anyweb

This series is comprised of different parts, listed below. Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA (this part) Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health In part 1 of this series, you configured your LAB for a 2 tier PKI hierarchy running on Windows Server 2016. You used PowerShell to create some virtual machines, and then installed Windows Server 2016, Windows 10 Enterprise version 1803 and optionally Smoothwall 3.1 before configuring the IP address scheme and Computer Names on the virtual machines. Finally you configured ADDS on DC01 so that you have a working Domain Controller for the rest of this LAB. In this part you'll install and do initial configuration on the Standalone Offline Root CA. What is a Standalone Offline Root CA ? If you've never dealt with PKI before you are probably wondering what a Standalone Offline Root CA is and why do you need it. I'll quote the following paragraph from the excellently written article about a Standalone Offline Root CA here. If you don't read the article itself, at least read the Quote below. To cut a long story short, you should use a Standalone Offline Root CA because it lowers the possibility of compromise and ensures reliability of your Certificate Authority infrastructure. Step 1. Create a CAPolicy.inf file Before installing the Standalone Offline Root CA, you should create a CAPolicy.inf to define 'default' settings for CA templates, some of these settings cannot be changed later and you want them in place before creating any certificates on the Standalone Offline Root CA. So now that you know that you should create the file as a first step, let's go and do that. On the #11_RootCA virtual machine (RootCA), login as Administrator using the password specified. Open an administrative command prompt and type the following: notepad C:\Windows\CAPolicy.inf and press ENTER, when prompted to create new file, click Yes. Paste in the following text into the new CAPolicy.inf file. [Version] Signature="$Windows NT$" [Certsrv_Server] RenewalKeyLength=4096 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=20 AlternateSignatureAlgorithm=0 Once done, save the file. Note: Any misspellings or mistakes will be ignored, so please copy/paste carefully. To understand what these values are, and why you are using them please see the following link, but in a nutshell, you are telling the CA that by default the Root CA should issue certificates that are valid for 20 years, feel free to adjust accordingly if you think it's appropriate but be aware of the consequences (having to re-issue certificates etc.). I'd recommend your verify that the file is indeed correctly named and in the C:\Windows folder. You don't want .TXT appended to it or it will be ignored. To verify, do the following: dir C:\Windows\Capolicy.* The file has the right name and is in the right location. Step 2. Install Active Directory Certificate Services Now that you've created the CAPolicy.inf file you are ready to install Active Directory Certificate Services on the Standalone Offline Root CA. To do so, open Server Manager and select Add Roles and Features. Click Next and select Role-based or feature-based installation. Click Next and Select Select a server from the server pool, ensure that ROOTCA is selected. Click Next and select Active Directory Certificate Services from the choices available on the Select server roles page, if prompted to Add features that are required for Active Directory Certificate Services, click Add features. And here you see the Active Directory Certificate Services role is selected. Click Next to continue. on the Select features screen, click Next. Click Next, On the Active Directory Certificate Services introduction page, read the Things to note before clicking on Next. Insure that Certificate Authority is selected on the Confirmation screen, click on Install. Wait for the installation progress to finish successfully before clicking on Close. Click Close to close the wizard. Step 3. Configure Active Directory Certificate Services After the installation succeeded in the previous step, click on Configure Active Directory Certificate Services on the destination server in Server Manager. On the Specify credentials to configure role services screen, ensure your credentials are ROOTCA\Administrator and then click Next. Select the Certificate Authority role to configure… by default it is not selected. Click Next and select Standalone CA Click Next and on the Specify the type of the CA select Root CA Click Next. On the Specify the type of private key select Create a new private key and click Next. On the Specify the cryptographic options screen pay attention to the settings before clicking Next. For example, ensure that sha-256 is selected as sha-1 is dead (3). The key length defaults to 2048 but only change to 4096 if you are sure it doesn't break communication with your Switches and legacy applications. On the Specify the name for this CA, change Common Name for this CA to suit your needs, for example enter the following windows noob Root CA but do not change the other values. For more info about the CA Name see here (4). Click Next. On the Specify the validity period page, select 20 years instead of the default of 5. Click Next. On the Specify the database locations click Next. On the Confirmation screen review the details and change if necessary or if you are satisfied, click Configure. and you should see Configuration Succeeded. Click Close when done. Configuring the above with PowerShell To configure the above using PowerShell, use the following commands. First install the ADCS role Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools Edit as necessary before running the below (which configures the ADCS role). Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName "windows noob Root CA" -KeyLength 2048 -HashAlgorithm SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -ValidityPeriod Years -ValidityPeriodUnits 20 -Force That's it for this part, in Part 3 you'll configure the Web server for CDP and AIA Publication. Recommended reading (1) - https://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx (2) - https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file (3) - https://blogs.technet.microsoft.com/askpfeplat/2015/03/15/sha-1-deprecation-and-changing-the-root-cas-hash-algorithm/ (4) - http://go.microsoft.com/fwlink/?LinkId=218063

