LCS 2005 Standard to OCS2007R2 Standard: Part 3 Internal CA and LCS 2005 Patches

If you’ve only ever used your installed Windows/AD CA rarely for base certificates, then you’ll almost certainly need to do some work on it for both Windows 2008 and of course the subject of this post, OCS.

We have a Windows CA, as most SMBs will, but it’s a vanilla install. We have a tiered setup of primary and secondary CAs. During the installation of OCS you will need it to issue a SAN certificate. In actual fact, we had to re-issue a new certificate to our LCS install with sip alternate names for all our enabled domains. LCS to OCS communication is via Mutual TLS, so if you want your old world LCS users to be able to talk to newly migrated OCS users, you will need to get your certificates right.
Unless you want to pay for commercial certificates, it’s best to just use your internal CA, but before you can issue a VALID SAN cert, you’ll need to make some modifications to it. If this is your first 2008 server using a certificate in your domain, you will need KB922706, and once that’s done, KB931531, which amounts to issuing from a command line:

certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Now, that puts us in good stead for the next phase: we can reliably request SAN certificates, including for Windows 2008 servers.
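As an added example (not from the original post), the PowerShell below checks that the CA flag just set is active, requests a SAN certificate covering sip.&lt;domain&gt; for every SIP-enabled domain, and then verifies which names were actually issued; the CA config string, server FQDN, SIP domains and the WebServer template are placeholders to substitute.

```powershell
# Added example, not the post's own script. Assumes a domain-joined server that can reach
# the enterprise CA; all names below are constructed placeholders.
$CaConfig   = 'CA01\Contoso-CA'          # <CA host>\<CA name>
$ServerFqdn = 'ocs01.contoso.local'      # the OCS front end being enrolled
$SipDomains = @('contoso.com', 'fabrikam.com')   # every SIP-enabled domain

# 1. Confirm the CA policy module honours SAN request attributes
#    (EDITF_ATTRIBUTESUBJECTALTNAME2, 0x40000, in policy\EditFlags).
$editFlags  = certutil -config $CaConfig -getreg policy\EditFlags | Out-String
$sanEnabled = $editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2'
"SAN request attribute honoured by CA: $sanEnabled"

# 2. Build the request: CN = server FQDN, SAN = the FQDN plus sip.<domain> for each domain.
#    Server and client auth EKUs are both needed because LCS/OCS use Mutual TLS.
$sanNames = @($ServerFqdn) + ($SipDomains | ForEach-Object { "sip.$_" })
$sanAttr  = 'SAN:' + (($sanNames | ForEach-Object { "dns=$_" }) -join '&')
$inf = @"
[NewRequest]
Subject = "CN=$ServerFqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
$inf | Set-Content -Path .\ocs.inf -Encoding ASCII
certreq -new .\ocs.inf .\ocs.req
# The template name (WebServer) is an assumption; use whichever template allows "supply in request".
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer`n$sanAttr" .\ocs.req .\ocs.cer
certreq -accept .\ocs.cer

# 3. While that flag is set, any requester the CA accepts can ask for arbitrary SAN values,
#    so verify the issued certificate carries exactly the intended names and nothing else.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path .\ocs.cer)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$issued = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[1] }
$unexpected = $issued | Where-Object { $sanNames -notcontains $_ }
if ($unexpected) { Write-Warning "Unexpected SAN entries issued: $($unexpected -join ', ')" }
else { "Issued SAN entries match the request: $($issued -join ', ')" }
```

Run it on the server being enrolled, from an elevated prompt, so the key lands in the machine store that OCS reads.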
I’d left our LCS server on SP1, as I’d found no pressing need to add post-SP patches, but for this install we have to look at LCS preparedness first. It needs to be on SP1 and then patched with any post-SP1 hotfixes. These are all outlined in the Word document I mentioned above, in the section titled ‘Before you begin Migrating From Live Communications Server 2005’. I would follow this section completely, with one exception: I wouldn’t bother updating the client for the moment. The unpatched client will still attach to either flavour of server (including OCS).

Server Patches:
Client Patch (msp):

If you’ve regularly run Windows Update, you may find that at least one or two of these patches are already installed. DON’T re-install KB921543, as once uninstalled it can’t be re-installed.

There will doubtless be reboots after these patches, so notify your users of downtime in advance.

IMPORTANT!! If you had not patched your LCS server in a while, you may not have had Windows security patch KB974571 applied; I hadn’t. In essence, this ASN.1 fix breaks LCS and OCS!! The symptom is that the server will not start the service. Details are here, as well as the fix, OCSASNFIX.EXE.
This serves to support my argument that Windows patches are crucial to your environment, but don’t rush to apply them: stay a little behind. If you’d jumped to install the latest and greatest, you could have been faced with lengthy downtime, and possibly engaging MS Professional Services.