which will use LDIFDE.EXE to load the above LDIF file, and also set passwords and enable users.
15. From the Edit menu, click Replace...
16. Next to Find what, type <YourDomain>
17. Next to Replace with, enter the name of your domain (without the top-level domain), for example OCGLearningEMSDemo.
18. Click Replace All.
19. Next to Find what, type <xxx>
20. Next to Replace with, enter your top-level domain, for example com.
21. Click Replace All.
22. Save the file and close it.
23. Open an elevated command prompt (run CMD as Administrator), clicking Yes on the User Account Control dialog (if any).
24. Change to the AllFiles directory (cd \AllFiles).
25. Enter the command MakeUsersEtc.bat
26. Run Active Directory Users and Computers and verify that you now have a Corporate OU (not the CORP one, which you can delete if you like), with sub-OUs, groups, users and contacts.
Note: If you made a mistake and this has not worked, you can delete the entire structure from OU=Corporate down, fix the problem, and try again (run MakeUsersEtc.bat again).

Task: Configure the IE Enhanced Security policy
Detailed steps:
1. Launch Server Manager and click Local Server.
2. Next to IE Enhanced Security Configuration, click On, and switch it off for Administrators and Users (this makes navigating external websites a lot easier in future).

Task: Log on to the other two servers
Detailed steps:
1. Back in Internet Explorer, if necessary select VIRTUAL MACHINES from the navigation bar on the left.
2. Select PROXYSERVER and click Connect.
3. Log on as LabAdmin (this one is not domain joined).
Note: Again, the PowerShell script kicked off some further configuration, which should finish soon, if it has not already done so.
4. Back in Internet Explorer, select WinServer and click Connect.
5. Log on as CORP\LabAdmin (you can use LabAdmin@<YourDomain>.<xxx> if you like).
Note: And once more, the PowerShell script kicked off some further configuration, which should finish soon, if it has not already done so.

Request SSL Certificates

You will need some public certificates later in the course. We will do this now, so that time is not wasted later. You can obtain public certificates from different certificate providers, such as SSLs, DigiCert and namecheap. There are two options:
Obtain a public SSL certificate for each Web Application service exposed to the internet; you will only need two SSL certificates for this course.
Obtain a single Wildcard certificate you can use for all Web Application services (for example "*.").
Purchasing one Wildcard certificate will be considerably more expensive, but will offer the flexibility to use the certificate for other Web Application services in the future.
These notes assume that you will take the individual certificate option.

Add the IIS Role to your Member Server

We will need IIS later anyway, but we are adding the role now so that you can easily request SSL certificates.

Task: Add the IIS role to the WinServer server, and switch off enhanced security for your admin account
Detailed steps:
1. If necessary, log on to the WinServer server (with your LabAdmin account).
2. Run Server Manager.
3. Select Manage and then Add Roles and Features.
4. Click Next until you get to Server Roles.
5. Select the role Web Server (IIS) and click Add Features.
6. Click Next 3 times.
7. On the Select role services page, under Web Server - Security, select Windows Authentication.
8. Complete the wizard.
9. While you are in Server Manager, click Local Server.
10. Next to IE Enhanced Security Configuration, click On, and switch it off for Administrators and Users (this makes navigating external websites a lot easier).
11. Close Server Manager.

Task: Create two certificate requests
Detailed steps:
1. Run IIS Manager (decline the offer to get started with Microsoft Web Platform).
2. Select the WINSERVER server and double-click Server Certificates.
3. Click Create certificate request and enter the Common Name as STS.<YourDomain>.xxx, filling in the form as follows (but using your own domain; this is just an example):
   (The original guide shows a screenshot of the completed request form here.)
4. Click Next, set the Bit Length to 2048 (leave the provider as the default) and click Next.
5. Click the ... and browse to a suitable location (perhaps creating a folder C:\Certs).
6. Enter a filename (for example STS) and click Open.
7. Click Finish.
8. In IIS, click Create Certificate Request (again).
9. This time the Common Name is AP.<YourDomain>.xxx, but otherwise as before.
10. Click Next, set the Bit Length to 2048 (leave the provider as the default) and click Next.
11. Click the ... and browse to a suitable location (perhaps in the C:\Certs folder).
12. Enter a filename (for example AP) and click Open.
13. Click Finish.

Task: Order two SSL public certificates (this uses , but the process for others will be similar)
Note: Take care with how you enter all this data; it is really easy to get it wrong! Also do not mix up your STS and AP certs!
Detailed steps:
1. Still in your WinServer VM, run Internet Explorer and browse to .
2. Choose a suitable SSL product by clicking the shopping basket for the product (the author chose PositiveSSL).
3. Click the shopping basket (top right).
4. Select Valid for 1 yr and click Checkout.
5. Enter your email and other details and complete payment.
6. Click ACTIVATE.
7. You now have to provide your certificate signing request: open the STS.txt file you just saved in C:\Certs, and copy its entire contents.
8. Paste into the CSR box and click Read my CSR.
9. Next you may be asked to confirm the server type, and obviously you select WINDOWS.
10. You now go through a series of LOOKS GOOD, ONWARD and ONWARD until you get to Confirm that you own domains.
11. Select RECEIVE AN EMAIL and CAREFULLY! select admin@<YourDomain>.<xxx> (remember that we set up admin with email, and configured an MX record earlier on).
Note: It is all too easy to have this email sent to the wrong address, and end up spending a lot of time trying to sort that out later.
12. Click GOT IT, ONWARD.
13. Enter more details and click ONWARD. Validation is now in progress.
14. Click CERTS and again choose a product, clicking its basket.
15. Click the basket (at the top), change to valid for 1 yr and check out again.
16. Click ACTIVATE.
17. Again provide your certificate signing request, but this time using the AP.txt certificate request you saved earlier.
18. Paste into the CSR box and click Read my CSR.
19. Again you may be asked to confirm the server type, and obviously you select WINDOWS.
20. Again go through a series of LOOKS GOOD, ONWARD and ONWARD until you get to Confirm that you own domains.
21. Select RECEIVE AN EMAIL and select admin@<YourDomain>.<xxx>.
22. Click GOT IT, ONWARD.
23. Enter more details and click ONWARD. Validation of this is also now in progress.

Task: Validate your orders and complete the process
Detailed steps:
1. In another tab of Internet Explorer, navigate to , signing in as admin@<YourDomain>.<xxx>.
Note: You should use the password that you noted earlier and change the password to pass@word1.
2. Click Mail, choose a language and time-zone and click Save.
3. You should have received two approval emails; complete the approval process in both cases.
4. Switch back to the other tab and wait for activation to complete (it may take a while; you will have to refresh periodically to check).
5. Once completed, you can select one of the certificates (be sure about which one) and download it (if it is in a zip, extract it once downloaded).
6. In IIS, click Complete Certificate Request.
7. Browse to your certificate, enter a friendly name (like STS) and click OK.
8. In Internet Explorer, click Purchased Certs under your login name, select the other certificate and download it (if it is in a zip, extract it once downloaded).
9. In IIS, click Complete Certificate Request.
10. Browse to your certificate, enter a friendly name (like AP) and click OK.
11. You are done; you can close everything!
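Added example (written for this edit; not part of the original guide or the Hydration kit): the certificate orders above are approved through email delivered to admin@<YourDomain>.<xxx>, which only works if the TXT, MX, CNAME and SPF records entered at the registrar in the Configure the Office 365 Tenant section resolve correctly and no conflicting default MX record was left behind. The PowerShell function below queries public DNS for those records and reports each one; the function name, the resolver address and all expected values are assumptions you replace with the exact strings the Office 365 domain wizard showed you.

```powershell
# Added check, not from the original guide. Requires the DnsClient module
# (Resolve-DnsName), present on Windows 8 / Server 2012 and later.
function Test-O365DomainDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,             # e.g. yourdomain.xxx
        [Parameter(Mandatory)] [string] $VerificationTxt,    # TXT value from the wizard's "add a TXT record" page
        [Parameter(Mandatory)] [string] $SpfTxt,             # TXT @ value from the wizard (starts with v=spf1)
        [Parameter(Mandatory)] [string] $MxTarget,           # MX "Points to address" value from the wizard
        [Parameter(Mandatory)] [string] $AutodiscoverTarget, # CNAME autodiscover target from the wizard
        [string] $Server = '8.8.8.8'   # assumption: a public resolver, so a stale local cache cannot mislead you
    )

    # Query one record type; treat NXDOMAIN or no answer as an empty result rather than an exception.
    function Get-Records([string] $Name, [string] $Type) {
        try {
            Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $Type }   # drop additional/authority records the resolver appends
        } catch { @() }
    }
    # Trailing dots and letter case are not significant in DNS names.
    function Normalize([string] $Name) { $Name.TrimEnd('.').ToLowerInvariant() }

    $txt   = @(Get-Records $Domain 'TXT' | ForEach-Object { $_.Strings -join '' })
    $mx    = @(Get-Records $Domain 'MX')
    $cname = @(Get-Records "autodiscover.$Domain" 'CNAME')

    # A domain must publish exactly one SPF record; two or more are treated as a permanent error by receivers.
    $spfRecords = @($txt | Where-Object { $_ -like 'v=spf1*' })
    # Any MX that is not the Office 365 one (e.g. the registrar's default) can divert mail elsewhere.
    $extraMx = @($mx | Where-Object { (Normalize $_.NameExchange) -ne (Normalize $MxTarget) } |
                     ForEach-Object { $_.NameExchange })

    $result = [ordered]@{
        Domain            = $Domain
        VerificationTxtOk = ($txt -contains $VerificationTxt)
        SpfOk             = ($spfRecords.Count -eq 1 -and $spfRecords[0] -eq $SpfTxt)
        MxOk              = ($mx.Count -eq 1 -and
                             (Normalize $mx[0].NameExchange) -eq (Normalize $MxTarget))
        ExtraMxRecords    = $extraMx
        AutodiscoverOk    = ($cname.Count -ge 1 -and
                             (Normalize $cname[0].NameHost) -eq (Normalize $AutodiscoverTarget))
    }
    $result.AllOk = $result.VerificationTxtOk -and $result.SpfOk -and $result.MxOk -and $result.AutodiscoverOk
    [pscustomobject]$result
}

# Usage (constructed placeholder values; paste the real strings from the wizard):
# Test-O365DomainDns -Domain 'yourdomain.xxx' -VerificationTxt '<TXT value from wizard>' `
#     -SpfTxt '<TXT @ value from wizard>' -MxTarget '<MX value from wizard>' `
#     -AutodiscoverTarget '<CNAME target from wizard>' | Format-List
```

Registrar changes can take some minutes to reach public resolvers, so a failing result immediately after saving the records is not yet a misconfiguration; a non-empty ExtraMxRecords list, however, means step 27 of the domain task (remove the default MX) was missed.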