This series is comprised of different parts, listed below. Part 1 - Introduction and server setup (this part) Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health Introduction Security is everywhere, and a core component of security is certificates. Public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption (1). In this series of guides I will show you how to set up a 2 tier PKI hierarchy running on Windows Server 2016 and you can use this to set up your own LAB so that you can learn about PKI and later use it for related System Center Configuration Manager roles such as Co-Management (3). Note: I don't claim to be an expert on PKI and would absolutely advise you to consult with a PKI expert if you plan on setting up PKI in production. This guide is designed to help you setup your LAB, it's based on a Windows Server 2012 R2 PKI guide on Technet from here and kudos to those guys for writing it (2). The difference here is you'll be using Windows Server 2016 (or later) and you'll see more screenshots and hints to guide you through the experience. I'd highly recommend you go through this entire series at least twice, just to get a feel for how PKI works and to become familiar with the terms involved. The first time you complete this series will probably feel laborious, however the second time you do it things will start to make sense and you'll have a better understanding of why you are doing it. This series will be tough to wrap your head around especially if you are new to PKI, but take it one part at a time, one step at a time, methodically. If in any doubt, about any of the content then please ask your questions here by starting a new thread. Please note, Microsoft released a new updated PKI guide of their own, here June 2025. By the end of this series of guides you'll have the following setup and running in your windowsnoob.lab.local PKI LAB. Domain Controller (Windows Server 2016) - 192.168.11.1 Issuing CA (Windows Server 2016) - 192.168.11.2 Webserver (Windows Server 2016) - 192.168.11.3 Offline Root CA (Windows Server 2016) Windows 10 (Windows 10 Enterprise, version 1803) - 192.168.11.4 (Optional) Smoothwall NAT (linux) - 192.168.11.199 and MMC based applications like this screenshot from the Enterprise Issuing CA will become familiar to you Before we start the series let's list some of the terms you'll see popping up over and over. I will try to explain them as we move through the guide. PKI - Public Key Infrastructure AIA - Authority Information Access CDP - Certificate revocation list Distribution Point CRL - Certificate Revocation List OCSP - Online certificate status protocol CA - Certificate Authority Note: I'd recommend that you snapshot (checkpoint) the Virtual Machines at the end of each part of this series, so if you make a mistake, you can always back track to a known good state. Step 1. Create the Virtual Machines I use Hyper-V for my labs, as it's a role built into Windows Server 2016 (and even Windows 10), so as long as your computer is relatively new and the hardware supports virtualization, you can use it (simply enable the role, reboot, and start using it). You should have at least 16GB of ram and 500GB of SSD storage to set this lab up comfortably. To quickly create the virtual machines I use a PowerShell script which I wrote, you can download it here. Download the script - Create HyperV VMv2.ps1 Virtual Machine Names For this LAB, please use the following naming convention for your virtual machines (note this is not the computer name but the virtual machine name). #11_DC01 #11_IssuingCA #11_RootCA #11_W10_1803 #11_Webserver #11_Smoothwall Note: The #11 prefix is simply a method I use in Hyper-V to separate my labs visually in Hyper-v manager, so #11 is one lab, and #10 is another (and so on). You don't have to use the same convention as I do, but it would make