misc: how to set different certificate validity period for root and subordinate certificate authority (CA)

Here is a little issue that took me a good while to understand and figure out, as I thought this value is set during the initial install through the console or by the .inf file, as MS recommends. Nope, it didn't work that way.

My setup consists of one standalone root CA with 30-year validity, which will be turned off and stored in a safe place for many, many years, and two subordinate enterprise CAs in two sites which will perform all cert-related tasks with 15-year certificate validity... simple enough. All three are 2012 R2 servers.

Adding the role and promoting the servers is as easy as you would expect. The trick is to get the right validity on the subordinates. Regardless of what validity term is set for the root CA's own certificate, a standalone root CA issues a 1-year certificate to subordinates by default: the lifetime of the certificates a CA issues is a separate setting from the lifetime of the CA's own certificate. The fix is to change the default registry values on the root CA, before you submit the subordinate's request, with the following commands:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "15"

Restart the certificate services (CertSvc) right away; the values are read when the service starts. Note that no CA can issue a certificate that outlives its own certificate, so whatever you set here is capped by the remaining lifetime of the issuing CA's certificate. To check the registry values for the validity period, use:

certutil -getreg ca\val*

If the subordinate CA service fails to start with an error that the revocation server was offline, the CA cannot fetch the root CA's CRL from the CDP location listed in its own certificate. The proper fix is to publish the root CRL to that location; as a temporary override you can tell the CA to ignore the offline check with this command:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Then restart the service (or reboot) and ignore the error: the service will start. Do not leave this flag set longer than necessary, because with it the CA starts even when the revocation status of its own certificate chain cannot be checked.

To roll back and enable the revocation server check again:

certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE
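As an added example (not part of the original post), the PowerShell below audits the three things discussed above on a CA: the configured issued-certificate validity, whether that validity is actually achievable given the CA's own certificate expiry, and whether the CRLF_REVCHECK_IGNORE_OFFLINE override is still set. It assumes the standard CertSvc registry layout (Configuration\Active naming the hosted CA, and CACertHash listing the CA certificate thumbprints) and is meant to be run elevated on the CA itself.

```powershell
# Added example, not from the original post: audit a Windows CA's issued-certificate validity
# settings and the revocation-check override. Run in an elevated prompt on the CA.
# Assumption: standard CertSvc registry layout under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc.

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active   # name of the CA hosted here
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# 1. What the CA is configured to issue (the values certutil -setreg ca\ValidityPeriod* write).
$units  = [int]$cfg.ValidityPeriodUnits
$period = [string]$cfg.ValidityPeriod
"CA '$caName' issues certificates valid for $units $period"

# 2. The CA's own certificate. Issued certificates are truncated to its NotAfter, so a
#    15-year setting on a CA whose certificate expires in 3 years only yields 3-year certs.
#    CACertHash is REG_MULTI_SZ; the last entry is the newest CA certificate (assumption).
$hash   = ($cfg.CACertHash | Select-Object -Last 1) -replace ' ', ''
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $caCert) { throw "CA certificate with thumbprint $hash not found in LocalMachine\My" }
$caExpires = $caCert.NotAfter
"CA certificate expires on $($caExpires.ToShortDateString())"

$now = Get-Date
$requested = switch ($period) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unexpected ValidityPeriod value '$period'" }
}
if ($requested -gt $caExpires) {
    Write-Warning ("Configured validity would run to $($requested.ToShortDateString()) but the CA " +
                   "certificate expires $($caExpires.ToShortDateString()); issued certs will be cut short.")
}

# 3. The offline-revocation override. certutil prints the symbolic flag names, so match on
#    the name instead of decoding the CRLFlags bitmask.
$crlFlags = (& certutil.exe -getreg ca\CRLFlags 2>&1) | Out-String
if ($crlFlags -match 'CRLF_REVCHECK_IGNORE_OFFLINE') {
    Write-Warning ('CRLF_REVCHECK_IGNORE_OFFLINE is set: the CA starts without verifying revocation ' +
                   'of its own chain. Once the root CRL is published to the CDP, clear it with:')
    '  certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE ; Restart-Service CertSvc'
}
```

Run it on the root CA before submitting the subordinate request (to confirm the 15-year setting and that the 30-year root certificate can honour it), and again on each subordinate once it is up, where the second check will normally tell you the subordinate's 15-year certificate caps anything it issues.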

Windows: Robocopy all files, share permissions and NTFS security attributes to new servers

Robocopy is the tool of choice for copying files between Windows machines. Not only does it compare files and copy only what has changed, it can copy all NTFS security information (DACL, owner and auditing entries) along with the files and folders. This is particularly important in high-security environments where share permissions alone are not enough and administrators rely on NTFS permissions to lock down access to individual files or folders within a partition. The command below is what I used to copy 15 TB of ACL-based data to a new server:

ROBOCOPY Q:\ X:\ /S /J /ZB /MIR /DCOPY:DAT /COPY:DATSOU /SECFIX /TIMFIX /MT:48 /R:3 /W:5 /XD: "SYSTEM VOLUME INFORMATION" RECYCLER $RECYCLE.BIN RECYCLED /LOG+:C:\ROBO181215.LOG

With the above command you copy everything from the source server/disk to the destination with all security information, and every time the command is run it re-checks the permissions and fixes them as necessary: /SECFIX applies the source security descriptor even to files that are otherwise skipped as unchanged, and /COPY:DATSOU includes the owner and auditing information, which needs administrative (backup/restore) rights; /ZB lets robocopy fall back to backup mode when a file would otherwise be inaccessible. It also excludes the folders listed after the /XD switch. Be aware that /MIR mirrors the tree, so anything present at the destination but missing from the source is deleted; double-check source and destination before running it against a populated target.

It is important to note that when you copy files to a Windows 2012 server you may not have explicit permissions on the source folders, and when you click on a destination folder in Explorer you will be asked to click Continue to get access. Doing so adds an entry for your account to that folder's ACL, so the destination no longer matches the source and robocopy has to fix the permissions again during the next sync, which prolongs the operation significantly. Therefore, if you need to run this command several times until it is time to cut over to the new server, do not browse those folders and force a permission change until you are done. Simply run the command as many times as needed until it is time to migrate. Once you are on the new server, feel free to alter those permissions and fix whatever needs fixing.
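As an added example (not from the original post), the following PowerShell function checks after a robocopy pass that the destination tree's NTFS security descriptors actually match the source and lists what differs, which is exactly what an Explorer "Continue" click would break. The function and its parameter names are my own; the paths Q:\ and X:\ in the usage line are the placeholders from the command above.

```powershell
# Added example, not from the original post: compare NTFS security descriptors (as SDDL)
# between a source tree and its robocopy destination. Run elevated with read access to both.
function Compare-NtfsAcl {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$IncludeAudit      # also compare the SACL (needs SeSecurityPrivilege, i.e. admin)
    )
    $src = Get-Item -LiteralPath $Source
    $dst = Get-Item -LiteralPath $Destination
    $srcPrefixLen = $src.FullName.TrimEnd('\').Length

    # Walk the source tree, including the root itself, and locate each item's counterpart.
    $items = @($src) + @(Get-ChildItem -LiteralPath $Source -Recurse -Force)
    foreach ($item in $items) {
        $rel    = $item.FullName.Substring($srcPrefixLen).TrimStart('\')
        $target = if ($rel) { Join-Path $dst.FullName $rel } else { $dst.FullName }

        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ Path = $rel; Status = 'MissingAtDestination'; Source = ''; Destination = '' }
            continue
        }

        # SDDL covers owner, group and DACL; with -Audit it also carries the SACL,
        # i.e. everything /COPY:DATSOU transfers.
        $s = (Get-Acl -LiteralPath $item.FullName -Audit:$IncludeAudit).Sddl
        $d = (Get-Acl -LiteralPath $target        -Audit:$IncludeAudit).Sddl
        if ($s -ne $d) {
            [pscustomobject]@{ Path = $rel; Status = 'AclDiffers'; Source = $s; Destination = $d }
        }
    }
}

# Usage (placeholders): list every folder or file whose security differs after a sync.
$diff = Compare-NtfsAcl -Source 'Q:\' -Destination 'X:\'
$diff | Format-Table Path, Status -AutoSize
```

Two things to keep in mind when reading the output: inherited ACEs come from the parent, so if the two volume roots have different ACLs every child will differ in the same way (check the root entry first), and Get-Acl is far slower than robocopy, so on a multi-terabyte tree run it against a representative subtree rather than the whole volume.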

To migrate the shares to the new server, export the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares, import it on the new server and reboot (restarting the Server service also works). All your shares will be active on the new server immediately. The share-level permissions live in the Security subkey underneath and come along with the export, but they are stored as SIDs, so entries for accounts local to the old server will not resolve on the new one, and the shared paths (drive letters and folder names) must be identical on both servers.
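As an added example (not the method used in the post, which imports the LanmanServer\Shares registry key), here is the same migration done with the SmbShare cmdlets that ship with Windows Server 2012 and later. The export half records each share's path, description, access-based enumeration setting and share-level ACL; the import half recreates the shares with exactly those ACEs instead of the default "Everyone: Read". The file path C:\Temp\shares.xml is a placeholder, and the script assumes robocopy has already created the folders on the new server.

```powershell
# Added example, not from the original post: export SMB shares and their share-level ACLs
# on the old server, then recreate them on the new one. Requires the SmbShare module
# (Windows Server 2012+). Run elevated on each server.

$export = 'C:\Temp\shares.xml'    # placeholder; copy this file to the new server between the two halves

# --- On the old server: capture every non-administrative share and its ACEs. ---
$shares = Get-SmbShare -Special $false | ForEach-Object {
    [pscustomobject]@{
        Name                  = $_.Name
        Path                  = $_.Path
        Description           = $_.Description
        FolderEnumerationMode = [string]$_.FolderEnumerationMode   # AccessBased or Unrestricted
        Access                = @(Get-SmbShareAccess -Name $_.Name |
                                  Select-Object AccountName, AccessControlType, AccessRight)
    }
}
$shares | Export-Clixml -Path $export

# --- On the new server: recreate each share with the recorded permissions. ---
foreach ($s in Import-Clixml -Path $export) {
    if (-not (Test-Path -LiteralPath $s.Path)) {
        Write-Warning "Skipping $($s.Name): path $($s.Path) does not exist here"; continue
    }
    if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Share $($s.Name) already exists, leaving it alone"; continue
    }

    New-SmbShare -Name $s.Name -Path $s.Path -Description $s.Description `
                 -FolderEnumerationMode $s.FolderEnumerationMode | Out-Null
    # New-SmbShare grants Everyone Read by default; remove it so only the old ACEs apply.
    Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force | Out-Null

    foreach ($ace in $s.Access) {
        if ([string]$ace.AccessControlType -eq 'Deny') {
            Block-SmbShareAccess -Name $s.Name -AccountName $ace.AccountName -Force | Out-Null
        } elseif ([string]$ace.AccessRight -in 'Full', 'Change', 'Read') {
            Grant-SmbShareAccess -Name $s.Name -AccountName $ace.AccountName `
                                 -AccessRight $ace.AccessRight -Force | Out-Null
        } else {
            # 'Custom' rights cannot be expressed with Grant-SmbShareAccess; flag for manual review.
            Write-Warning "Share $($s.Name): custom ACE for $($ace.AccountName) not recreated"
        }
    }
    "Recreated share $($s.Name) -> $($s.Path) with $($s.Access.Count) ACE(s)"
}
```

Because the ACEs are recreated by account name rather than imported as raw SIDs, accounts local to the old server fail loudly here (Grant-SmbShareAccess cannot resolve them) instead of silently becoming orphaned SIDs in the share ACL.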

Windows: Cannot team Broadcom NetXtreme adapters. Please select an adapter with NDIS 6 driver error.

This is most likely caused by a software firewall such as Symantec Endpoint Protection or Vipre Enterprise. Disabling it usually does not help either. You will have to uninstall the firewall and then attempt to team your adapters. If that does not work, uninstall both the firewall and BASP, reinstall BASP, create the team, and then reinstall your firewall.