OCS 2007 Installation – Part 2

Other parts in this series:

OCS Installation – Part 1

Last time we left off about halfway through the OCS 2007 installer. This part runs through the end of the initial installation process. I’ll cover some of the initial configuration in the next part.

Configure Internal Certificate

The Configure Server section should now have a green checkmark next to it. Click the Run button under Configure Certificate to continue.

The Configure Certificate Wizard should start. Press Next to continue.

Choose Create a new certificate and press Next.

Choose Send the request immediately to an online certification authority and press Next.

Give the certificate a meaningful friendly name, uncheck Mark cert as exportable and press Next. We should never need to export the certificate from the front-end server, and leaving the private key non-exportable keeps it from being copied off the machine.

Fill in organization and organization unit names and press Next.

Leave the subject name as the fully qualified name of the internal OCS machine, tap-ocs-2k7.ptown.com. In the subject alternative name (SAN) box enter tap-ocs-2k7.ptown.com,sip.confusedamused.com. Press Next.

Note: The first SAN listed must be the same as the subject name because of how ISA 2006 handles the reverse proxy. If we left sip.confusedamused.com as the sole SAN entry everything would work fine internally, but we’d run into problems with the reverse proxy later: we will tell ISA that the internal site name is tap-ocs-2k7.ptown.com, and when ISA connects it tries to match the subject name to the first SAN listed. When they don’t line up ISA throws an Error 500 – Service Principal Name Incorrect. Building the certificate this way now removes some unnecessary work later. You can read more about this ISA issue here.
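A small pre-flight check for the rule in the note above: it takes the subject name and the comma-separated SAN box exactly as the wizard receives them and reports whether the first SAN matches the subject and the public SIP name is present. This is an added example, not code from the post or from OCS; the names are the ones used in this walkthrough.

```python
import re

# Values used in this walkthrough (constructed to match the post)
INTERNAL_FQDN = "tap-ocs-2k7.ptown.com"
EXTERNAL_SIP_NAME = "sip.confusedamused.com"

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_san_box(text):
    """Split the wizard's comma-separated SAN box into lowercase names."""
    return [n.strip().lower() for n in text.split(",") if n.strip()]


def build_san_box(subject_name, *extra_names):
    """Produce a SAN box value with the subject name first, as ISA expects."""
    return ",".join([subject_name] + [n for n in extra_names if n != subject_name])


def is_fqdn(name):
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def check_san_plan(subject_name, san_box, external_name):
    """Return a list of findings; an empty list means the plan is sound.

    Checks: every name is a well-formed FQDN, no duplicate SAN entries,
    the first SAN equals the subject name (the ISA 2006 reverse-proxy
    requirement), and the public SIP name appears somewhere in the SAN.
    """
    subject = subject_name.strip().lower()
    sans = parse_san_box(san_box)
    findings = []
    for name in [subject] + sans:
        if not is_fqdn(name):
            findings.append("malformed name: %s" % name)
    if len(set(sans)) != len(sans):
        findings.append("duplicate SAN entries")
    if not sans:
        findings.append("SAN list is empty")
    elif sans[0] != subject:
        findings.append("first SAN %r is not the subject name %r; ISA 2006 "
                        "will not match the internal site name" % (sans[0], subject))
    if external_name.strip().lower() not in sans:
        findings.append("public name %s missing from SAN" % external_name)
    return findings
```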

Enter the state or province and press Next.

The certificate authority, tap-dc-2k3.ptown.com\P-Town Certificate Authority, should already be detected. Press Next.

Review the certificate information and press Next to generate the certificate.

The success message should appear. Press the Assign button to use the certificate just created for OCS services.

A message indicating the certificate was applied should appear. Press OK.

Click Finish to close the certificate wizard.

Assign Web Components Certificate

Open IIS Manager, expand the Web Sites folder, right-click on the Default Web Site and choose Properties.

Click on the Directory Security tab.

Click the Server Certificate button to start the Web Server Certificate Wizard.

Press Next to start the process.

Choose Assign an existing certificate and press Next.

Select the certificate that was issued to tap-ocs-2k7.ptown.com and press Next.

Leave the default SSL port of 443 and press Next.

Review the certificate summary and press Next.

A success message appears. Click Finish to close the wizard.

Warning: The service accounts RTCService and RTCComponentService do not have the Password Never Expires option selected by default. Unless you want those account passwords to expire under the default domain policy, I would recommend going into Active Directory Users and Computers and making sure those passwords don’t expire. If they do expire, your OCS services won’t start.

Start Services

At this point the OCS services can be started. Flip back to the OCS installer and click the Run button under Start Services.

The Start Services Wizard should open. Press Next to continue.

Press Next again to start the services listed.

A success dialog will appear when it finishes. Check the box to view the log if desired, then press Finish to continue.

At this point OCS is up and running, but it will not yet pass many of the validation tests. Exit the installer completely. I’ll cover the DNS configuration in the next part of this series.

Peanut Gallery

  1. Very nice tutorial, but a little sidenote.

    If you are using a CSR and an external CA to create your certificates, be very explicit with them that you need a SAN (Subject Alternative Name) type certificate. Otherwise, during the SSL signing process the Subject Alternative Name might be dropped. In this case the services will not start either, telling you that the Subject Name isn’t in the trusted server list…

  2. I have configured first the OCS server, then the edge server, and now want to configure the reverse proxy server… I have successfully completed all the steps and the validation tests fail… when will I be able to get the next part…

    Thanks…

    Regards, Nitin

  3. Do you know the extent of the changes to IIS 6.0 that OCS 2007 makes during the install? The reason I ask: the OCS 2007 upgrade from LCS 2005 hosed the authentication to some critical sites we had nested as virtual directories underneath the default web site in IIS.

    Any insight would be greatly appreciated.

    Ron

  4. Thanks for providing this great documentation. I’m trying to add external connectivity to our existing MOCS 2007 (Ent) install. The process is quite complicated and the documentation from Microsoft leaves a lot to be desired. Will there be a 3rd part to these instructions?

  5. Oops, my bad, there it is. Thanks

  6. Hello there,

    We are also installing Microsoft Office Communications Server. But after doing the certificate wizard, which was done by asking a certificate authority server to provide us a trial certificate, we get an error 0xC3EC794B which tells us that the Specified Role does not match the installed product id. Does this have to do with the certificate that we installed? Or have we done a wrong configuration during steps 1 – 6? Hoping for a response. Thanks and more power to your site!

  7. I am following Microsoft’s OCS lab setup instructions. I have created a new certificate template for server authentication by duplicating the web server template and configured it for autoenrollment. However, I don’t see the template when I use http://contoso.ad/certsrv or in the OCS deployment/configure certificate wizard. I see that a certificate based on this template has been issued in the console under Root/Certificates (Local Computer)/Personal/Certificates. Any insight would be greatly appreciated.

    Sylvester

  8. Kristin, make sure the /role:xx is correct for your version, whether EE or SE, when you run the validation check.

  9. How many SANs on ISA 2006 with OCS 2007 and Exchange 2007 OWA anywhere. Is this right?

    When ISA 2006 has a listener for https and it is used for Exchange 2007 OWA, the SSL listener certificate will have Subject Alternative Names (SAN) of mail.myorg.local, mail.myorg.com, autodiscover.myorg.com and thirdly SAN names of sip.myorg.com, im.myorg.com when you have OCS 2007.

    Does ISA 2006 only read 2 SAN names anyway?

    Out_theBack

  10. ISA will read all the SANs in a cert on a listener. The limitation comes in if you use a SAN on the internal web site that you are reverse proxying.

  11. Thanks, it’s a nice post. Saved many hours.

  12. Hello there,

    I followed step by step the above procedure but my front end server service won’t start. I deployed a standard edition of OCS 2007 (trial version) downloaded from the Microsoft website. I have my AD and DNS servers on another PC (both PCs have Windows Server 2003 SP2).

    Please, any help will be hugely appreciated :D :D :D

    Thanks a lot

  13. Hello Elliot Nehme,

    In your case the OCS server system must be a member of the AD, and you must be logged on to that system with administrative rights in AD. In the LAN configuration give the DNS IP and start the installation; OCS will automatically pick up the AD of your network, as well as the DNS of your network. I think this will help you.

    Atif

  14. I will redeploy the access edge server and I have a doubt about the kind of certificate that I need. We are going to have several SIP domains but we will have only one access edge server, so this is the point where I got confused: Do I need one DNS SRV record for each domain that externally wants to access the access edge server? Does Verisign have this kind of certificate with SAN?

  15. Edgar, you can definitely support multiple SIP domains through a single Edge server. You’ll need a SAN certificate and, if you want to support automatic client configuration, an SRV record for each SIP domain.

    I’d definitely recommend using a vendor such as Digicert for your SAN cert though. They are significantly cheaper than Verisign and have the same degree of compatibility.

  16. Crazy how many people still use and others profit with web proxies.

  17. Hi,

    If you face an error on the last step like the following:

    Not activated or disabled services (cannot be started): Office Communications Server Front-End Office Communications Server Telephony Conferencing Office Communications Server IM Conferencing

    Services that will be started: Office Communications Server Web Conferencing Office Communications Server Audio/Video Conferencing

    you should see this: http://support.microsoft.com/kb/974571

    Scroll to Resolution for these known issues and download ocsasnfix.exe using http://go.microsoft.com/fwlink/?LinkId=168248

    Use the command prompt to run this exe. It will fix the registry. Once the registry is fixed, you need to re-run “Deploy Server” or “Add Server to Pool” (in case of an enterprise pool deployment, which was my case).

    After finishing the deployment, start the services again. It will work.

    Thanks, Ali

  18. I have run the steps as instructed above and also in the OCS 2007 Deploying and Configuration guide from Microsoft.

    But I got stuck in the “Choose a Certification Authority” page. I can’t choose the first selection; only “Specify the certificate authority that will be used to request this certificate” is available. I am not sure what to write in the text box below the 2nd selection.

    So, how can I find the root and solve this problem? I am using Win Server 2008 Std Edition and OCS 2007 R2. This is the Front End Server.

    Thanks!