it easier for you to follow the entire series. I use the Smoothwall linux based NAT to provide Port Forwarding capability and to share internet into my various LABs. Virtual Machine Roles The Virtual Machines created will have the following functions #11_DC01 Roles: DC, DNS, LDAP CDP,AIA #11_IssuingCA Roles: Enterprise Issuing CA #11_RootCA Roles: Standalone Offline Root CA #11_W10_1803 Roles: A Windows client #11_Webserver Roles: Webserver HTTP CDP, AIA #11_Smoothwall Roles: Port Forward, Internet sharing Note: When prompted for a network switch, create a unique one (#11) for the first VM created, and use the same one for each of the other vm's (we will remove the network from the Offline Root CA). For generation type, use Gen 2. Below is how I created the virtual machines listed above. Note: After creating the virtual machines and before installing Windows Server 2016 on the Offline Root CA, you must remove the Network Card for the Offline Root CA virtual machine as it should not be connected to any network. Step 2. Install the virtual machines Install Server 2016 On DC01, RootCA, IssuingCA and Webserver, install Windows Server 2016. It's up to you how to do this, you can use an Automated MDT PowerShell script, or install them manually. To install all Windows Server 2016 on all 4 servers as WorkGroup joined computers do as follows.. Choose Windows Server 2016 Standard (Desktop Experience) Continue through the installation wizard until prompted for a password, use P@ssw0rd as the Administrator password Click Finish. And then logon using the Administrator username and password configured above. Once Windows is installed, set the IP address for each virtual machine as shown below. Note: Below are the Computer Name and IP addresses used in this guide. For the Offline Root CA, you must remove the Network card in the Hyper-V virtual machine settings. Computer Name: DC01, IP address: 192.168.11.1, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: IssuingCA, IP address: 192.168.11.2, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: Webserver, IP address: 192.168.11.3, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: RootCA, IP: <NO NETWORK> Computer Name: W101803, IP address: 192.168.11.4, Subnet mask 255.255.255.0, Default gateway: 192.168.11.199, Preferred DNS server: 192.168.11.1 Computer Name: smoothwall11, IP address: (Green, static) 192.168.11.199 (Red, DHCP internet IP) x.x.x.x Here's how you can set the IP address for DC01. And configure the Computer Name as per the list (in this example it's for the Domain Controller) Reboot when prompted. Install Windows 10 Enterprise version 1803 Install Windows 10 Enterprise, version 1803 on the remaining virtual machine (#11_W10_1803). Configure the Computer Name and IP address as specified. Leave it WorkGroup joined. Optionally install Smoothwall To learn how to setup Smoothwall express as a firewall see this blog post. Step 3. Configure ADDS on DC01 Now that you've installed the servers, it's time to make DC01 a domain controller, to do that we'll install Active Directory Domain Services (ADDS) and to do that we'll use this PowerShell script, simply run the script as Administrator in Windows PowerShell ISE on DC01. Download the script -Configure ADDS.ps1 After running the script, DC01 is prompted to a Domain Controller and is ready for the next part of this series. Note: Please only run this script on the DC01 virtual machine. After running the script, the Domain Controller is ready for Part 2 (configured as dc01.windowsnoob.lab.local) and internet is working (via the Smoothwall) To continue with Part 2 of this series, click here. Recommended reading (1) - https://en.wikipedia.org/wiki/Public_key_infrastructure (2) - https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx (3) - https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

