Microsoft Corporation
Published: October 2009
Author: James McIllece
Editor: Scott Somohano
Abstract
BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize WAN bandwidth, BranchCache copies content from your main office content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. This deployment guide provides instructions on deploying BranchCache in both distributed cache mode and hosted cache mode, and allows you to deploy Hypertext Transfer Protocol (HTTP), Background Intelligent Transfer Service (BITS), and Server Message Block (SMB)-based content servers that are Web servers, application servers, and file servers, respectively.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
All other trademarks are property of their respective owners.
Contents
BranchCache Deployment Guide
Abstract
Contents
BranchCache Deployment Guide
What this guide provides
What this guide does not provide
Deploy BranchCache
Deploy BranchCache in distributed cache mode
Deploy BranchCache in hosted cache mode
Install and configure content servers
Install content servers that use the BranchCache feature
Install the BranchCache feature
Configure Windows Server Update Services (WSUS) content servers
Install File Services content servers
Configure the File Services server role
Install a new file server as a content server
Configure an existing file server as a content server
Enable hash publication for file servers
Enable hash publication for non-domain member file servers
Enable hash publication for domain member file servers
Create the BranchCache file servers organizational unit
Move file servers to the BranchCache file servers organizational unit
Create the BranchCache hash publication Group Policy object
Configure the BranchCache hash publication Group Policy object
Enable BranchCache on a file share
Deploy a distributed cache mode design
Configure client computers for distributed cache mode
Use Group Policy to configure domain member clients for distributed cache mode
Configure domain member client distributed cache mode firewall rules
Non-domain member client configuration for distributed cache mode
Enable BranchCache distributed cache mode using network shell commands
Configure client computer distributed cache mode firewall rules
[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol
Deploy a hosted cache mode design
Configure client computers for hosted cache mode
Use Group Policy to configure domain member clients for hosted cache mode
Configure domain member client hosted cache mode firewall rules
Non-domain member client configuration for hosted cache mode
Enable BranchCache hosted cache mode using network shell commands
Configure hosted cache mode firewall rules
[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol
[MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol
Install and configure the hosted cache server
Install the BranchCache feature
Enable hosted cache server mode on a hosted cache server
Install the certification authority and enroll certificates to hosted cache servers
Create the hosted cache servers group
Add hosted cache servers to the group
Install the certification authority (CA)
Configure the Web Server certificate template
Configure server certificate autoenrollment
Refresh Group Policy
Obtain the SHA-1 hash of the hosted cache server certificate
BITS-based application servers. These content servers send content to BranchCache client computers using the Background Intelligent Transfer Service (BITS). These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the BranchCache feature is installed.
File server-based content servers. These content servers must be running Windows Server 2008 R2 versions that support BranchCache and upon which the File Services server role is installed. In addition, the BranchCache for network files role service of the File Services server role must be installed and configured. These content servers send content to BranchCache client computers using the Server Message Block (SMB) protocol.
Deploy BranchCache
See the following topics to deploy BranchCache.
Note
The procedures in this guide do not include instructions for those cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.
For more information on the technologies used to deploy BranchCache, see Additional Resources.
4. In Confirm Installation Selections, review your choice and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed.
5. In Installation Results, review the summary and then click Close. The Add Features Wizard closes.
6. In the Server Manager left pane, double-click Configuration, and then click Services.
7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.
Important
The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.
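The procedure above is performed in Server Manager. The following script, added here as an example and not part of the Microsoft guide, performs the same check from PowerShell: it confirms that the BranchCache feature is installed and that the BranchCache service is running with the Automatic startup type the Important note recommends, and with -Repair it corrects any of these. It assumes Windows Server 2008 R2 with the ServerManager module, the feature name BranchCache as listed by Get-WindowsFeature, and the service name PeerDistSvc; confirm both names on the target system.

```powershell
# Added example, not from the Microsoft guide. Confirms that the BranchCache
# feature is installed and that the BranchCache service (service name
# PeerDistSvc) runs with the Automatic startup type the guide recommends.
# Assumptions: Windows Server 2008 R2 with the ServerManager module, and the
# feature name "BranchCache" as listed by Get-WindowsFeature; confirm both on the
# target system. Run from an elevated PowerShell prompt.

Import-Module ServerManager

function Test-BranchCacheServiceState {
    # Without -Repair the function only reports; with -Repair it installs the
    # feature, sets the startup type to Automatic and starts the service as needed.
    param([switch]$Repair)

    $report = New-Object PSObject -Property @{
        FeatureInstalled = $false
        StartMode        = 'Unknown'
        State            = 'Unknown'
        Compliant        = $false
    }

    $feature = Get-WindowsFeature -Name BranchCache
    if (-not $feature.Installed -and $Repair) {
        Add-WindowsFeature -Name BranchCache | Out-Null
        $feature = Get-WindowsFeature -Name BranchCache
    }
    $report.FeatureInstalled = [bool]$feature.Installed

    # Win32_Service exposes StartMode, which Get-Service lacks on PowerShell 2.0.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='PeerDistSvc'"
    if ($svc) {
        if ($Repair -and $svc.StartMode -ne 'Auto') {
            Set-Service -Name PeerDistSvc -StartupType Automatic
        }
        if ($Repair -and $svc.State -ne 'Running') {
            Start-Service -Name PeerDistSvc
        }
        # Re-read so the report reflects any repair just made.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='PeerDistSvc'"
        $report.StartMode = $svc.StartMode
        $report.State     = $svc.State
    }

    $report.Compliant = ($report.FeatureInstalled -and
                         $report.StartMode -eq 'Auto' -and
                         $report.State -eq 'Running')
    return $report
}

Test-BranchCacheServiceState | Format-List FeatureInstalled, StartMode, State, Compliant
```

Run it without -Repair on each content server or hosted cache server after installation to confirm the state, and with -Repair to bring a server into line; a StartMode other than Auto means the service will not come back after a restart and the server silently stops serving content information.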
During the configuration of the content server, you can allow BranchCache publication of content for all file shares or you can select a subset of file shares to publish. See the following topics to deploy content servers.
Configure the File Services server role
Enable hash publication for non-domain member file servers
Enable BranchCache on a file share
c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.
8. Click OK.
Note
Before performing this procedure, you must create the BranchCache file servers organizational unit and move file servers into the OU. For more information, see Enable hash publication for domain member file servers.
To create the BranchCache hash publication Group Policy object
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache file servers OU that you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your OU is named BranchCache file servers, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects.
5. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Hash Publication, type BranchCache Hash Publication. Click OK.
6. In the Group Policy Management MMC, right-click the BranchCache file servers organizational unit (OU) that you created previously. For example, if your OU is named BranchCache file servers, right-click BranchCache file servers, and then click Link an Existing GPO. The Select GPO dialog box opens.
7. In the Select GPO dialog box, in Group Policy objects, click the BranchCache hash publication GPO that you created earlier in this procedure. For example, if your GPO is named BranchCache Hash Publication, click BranchCache Hash Publication. Click OK.
Note
Before performing this procedure, you must create the BranchCache file servers organizational unit, move file servers into the OU, and create the BranchCache hash publication Group Policy object (GPO). For more information, see Enable hash publication for domain member file servers.
To configure the BranchCache hash publication Group Policy object
1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.
2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.
4. In the Group Policy Management MMC, expand the path to the BranchCache hash publication GPO that you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your GPO is named BranchCache Hash Publication, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects, BranchCache Hash Publication.
5. Right-click the BranchCache Hash Publication GPO and click Edit. The Group Policy Management Editor console opens.
6. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates, Network, Lanman Server.
7. In the Group Policy Management Editor console, click Lanman Server. In the details pane, double-click Hash Publication for BranchCache. The Hash Publication for BranchCache dialog box opens.
8. In the Hash Publication for BranchCache dialog box, click Enabled.
9. In Options, click Allow hash publication for all shared folders, and then click one of the following:
a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folders.
b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.
c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.
10. Click OK.
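Once the GPO is linked, the setting chosen in step 9 is what decides whether a file server publishes content information at all, so it is worth auditing the value that actually reached each server in the OU rather than trusting the GPO link. The following script is an added example, not part of the Microsoft guide. It assumes that the Hash Publication for BranchCache policy is written as the DWORD HashPublicationForPeerCaching under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer, with 0, 1 and 2 corresponding to options c, b and a above; confirm that mapping against the Lanman Server ADMX on your domain controller before relying on it. The OU distinguished name is a placeholder built from the example names used in this guide.

```powershell
# Added example, not from the Microsoft guide. Reads the Hash Publication for
# BranchCache policy as applied to each file server in the BranchCache file
# servers OU and reports whether the server will publish content information.
# Assumptions: the policy writes DWORD HashPublicationForPeerCaching under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer, where 0 = disallow on
# all shared folders, 1 = allow only on shares with BranchCache enabled, and
# 2 = allow on all shared folders (verify against the Lanman Server ADMX).
# Remote reads need the Remote Registry service running on each file server.

$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$PolicyValue  = 'HashPublicationForPeerCaching'

$Meaning = @{
    0 = 'Disallow hash publication on all shared folders'
    1 = 'Allow hash publication only for shared folders on which BranchCache is enabled'
    2 = 'Allow hash publication for all shared folders'
}

function Get-HashPublicationPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hive.OpenSubKey($PolicySubKey)
    $raw  = $null
    if ($key) { $raw = $key.GetValue($PolicyValue) }
    $hive.Close()

    if ($raw -eq $null) {
        # No policy reached this server: the local Share and Storage Management
        # setting described in the guide for non-domain servers applies instead.
        $setting = 'Not configured by policy'
    } elseif ($Meaning.ContainsKey([int]$raw)) {
        $setting = $Meaning[[int]$raw]
    } else {
        $setting = "Unexpected value $raw"
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        RawValue     = $raw
        Setting      = $setting
        Publishes    = ($raw -eq 1 -or $raw -eq 2)
    }
}

# Enumerate the computers in the OU the guide has you create. Placeholder DN
# using the guide's example names; replace with your own domain and OU.
$ou = 'OU=BranchCache file servers,DC=example1,DC=com'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$ou"
$searcher.Filter = '(objectCategory=computer)'
$servers = $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }

$servers | ForEach-Object { Get-HashPublicationPolicy -ComputerName $_ } |
    Format-Table ComputerName, RawValue, Publishes, Setting -AutoSize
```

A server that shows Not configured by policy after the GPO has been linked and Group Policy refreshed usually means the computer account is outside the OU or the GPO link is disabled; a server showing 0 is the case the guide's option c describes, where BranchCache can be enabled on the shares and still publish nothing.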
Note
In most cases, you must save the MMC console and refresh the view to display the configuration changes you have made.
client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as by using DirectAccess. See the following topics to deploy BranchCache in distributed cache mode.
Install and configure content servers
Configure client computers for distributed cache mode
Note
When distributed cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure client computer distributed cache mode firewall rules to create IPsec rules.
Use Group Policy to configure domain member clients for distributed cache mode
You can use this procedure to configure Group Policy to enable and configure BranchCache distributed cache mode on domain-joined client computers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.
To use Group Policy to configure clients for distributed cache mode
1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Distributed Cache mode. The Set BranchCache Distributed Cache mode dialog box opens.
9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.
10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.
Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.
opens.
6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
7. In Predefined Rules, click Next.
8. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
9. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
17. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
18. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.
19. In Predefined Rules, click Next.
20. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
Firewall settings must allow inbound and outbound traffic. You can use the following settings to configure firewall exceptions for distributed cache mode.
Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80
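The wizard steps above, and the corresponding hosted cache mode steps later in this guide, enable predefined rules that Windows Firewall groups by name. The following script is an added example, not part of the Microsoft guide, for non-domain clients or for verifying domain clients after Group Policy has applied: it enables the predefined groups for the chosen mode with netsh advfirewall and then parses the rule listing to confirm that each group has an enabled rule in both directions, which is the condition the Important notes above insist on. It assumes English netsh output and predefined group names of the form "BranchCache - <rule name as shown in the wizard>"; confirm the names with netsh advfirewall firewall show rule name=all on the target computer.

```powershell
# Added example, not from the Microsoft guide. Enables the predefined Windows
# Firewall rule groups that correspond to the wizard rules named in this guide,
# then parses 'netsh advfirewall firewall show rule' to verify that each group
# has an enabled inbound and an enabled outbound rule. Assumptions: English
# netsh output, and predefined group names of the form "BranchCache - <rule
# name>" (confirm with 'netsh advfirewall firewall show rule name=all').
# Run from an elevated prompt.

$Groups = @{
    Distributed  = @('BranchCache - Content Retrieval (Uses HTTP)',
                     'BranchCache - Peer Discovery (Uses WSD)')
    HostedClient = @('BranchCache - Content Retrieval (Uses HTTP)',
                     'BranchCache - Hosted Cache Client (Uses HTTPS)')
}

function Enable-BranchCacheFirewallGroups {
    param([ValidateSet('Distributed', 'HostedClient')][string]$Mode)

    foreach ($group in $Groups[$Mode]) {
        # A predefined group holds both the inbound and the outbound rule,
        # so one call enables the pair the guide requires.
        $output = & netsh advfirewall firewall set rule group="$group" new enable=yes
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not enable '$group': $output" }
    }
}

function Get-FirewallRuleSummary {
    # Turns the block-formatted netsh listing into objects with Name, Enabled,
    # Direction and Group so the rules can be filtered like any other objects.
    $rules = @()
    $current = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{
                Name = $Matches[1].Trim(); Enabled = ''; Direction = ''; Group = ''
            }
        } elseif ($current -and $line -match '^(Enabled|Direction|Grouping):\s+(.+)$') {
            $prop = if ($Matches[1] -eq 'Grouping') { 'Group' } else { $Matches[1] }
            $current.$prop = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Test-BranchCacheFirewallGroups {
    param([ValidateSet('Distributed', 'HostedClient')][string]$Mode)

    $rules = Get-FirewallRuleSummary
    foreach ($group in $Groups[$Mode]) {
        $members = $rules | Where-Object { $_.Group -eq $group }
        New-Object PSObject -Property @{
            Group      = $group
            InboundOk  = [bool]($members | Where-Object { $_.Direction -eq 'In'  -and $_.Enabled -eq 'Yes' })
            OutboundOk = [bool]($members | Where-Object { $_.Direction -eq 'Out' -and $_.Enabled -eq 'Yes' })
        }
    }
}

Enable-BranchCacheFirewallGroups -Mode Distributed
Test-BranchCacheFirewallGroups -Mode Distributed | Format-Table Group, InboundOk, OutboundOk -AutoSize
```

Use -Mode HostedClient on hosted cache mode clients. A group reporting InboundOk or OutboundOk as False after Group Policy refresh indicates that a GPO rule was created with Block, or that a more specific local rule overrides the predefined one; in either case the client will not serve or retrieve cached content.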
Public CAs are deployed by third-party companies, such as Verisign, that sell certificates for use by their customers. This guide does not describe how to deploy hosted cache mode with certificates that are issued by a public CA, but it is possible if you ensure that the certificates meet the minimum server certificate requirements and are configured in accordance with the Web Server certificate template as described in this guide. In addition, before purchasing a server certificate issued by a public CA, you should ensure that BranchCache client computers already trust the public CA.
Private CAs are deployed by organizations that design and deploy a public key infrastructure (PKI). This guide provides instructions on how to deploy your own CA using Active Directory Certificate Services (AD CS).
Note
This guide does not provide instructions on how to design a PKI, and you should review AD CS documentation before deploying your own CA. For more information, see Additional Resources.
There are two types of certificates that are used when you deploy BranchCache in hosted cache mode:
CA certificate. When you deploy your own CA, the root CA certificate is automatically distributed to client computers that are domain members. The certificate is stored in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User. These certificate stores can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root Certification Authorities certificate store, it means that the computer trusts all certificates that are issued by the CA.
Server certificate. The server certificate is issued by the CA to the hosted cache server. The hosted cache server uses the certificate to prove its identity to client computers during the authentication process.
Hosted cache mode
See the following topics to deploy BranchCache in hosted cache mode.
Install and configure content servers
Configure client computers for hosted cache mode
Install the certification authority and enroll certificates to hosted cache servers
Obtain the SHA-1 hash of the hosted cache server certificate
Link the hosted cache server certificate to BranchCache
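The two certificate requirements described above, a CA certificate the client trusts and a server certificate that proves the hosted cache server's identity, can be checked from a branch office client before clients are pointed at the server. The following script is an added example, not part of the Microsoft guide. It opens a TLS connection to the hosted cache server on TCP 443 (the HTTPS port used by the Hosted Cache Client firewall rule), builds the certificate chain against the client's own trusted root store, checks that the certificate name matches the FQDN that clients will be configured with, and prints the SHA-1 thumbprint that a later topic in this guide has you link to BranchCache. The hosted cache server name is a placeholder built from the guide's example domain.

```powershell
# Added example, not from the Microsoft guide. From a client, performs a TLS
# handshake with the hosted cache server, then validates the server certificate
# the way a client would: chain to a trusted root (with revocation checking) and
# a name that matches the configured hosted cache FQDN. Assumptions: the hosted
# cache listens on 443, and the server name below is a placeholder.

function Test-HostedCacheServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostedCacheName,
        [int]$Port = 443
    )

    # Accept any certificate during the handshake so that a misconfigured server
    # can still be inspected; trust is evaluated explicitly below instead.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostedCacheName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostedCacheName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain building uses the local computer's Trusted Root Certification
        # Authorities store, which is where the guide says the CA certificate lands.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

        # Clients are configured with the hosted cache FQDN, so the certificate
        # must carry that name (SAN DNS name or subject CN).
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $nameOk  = ($dnsName -ieq $HostedCacheName)

        New-Object PSObject -Property @{
            HostedCacheName = $HostedCacheName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Sha1Thumbprint  = $cert.Thumbprint   # X509Certificate2.Thumbprint is the SHA-1 hash
            ChainTrusted    = $chainOk
            ChainStatus     = $chainStatus
            NameMatches     = $nameOk
            Trusted         = ($chainOk -and $nameOk)
        }
    } finally {
        $client.Close()
    }
}

# Placeholder FQDN using the guide's example domain; replace with your server.
Test-HostedCacheServerCertificate -HostedCacheName 'hostedcache.example1.com' |
    Format-List HostedCacheName, Subject, Issuer, NotAfter, Sha1Thumbprint, ChainTrusted, ChainStatus, NameMatches, Trusted
```

ChainTrusted False with a status such as an untrusted root on a domain-joined client means the CA certificate has not reached the client's Trusted Root Certification Authorities store yet; NameMatches False means the certificate was enrolled with a different name than the one clients are given, and clients will refuse the hosted cache server even though the chain is fine.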
Note
When hosted cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure hosted cache mode firewall rules to create IPsec rules.
Use Group Policy to configure domain member clients for hosted cache mode
With this procedure you can use Group Policy to enable and configure BranchCache hosted cache mode on domain-joined client computers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.
To use Group Policy to configure clients for hosted cache mode
1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.
2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.
3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.
4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.
5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.
6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.
7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.
8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Hosted Cache mode. The Set BranchCache Hosted Cache mode dialog box opens.
9. In the Set BranchCache Hosted Cache mode dialog box, click Enabled. In Enter the location of hosted cache, type the fully qualified domain name (FQDN) of the hosted cache server, and then click OK.
10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.
11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.
12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.
Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.
9. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.
11. In Predefined Rules, click Next.
12. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.
14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Hosted Cache Client (Uses HTTPS). Click Next.
15. In Predefined Rules, click Next.
16. In Action, ensure that Allow the connection is selected, and then click Finish.
Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.
client computer for hosted cache mode and automatically configures the client computer firewall with the following inbound exception for hosted cache mode: TCP port 80.
Note
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.
Membership in Administrators, or equivalent, is the minimum required to perform this procedure.
To enable BranchCache hosted cache mode using network shell commands
1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh branchcache set service mode=HOSTEDCLIENT location=HostedCacheName, where HostedCacheName is the fully qualified domain name of the hosted cache server.
Note
If the hosted cache server and client computers are not joined to an Active Directory domain, set client authentication to NONE using the additional clientauthentication parameter in this command: netsh branchcache set service mode=HOSTEDSERVER location=HostedCacheName clientauthentication=NONE
Membership in Administrators, or equivalent, is the minimum required to perform firewall configuration changes.
To deploy a hosted cache server, you must install and enable the BranchCache feature, enable hosted cache mode, and configure firewall exceptions to allow communication between the hosted cache server and client computers in the branch office.
Note
By default, the cache on the hosted cache server is configured to use 5% of the hard disk space on the local hard disk. If you want to change the size of the cache, you can use the netsh branchcache set cachesize command, which specifies the size of the local cache as either a percentage of the size of the hard disk where the cache is located or as an exact number of bytes. For more information, see Additional Resources.
See the following topics to install and configure the hosted cache server.
Install the BranchCache feature
Enable hosted cache server mode on a hosted cache server
Note
When you enable hosted cache mode using the netsh branchcache set service command as described in the topic Enable hosted cache server mode on a hosted cache server, the firewall on the hosted cache server is automatically configured with the correct exceptions for hosted cache mode. You do not need to make additional changes to the firewall configuration; however, the topic Configure hosted cache mode firewall rules is provided for reference.
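The client, hosted cache server, cache size and firewall steps above, as an added PowerShell example that is not part of the Microsoft guide: it runs the same netsh commands from an elevated PowerShell session and then reads back the service status and the BranchCache firewall rules, so the result of the configuration can be checked rather than assumed. The function names and the -CacheSizePercent parameter are this example's own; the "Service Mode" and "Rule Name:" labels it parses follow typical netsh output and are assumptions.

```powershell
# Added example (not from the Microsoft guide): run the netsh steps for hosted
# cache mode from an elevated PowerShell 2.0 session and verify the outcome.
# Assumptions: Windows 7 / Windows Server 2008 R2 with the "netsh branchcache"
# context; the labels matched below ("Service Mode", "Rule Name:") follow
# typical netsh output and are assumptions, as are the function names.

function Invoke-Netsh {
    # Pass every netsh argument separately (no string building) and fail on a
    # non-zero exit code instead of silently continuing.
    param([string[]]$NetshArgs)
    $output = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed ($LASTEXITCODE): $output"
    }
    return $output
}

function Test-Fqdn {
    # Only a syntactically valid DNS name may become the location= value.
    param([string]$Name)
    return [bool]($Name -match '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$')
}

function Set-BranchCacheHostedClient {
    # Branch office client: mode=HOSTEDCLIENT plus the hosted cache server FQDN.
    param([Parameter(Mandatory=$true)][string]$HostedCacheFqdn)
    if (-not (Test-Fqdn $HostedCacheFqdn)) { throw "'$HostedCacheFqdn' is not a valid FQDN" }
    Invoke-Netsh @('branchcache', 'set', 'service', 'mode=HOSTEDCLIENT', "location=$HostedCacheFqdn") | Out-Null
}

function Set-BranchCacheHostedServer {
    # Hosted cache server: mode=HOSTEDSERVER and, optionally, a cache size given
    # as a percentage of the disk (netsh: set cachesize size=<n> percent=TRUE).
    param([int]$CacheSizePercent = 0)
    Invoke-Netsh @('branchcache', 'set', 'service', 'mode=HOSTEDSERVER') | Out-Null
    if ($CacheSizePercent -gt 0) {
        if ($CacheSizePercent -gt 100) { throw 'CacheSizePercent must be between 1 and 100' }
        Invoke-Netsh @('branchcache', 'set', 'cachesize', "size=$CacheSizePercent", 'percent=TRUE') | Out-Null
    }
}

function Get-BranchCacheStatus {
    # Turn the "Name = Value" lines of 'show status all' into a hashtable.
    $status = @{}
    foreach ($line in (Invoke-Netsh @('branchcache', 'show', 'status', 'all'))) {
        if ($line -match '^\s*(.+?)\s*=\s*(.*?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Get-BranchCacheFirewallRules {
    # Parse 'netsh advfirewall firewall show rule name=all' into one object per
    # rule and keep the enabled inbound rules whose name mentions BranchCache,
    # so the exceptions netsh created (TCP 80, TCP 443 on a server) are visible.
    $rules = @(); $current = $null
    foreach ($line in (Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=all'))) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($current -ne $null) { $rules += $current }
            $current = @{ Name = $matches[1] }
        } elseif ($current -ne $null -and $line -match '^(\w+):\s*(.*)$') {
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($current -ne $null) { $rules += $current }
    $rules | Where-Object { $_.Name -match 'BranchCache' -and $_.Direction -eq 'In' -and $_.Enabled -eq 'Yes' } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Protocol = $_.Protocol; LocalPort = $_.LocalPort } }
}

# Usage on the hosted cache server (the FQDN below is a constructed value):
#   Set-BranchCacheHostedServer -CacheSizePercent 10
#   (Get-BranchCacheStatus)['Service Mode']
#   Get-BranchCacheFirewallRules | Format-Table Name, Protocol, LocalPort -AutoSize
# Usage on a branch office client:
#   Set-BranchCacheHostedClient -HostedCacheFqdn 'hc1.corp.example.com'
```

Running Get-BranchCacheFirewallRules on both a client and the hosted cache server is the quickest way to confirm that only the inbound exceptions the guide describes (TCP 80 on clients, plus the HTTPS port the server certificate is bound to) are enabled, and that Group Policy has not overridden what was set by hand.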
7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.
8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.
Important
The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.
Install the certification authority and enroll certificates to hosted cache servers
When you deploy BranchCache in hosted cache mode, you must enroll server certificates to hosted cache servers. You can use the following topics to create a hosted cache servers group in Active Directory Users and Computers, add hosted cache servers to the group, install an enterprise root certification authority using Active Directory Certificate Services (AD CS), and then configure the automatic distribution, or autoenrollment, of server certificates to hosted cache servers. See the following topics to perform these actions.
Create the hosted cache servers group
Add hosted cache servers to the group
Install the certification authority (CA)
Configure the Web Server certificate template
Configure server certificate autoenrollment
Refresh Group Policy
Notes
When you deploy a public key infrastructure (PKI), you should also configure certificate revocation and publish a certificate revocation list (CRL).
If your BranchCache deployment includes only one or two hosted cache servers and you prefer not to use autoenrollment, you can use the Certificates Microsoft Management Console (MMC) snap-in to manually enroll server certificates to hosted cache servers. For more information, see Additional Resources.
2. In the details pane, right-click the folder in which you want to add a new group.
Where? Active Directory Users and Computers/domain node/folder
3. Point to New, and then click Group.
4. In New Object - Group, in Group name, type the name of the new group. For example, type Hosted Cache Servers. By default, the name you type is also entered as the pre-Windows 2000 name of the new group.
5. In Group scope, select one of the following options:
Domain local
Global
Universal
Security
Distribution
7. Click OK.
4. On the Members tab, click Add.
5. In Enter the object names to select, type the name of the hosted cache server that you want to add, and then click OK.
6. To assign group membership to other hosted cache servers, repeat steps 4 and 5 of this procedure.
your deployment, reduce Key character length to 1024. Click Next.
10. On the Configure CA Name page, keep the suggested common name for the CA or change the name according to your requirements, and then click Next.
11. On the Set Validity Period page, in Select validity period for the certificate generated for this CA, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.
12. On the Configure Certificate Database page, in Certificate database location and Certificate database log location, specify the folder location for these items. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.
13. Click Next, click Install, and then click Close.
server interoperability reasons, it is recommended that you select Windows Server 2003 Enterprise.
8. Click OK. The Properties dialog box for the certificate template opens.
9. On the General tab, in Display Name, type a new name for the certificate template or keep the default name, Copy of Web Server.
10. Click the Subject Name tab. Ensure that Build from this Active Directory information is selected. In Subject name format, select DNS name.
11. Click the Request Handling tab. For Minimum key size, determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Minimum key size to 1024.
12. Click the Security tab. In Group or user names, click Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.
13. In Select Users, Computers, Service Accounts, or Groups, type the name of the group that you created for your hosted cache servers, and then click OK. For example, type Hosted Cache Servers.
14. In Properties of New Template, in Group or User Names, click the name of the group you just added. For example, if your group is named Hosted Cache Servers, click that group.
15. In Properties of New Template, in Permissions for Hosted Cache Servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
Note: If your group name is not Hosted Cache Servers, this section of the dialog box is named Permissions for Group Name, where Group Name is the name of the hosted cache servers group that you created.
16. In the left pane of the Microsoft Management Console (MMC), double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
17. Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Web Server, and then click OK.
Note
Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.
Membership in Administrators, or equivalent, is the minimum required to complete this procedure.
To refresh Group Policy on the local computer
1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window opens.
2. Type gpupdate, and then press ENTER.
Certificates folder.
7. In the details pane, browse to the server certificate and double-click the certificate. The Certificate dialog box opens.
8. In the Certificate dialog box, click the Details tab.
Note
On the Details tab, in Field, ensure that the value of the Certificate Template Name extension matches the name of the copy of the Web Server certificate template that you configured in a previous step. For example, if you used the default name Copy of Web Server, ensure that this value appears in Certificate Template Name to verify that you have selected the correct certificate.
9. In the list of fields, select Thumbprint.
10. In the lower pane, the hexadecimal string that is the SHA-1 hash of your certificate is displayed. Select the SHA-1 hash and press the Windows keyboard shortcut for the Copy command (Ctrl+C) to copy the hash to the Windows clipboard.
11. Click Start, click All Programs, click Accessories, and then click Notepad. The Notepad application opens.
12. In Notepad, press the Windows keyboard shortcut for the Paste command (Ctrl+V) to paste the SHA-1 hash into a new text file. Remove all of the spaces between the characters in the SHA-1 hash so that the hash contains no spaces, and then save the text file to hard disk.
Note
In the next procedure, where you link the hosted cache server certificate to BranchCache, you will use the SHA-1 hash of the certificate while running a network shell (netsh) command.
Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.
To link the hosted cache server certificate to BranchCache
1. On the BranchCache hosted cache server that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.
2. Run the following command: netsh http add sslcert ipport=0.0.0.0:443 certhash=SHA-1_Hash appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}, where SHA-1_Hash is the SHA-1 hash of the server certificate on the hosted cache server.
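The thumbprint and certificate-linking procedures above, as an added PowerShell example that is not code from the Microsoft guide: it selects the enrolled certificate from the computer's Personal store by template name, checks it before use (private key present, within its validity period, Server Authentication EKU, DNS name equal to the FQDN that clients are configured with), and binds it with the same netsh http add sslcert command and appid that the guide gives. The function names are this example's own; matching the template through the Microsoft template extensions (OIDs 1.3.6.1.4.1.311.20.2 and 1.3.6.1.4.1.311.21.7) and netsh returning a non-zero exit code when no binding exists on the port are assumptions.

```powershell
# Added example (not from the Microsoft guide): find, validate and bind the
# hosted cache server certificate. Assumptions: PowerShell 2.0 on Windows
# Server 2008 R2, run elevated; template name matched via the Microsoft template
# extensions; netsh http show sslcert exits non-zero when no binding exists.

$BranchCacheAppId = '{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'   # appid from the guide
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'                        # id-kp-serverAuth

function Get-TemplateNameText {
    # Human-readable template information carried in the certificate, or ''.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $text = ''
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or $ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            $text += $ext.Format($false) + ';'
        }
    }
    return $text
}

function Test-HostedCacheCertificate {
    # Checks a hosted cache server certificate must pass before it is bound.
    # Returns the list of problems found; an empty list means the cert is usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$ExpectedDnsName)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    $now = Get-Date
    if ($Cert.NotAfter -lt $now -or $Cert.NotBefore -gt $now) { $problems += 'outside validity period' }
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($o in $ext.EnhancedKeyUsages) { if ($o.Value -eq $ServerAuthOid) { $hasServerAuth = $true } }
        }
    }
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $ExpectedDnsName) { $problems += "DNS name '$dns' does not match '$ExpectedDnsName'" }
    return $problems
}

function Find-HostedCacheCertificate {
    # Newest usable certificate issued from the template; warns about the rest.
    param([string]$TemplateName = 'Copy of Web Server')
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-TemplateNameText $_) -match [regex]::Escape($TemplateName) }
    foreach ($cert in ($candidates | Sort-Object NotAfter -Descending)) {
        $problems = @(Test-HostedCacheCertificate $cert $fqdn)
        if ($problems.Count -eq 0) { return $cert }
        Write-Warning ("Skipping " + $cert.Thumbprint + ": " + ($problems -join ', '))
    }
    throw "No usable certificate from template '$TemplateName' found in LocalMachine\My"
}

function Register-BranchCacheSslCert {
    # Bind with the guide's command. $Cert.Thumbprint is already the SHA-1 hash
    # as hex without spaces, so no manual editing of the value is needed.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [switch]$Replace)
    $existing = & netsh.exe http show sslcert ipport=0.0.0.0:443 2>&1
    if ($LASTEXITCODE -eq 0 -and -not $Replace) {
        throw "A binding already exists on 0.0.0.0:443; rerun with -Replace to delete it first.`n$existing"
    }
    if ($LASTEXITCODE -eq 0) { & netsh.exe http delete sslcert ipport=0.0.0.0:443 | Out-Null }
    & netsh.exe http add sslcert ipport=0.0.0.0:443 "certhash=$($Cert.Thumbprint)" "appid=$BranchCacheAppId" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed' }
    # Read the binding back and confirm the stored hash is the intended one.
    $bound = & netsh.exe http show sslcert ipport=0.0.0.0:443
    if (-not (($bound -join ' ') -match $Cert.Thumbprint)) { throw 'Binding verification failed' }
    return $Cert.Thumbprint
}

# Usage (run elevated on the hosted cache server):
#   $cert = Find-HostedCacheCertificate -TemplateName 'Copy of Web Server'
#   Register-BranchCacheSslCert -Cert $cert
```

The DNS name check matters because branch office clients are configured with the hosted cache server's FQDN (the location= value), and a certificate whose name differs will fail client validation even though the binding itself succeeds. The -Replace switch removes an existing binding on 0.0.0.0:443 with netsh http delete sslcert before adding the new one.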
Additional Resources
For more information about the technologies in this guide, see the following resources in the Windows Server 2008 and Windows Server 2008 R2 Technical Library.
Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=110923)
Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkId=110928)
Background Intelligent Transfer Service (BITS) (http://go.microsoft.com/fwlink/?LinkId=163282)
Configuring Certificate Revocation (http://go.microsoft.com/fwlink/?LinkId=163242)
File Services (http://go.microsoft.com/fwlink/?LinkId=163286)
Group Policy (http://go.microsoft.com/fwlink/?LinkId=110930)
Network Shell (Netsh) Commands for BranchCache (http://go.microsoft.com/fwlink/?LinkId=156640)
Web Server (http://go.microsoft.com/fwlink/?LinkId=163294)
The following topics provide information about designing a public key infrastructure and the server message block (SMB) protocol.
Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 public key infrastructure) in Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=106049)
Microsoft SMB Protocol and CIFS Protocol Overview (Windows) in the Microsoft Developer Network (MSDN) (http://go.microsoft.com/fwlink/?LinkId=163293)