it's very easy just install smoothwall on a legacy (gen 1) hyperv vm and configure two nics, one for Green (lan) and one for Red (wan),

"parsing" you are looking at the part of the smsts.log where it parses through the commands it has to execute, to see how your step performs, search for "start executing" instead and see what errors if any are present for the actual step, and not the 'parsed' step

odd, my working ts has MDT integration, can you try adding a Use Toolkit Package and then MDT gather step before this, and see does it make any difference in your task sequence

so if you manually run the command in a command prompt, does it work ?

it's more than likely forcing to GPT due to the bios mode being in UEFI, and that's a good thing, looking at the small snippet of log file you provided doesn't really help troubleshoot this however, we need the entire smsts.log to be sure what is being detected, and then, what steps are running, so can you attach it please

have you seen this ?

I see you are using french, have you tried the equivalent word in French in case that's the issue ?

hi can you show the step in your task sequence please

i've seen reports of a similar issue resolved by upgrading SCCM 1710 to SCCM 1802 but thanks for your solution cheers niall

training is always good but intense, and these types of training give you good info over the time frame of about a week, but what they don't give you is experience. That you get when working with SCCM in different organizations over the years, so don't expect to be an all singing, all dancing SCCM engineer after attending one of these courses for one week, sure, these courses will give you a great overview of the product, but SCCM is WAY TOO immense to understand or fully comprehend in just one week IMHO, I'd suggest you bookmark this link and start working your way through the guides to get familiar with various options in SCCM Current Branch (and technical preview) cheers niall

hi Thomas, I didn't create any separate discs for temp and transaction logs and didn't add it to the scripts either, that would be an exercise for you to undertake, p.s. you should really be working off the latest version of the guide here > How can I install System Center Configuration Manager (Current Branch) version 1802 on Windows Server 2016 with SQL Server 2017 – Part 1

what version of SCCM are you running exactly ? and what version of the Windows ADK

you can't upgrade it using that media, for upgrade options see the following link https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager have you tried restarting SMS_Executive ? do you have teamviewer and i can remote in and take a look,

yes but is the SCCM client installed on this server or is it pulling updates from the internet and patching itself....

so have you actually tried putting something together yet ? there is a frontends and hta's section here for some ideas... https://www.windows-noob.com/forums/forum/98-frontends-htas-and-web-services/

do you have any 3rd party antivirus software that could be causing the download to fail ? or a proxy ? Failed to verify redist file for update C:\Program Files\Microsoft Configuration Manager\CMUStaging\0F11CAA4-7F7F-454B-96D6-75F427D015CE\redist\ConfigMgr.Manifest.cab CONFIGURATION_MANAGER_UPDATE 26.05.2018 19:59:02 26012 (0x659C)

(New-Object -COMObject Microsoft.SMS.TSEnvironment).Value('OSDDiskIndex') = $MonDisk.Disk }" returned 0 doesn't look like it's an error, have you tried to dump the variables created to verify it it set's the variable at all ? i'd suggest you pause the task sequence before and after the step to verify

interesting we havn't seen it yet, what hardware/model are you seeing the problem on ?

thanks but haven't you seen this mini series ??

hi Craig you should be very careful with required task sequences and instead of limiting to All Systems, make it much safer, for example limit it to All Dell 3620 precisions, or some other small subset of computers, that way if you make a mistake with a query, only those computers will be affected, by limiting to All Systems, if you make a query mistake in that collection and it add's say... All Systems (select * from sms...) then you have just wiped out your entire organization including servers with that required task sequence, secondly, check that the computer you are testing in, is in the collection that is targeted with the task sequence thirdly, is the task sequence deployed to Only Configuration Manager clients, or PXE or something else ? if you want the required ts to start in Windows then you need it to be made available to Only Configuration Manager Clients... cheers niall

looks like folders created when Windows Update(s) are being applied, so how are you managing updates on this server ?

it's failing to talk to the USMT State Migration Point, is that configured ? <![LOG[Error. Status code 500 returned]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="0" thread="4276" file="libsmsmessaging.cpp:9551"> <![LOG[Received 1164 byte response.]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="0" thread="4276" file="smpclient.cpp:2376"> <![LOG[pReply != NULL, HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\osdsmpclient\smpclient.cpp,2391)]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="0" thread="4276" file="smpclient.cpp:2391"> <![LOG[SMP Root share info response is empty]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="3" thread="4276" file="smpclient.cpp:2391"> <![LOG[ClientRequestToSMP::ClientRootShareRequestToSMP failed. error = (0x80004005).]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="3" thread="4276" file="smpclient.cpp:2442"> <![LOG[ExecuteRootShareInfoRequest(sRootShareList), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\osdsmpclient\smpclient.cpp,1717)]LOG]!><time="07:22:00.631-480" date="05-21-2018" component="OSDSMPClient" context="" type="0" thread="4276" file="smpclient.cpp:1717"> <![LOG[ClientRequestToSMP::DoRequest failed. error = (0x80004005).

it's failing to install the apps, check your appenforce.log to see what it says