Branch Cache Deploy


  • 8/3/2019 Branch Cache Deploy

    1/42

    BranchCache Deployment Guide

    Microsoft Corporation

    Published: October, 2009

    Author: James McIllece

    Editor: Scott Somohano

    Abstract

    BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in
    some editions of the Windows Server 2008 R2 and Windows 7 operating systems. To optimize
    WAN bandwidth, BranchCache copies content from your main office content servers and caches
    the content at branch office locations, allowing client computers at branch offices to access the
    content locally rather than over the WAN.

    This deployment guide provides instructions on deploying BranchCache in both distributed cache
    mode and hosted cache mode, and allows you to deploy Hypertext Transfer Protocol (HTTP),
    Background Intelligent Transfer Service (BITS), and Server Message Block (SMB)-based content
    servers that are Web servers, application servers, and file servers, respectively.


    The information contained in this document represents the current view of Microsoft Corporation
    on the issues discussed as of the date of publication. Because Microsoft must respond to
    changing market conditions, it should not be interpreted to be a commitment on the part of
    Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
    date of publication.

    This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
    EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user.
    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
    property rights covering subject matter in this document. Except as expressly provided in any
    written license agreement from Microsoft, the furnishing of this document does not give you any
    license to these patents, trademarks, copyrights, or other intellectual property.

    Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
    addresses, logos, people, places, and events depicted herein are fictitious, and no association
    with any real company, organization, product, domain name, e-mail address, logo, person, place,
    or event is intended or should be inferred.

    Your right to copy this documentation is limited by copyright law and the terms of the software
    license agreement. As the software licensee, you may make a reasonable number of copies or
    printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative
    works for commercial distribution is prohibited and constitutes a punishable violation of the law.

    © 2009 Microsoft Corporation. All rights reserved.

    Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered
    trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    All other trademarks are property of their respective owners.


    Contents

    BranchCache Deployment Guide ..... 1
    Abstract ..... 1
    Contents ..... 3
    BranchCache Deployment Guide ..... 6
    What this guide provides ..... 6
    What this guide does not provide ..... 7
    Deploy BranchCache ..... 7
    Deploy BranchCache in distributed cache mode ..... 7
    Deploy BranchCache in hosted cache mode ..... 7
    Install and configure content servers ..... 8
    Install content servers that use the BranchCache feature ..... 8
    Install the BranchCache feature ..... 8
    Configure Windows Server Update Services (WSUS) content servers ..... 9
    Install File Services content servers ..... 9
    Configure the File Services server role ..... 10
    Install a new file server as a content server ..... 10
    Configure an existing file server as a content server ..... 11
    Enable hash publication for file servers ..... 11
    Enable hash publication for non-domain member file servers ..... 12
    Enable hash publication for domain member file servers ..... 13
    Create the BranchCache file servers organizational unit ..... 13
    Move file servers to the BranchCache file servers organizational unit ..... 14
    Create the BranchCache hash publication Group Policy object ..... 14
    Configure the BranchCache hash publication Group Policy object ..... 15
    Enable BranchCache on a file share ..... 17
    Deploy a distributed cache mode design ..... 17
    Configure client computers for distributed cache mode ..... 18
    Use Group Policy to configure domain member clients for distributed cache mode ..... 18
    Configure domain member client distributed cache mode firewall rules ..... 20
    Non-domain member client configuration for distributed cache mode ..... 22
    Enable BranchCache distributed cache mode using network shell commands ..... 22
    Configure client computer distributed cache mode firewall rules ..... 23
    [MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol ..... 23
    [MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol ..... 23
    Deploy a hosted cache mode design ..... 24
    Configure client computers for hosted cache mode ..... 26
    Use Group Policy to configure domain member clients for hosted cache mode ..... 26
    Configure domain member client hosted cache mode firewall rules ..... 28
    Non-domain member client configuration for hosted cache mode ..... 29
    Enable BranchCache hosted cache mode using network shell commands ..... 29
    Configure hosted cache mode firewall rules ..... 30
    [MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol ..... 31
    [MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol ..... 31
    Install and configure the hosted cache server ..... 31
    Install the BranchCache feature ..... 32
    Enable hosted cache server mode on a hosted cache server ..... 33
    Install the certification authority and enroll certificates to hosted cache servers ..... 34
    Create the hosted cache servers group ..... 34
    Add hosted cache servers to the group ..... 35
    Install the certification authority (CA) ..... 36
    Configure the Web Server certificate template ..... 37
    Configure server certificate autoenrollment ..... 39
    Refresh Group Policy ..... 39
    Obtain the SHA-1 hash of the hosted cache server certificate ..... 40
    Link the hosted cache server certificate to BranchCache ..... 41
    Additional Resources ..... 42


    BranchCache Deployment Guide

    BranchCache is a wide area network (WAN) bandwidth optimization technology that is included in
    some editions of the Windows Server 2008 R2 and Windows 7 operating systems.

    Note
    For more information about operating systems that support BranchCache, see the section
    Operating system versions for BranchCache in the topic BranchCache Overview in the
    Windows Server 2008 and Windows Server 2008 R2 Technical Library at
    http://go.microsoft.com/fwlink/?LinkId=167096.

    To optimize WAN bandwidth, BranchCache copies content from your main office content servers
    and caches the content at branch office locations, allowing client computers at branch offices to
    access the content locally rather than over the WAN.

    At branch offices, content is cached either on servers that are running the BranchCache feature
    of Windows Server 2008 R2 or, when no server is available in the branch office, on computers
    running Windows 7. After a client computer requests and receives content from the main office
    and the content is cached at the branch office, other computers at the same branch office can
    obtain the content locally rather than contacting the main office over the WAN link.

    What this guide provides

    This deployment guide allows you to deploy BranchCache in the following modes:

    Distributed cache mode. In this mode, branch office client computers download content
    from the content servers in the main office and then cache the content for other computers in
    the same branch office. Distributed cache mode does not require a server computer in the
    branch office.

    Hosted cache mode. In this mode, branch office client computers download content from
    the content servers in the main office, and a hosted cache server retrieves the content from
    the clients. The hosted cache server then caches the content for other client computers.
    Hosted cache mode does require a server computer in the branch office, and there are
    additional requirements.

    This guide also provides instructions on how to deploy three types of content servers. Content
    servers contain the source content that is downloaded by branch office client computers, and one
    or more content servers are required to deploy BranchCache in either mode. The content server
    types are:

    Web server-based content servers. These content servers send content to BranchCache
    client computers using the HTTP and HTTPS protocols. These content servers must be
    running Windows Server 2008 R2 versions that support BranchCache and upon which the
    BranchCache feature is installed.

    BITS-based application servers. These content servers send content to BranchCache
    client computers using the Background Intelligent Transfer Service (BITS). These content
    servers must be running Windows Server 2008 R2 versions that support BranchCache and
    upon which the BranchCache feature is installed.

    File server-based content servers. These content servers must be running Windows
    Server 2008 R2 versions that support BranchCache and upon which the File Services server
    role is installed. In addition, the BranchCache for network files role service of the File
    Services server role must be installed and configured. These content servers send content to
    BranchCache client computers using the Server Message Block (SMB) protocol.

    What this guide does not provide

    This guide does not provide conceptual information that explains BranchCache functionality. This
    guide also does not contain information on how to plan and design a BranchCache deployment.
    That information is included in other BranchCache documentation, which is in the
    Windows Server 2008 and Windows Server 2008 R2 Technical Library at
    http://go.microsoft.com/fwlink/?LinkId=162776.

    Deploy BranchCache

    See the following topics to deploy BranchCache.

    Note
    The procedures in this guide do not include instructions for those cases in which the User
    Account Control dialog box opens to request your permission to continue. If this dialog
    box opens while you are performing the procedures in this guide, and if the dialog box
    was opened in response to your actions, click Continue.

    Deploy BranchCache in distributed cache mode

    To deploy BranchCache in distributed cache mode, use the following topics.

    Install and configure content servers
    Deploy a distributed cache mode design

    Deploy BranchCache in hosted cache mode

    To deploy BranchCache in hosted cache mode, use the following topics.

    Install and configure content servers
    Deploy a hosted cache mode design

    For more information on the technologies used to deploy BranchCache, see Additional
    Resources.

    Install and configure content servers

    When you deploy BranchCache in distributed cache mode or hosted cache mode, you must
    deploy one or more content servers at your main office. Content servers that are Web servers or
    application servers use the BranchCache feature. Content servers that are file servers use the
    BranchCache for network files role service of the File Services server role in Windows
    Server 2008 R2.

    See the following topics to deploy content servers.

    Install content servers that use the BranchCache feature
    Install File Services content servers

    Install content servers that use the BranchCache feature

    To deploy content servers that are Secure Hypertext Transfer Protocol (HTTPS) 1.1 Web servers,
    Hypertext Transfer Protocol (HTTP) 1.1 Web servers, and Background Intelligent Transfer Service
    (BITS)-based application servers, such as Windows Server Update Services (WSUS) and
    System Center Configuration Manager branch distribution site system servers, you must install
    the BranchCache feature, start the BranchCache service, and (for WSUS servers only) perform
    additional configuration steps.

    See the following topics to deploy content servers.

    Install the BranchCache feature
    Configure Windows Server Update Services (WSUS) content servers

    Install the BranchCache feature

    You can use this procedure to install the BranchCache feature and start the BranchCache service
    on a computer running Windows Server 2008 R2.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To install and enable the BranchCache feature

    1. Click Start, click Administrative Tools, and then click Server Manager. Server
    Manager opens.

    2. In the Server Manager left pane, right-click Features, and then click Add Features.
    The Add Features Wizard opens.

    3. In the Add Features Wizard, in Features, select the BranchCache check box, and
    then click Next.

    4. In Confirm Installation Selections, review your choice and then click Install. The
    Installation Progress pane is displayed during installation, and then the Installation
    Results pane is displayed.

    5. In Installation Results, review the summary and then click Close. The Add Features
    Wizard closes.

    6. In the Server Manager left pane, double-click Configuration, and then click
    Services.

    7. In the details pane, in Services, double-click BranchCache. The BranchCache
    Properties dialog box opens.

    8. In the BranchCache Properties dialog box, on the General tab, click Start to start
    the BranchCache service, and then click OK.

    Important
    The BranchCache service startup type is Automatic, which means that the
    BranchCache service starts whenever the computer is restarted. It is
    recommended that you keep the startup type value set to Automatic.
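The eight Server Manager steps above, and the Important note's Automatic startup type, can also be carried out and verified from an elevated PowerShell prompt, which is the repeatable form a practitioner wants when more than one content server is involved. The script below is an added example and is not part of the Microsoft guide; it assumes the ServerManager module that ships with Windows Server 2008 R2 and that the BranchCache service's short name is PeerDistSvc (display name "BranchCache"), and it reads the resulting state back rather than trusting that the install succeeded.

```powershell
# Added example (not from the Microsoft guide): scripted equivalent of the
# "To install and enable the BranchCache feature" procedure for a Windows
# Server 2008 R2 Web or BITS content server, with a verification step.
# Assumptions: the ServerManager module of Windows Server 2008 R2 is present,
# and the BranchCache service's short name is PeerDistSvc. Run elevated.

Import-Module ServerManager

# Steps 1-5: install the BranchCache feature and stop on failure.
$install = Add-WindowsFeature -Name BranchCache
if (-not $install.Success) {
    throw "BranchCache feature installation failed (exit code: $($install.ExitCode))"
}
if ($install.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the feature is fully operational.'
}

# Steps 6-8 plus the Important note: keep the startup type on Automatic and
# start the service now rather than waiting for the next reboot.
Set-Service -Name PeerDistSvc -StartupType Automatic
Start-Service -Name PeerDistSvc

# Verification: read the state back instead of assuming the steps worked.
function Test-BranchCacheContentServer {
    $feature = Get-WindowsFeature -Name BranchCache
    $service = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue
    $wmi     = Get-WmiObject -Class Win32_Service -Filter "Name='PeerDistSvc'"

    $checks = @(
        @{ Name = 'Feature installed';      Pass = [bool]$feature.Installed },
        @{ Name = 'Service running';        Pass = ($service -ne $null -and $service.Status -eq 'Running') },
        @{ Name = 'Startup type Automatic'; Pass = ($wmi -ne $null -and $wmi.StartMode -eq 'Auto') }
    )
    $allOk = $true
    foreach ($check in $checks) {
        if ($check.Pass) { Write-Host ("[OK]   {0}" -f $check.Name) }
        else             { Write-Host ("[FAIL] {0}" -f $check.Name); $allOk = $false }
    }
    return $allOk
}

if (Test-BranchCacheContentServer) {
    # netsh branchcache is available on Windows Server 2008 R2 and reports the
    # service mode and cache state from the service's own point of view.
    netsh branchcache show status
} else {
    Write-Error 'BranchCache content server is not ready; review the checks above.'
}
```

Add-WindowsFeature returns an object whose Success and RestartNeeded properties are what the script branches on; checking them, and then reading the service status back through both the service control manager and WMI, catches the two common silent failures (a feature that installed but needs a reboot, and a service that was left on Manual by an earlier change).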

    Configure Windows Server Update Services (WSUS) content servers

    After installing the BranchCache feature and starting the BranchCache service, WSUS servers
    must be configured to store update files on the local computer. When you configure WSUS
    servers to store update files on the local computer, both the update metadata and the update files
    are downloaded by and stored directly upon the WSUS server. This ensures that BranchCache
    client computers receive Microsoft product update files from the WSUS server rather than directly
    from the Microsoft Update Web site.

    To learn more about WSUS server configuration, see Advanced Synchronization Options for
    WSUS on Microsoft TechNet at http://go.microsoft.com/fwlink/?LinkId=150597.

    Install File Services content servers

    To deploy content servers that are running the File Services server role, you must install the
    BranchCache for network files role service of the File Services server role. In addition, you must
    enable hash publication on the server, and enable BranchCache on file shares according to your
    requirements.

    Note
    During the configuration of the content server, you can allow BranchCache publication of
    content for all file shares or you can select a subset of file shares to publish.

    See the following topics to deploy content servers.

    Configure the File Services server role
    Enable hash publication for non-domain member file servers
    Enable BranchCache on a file share

    Configure the File Services server role

    You can deploy BranchCache file server-based content servers on computers running Windows
    Server 2008 R2 and the File Services server role with the BranchCache for network files role
    service installed.

    To install a BranchCache content server on a computer that does not already have File
    Services installed, see Install a new file server as a content server.

    To install a BranchCache content server on a computer that is already configured with the
    File Services server role, see Configure an existing file server as a content server.

    Install a new file server as a content server

    You can use this procedure to install the File Services server role and the BranchCache for
    network files role service on a computer running Windows Server 2008 R2.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To install File Services and the BranchCache for network files role service

    1. Click Start, click Administrative Tools, and then click Server Manager. Server
    Manager opens.

    2. In the Server Manager left pane, right-click Roles, and then click Add Roles. The
    Add Roles Wizard opens. In Before You Begin, click Next.

    3. In Select Server Roles, in Roles, select the File Services check box, and then click
    Next.

    4. In File Services, review the information, and then click Next.

    5. In Select Role Services, in Role services, ensure that File Server is selected. Also
    select the BranchCache for network files check box, and then click Next.

    6. In Confirm Installation Selections, review your selections, and then click Install.
    The Installation Progress pane is displayed during installation, and then the
    Installation Results pane is displayed. Review your results, and then click Close.

    Configure an existing file server as a content server

    You can use this procedure to install the BranchCache for network files role service of the File
    Services server role on a computer running Windows Server 2008 R2.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    Note
    If the File Services server role is not already installed, do not follow this procedure.
    Instead, see Install a new file server as a content server.

    To install the BranchCache for network files role service

    1. Click Start, click Administrative Tools, and then click Server Manager. Server
    Manager opens.

    2. In the Server Manager left pane, double-click Roles, right-click File Services, and
    then click Add Role Services. The Add Role Services wizard opens.

    3. In Select Role Services, select the BranchCache for network files check box, and
    then click Next.

    4. In Confirm Installation Selections, review your selections, and then click Install.
    The Installation Progress pane is displayed during installation, and then the
    Installation Results pane is displayed. Review your results, and then click Close.

    Enable hash publication for file servers

    You can enable BranchCache hash publication on one file server or on multiple file servers.

    To enable hash publication on one file server using local computer Group Policy, see
    Enable hash publication for non-domain member file servers.

    To enable hash publication on multiple file servers using domain Group Policy, see
    Enable hash publication for domain member file servers.

    Important
    If you have multiple file servers and you want to enable hash publication per share, rather
    than enabling hash publication for all shares, you can use the instructions in the topic
    Enable hash publication for non-domain member file servers.

    Enable hash publication for non-domain member file servers

    You can use this procedure to configure hash publication for BranchCache using local computer
    Group Policy on a file server that is running Windows Server 2008 R2 with the BranchCache for
    network files role service of the File Services server role installed. This procedure is intended for
    use on a non-domain member file server. If you perform this procedure on a domain member file
    server and you also configure BranchCache using domain Group Policy, domain Group Policy
    settings override local Group Policy settings.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    Note
    If you have one or more domain member file servers, you can add them to an
    organizational unit (OU) in Active Directory Domain Services and then use Group Policy
    to configure hash publication for all of the file servers at one time, rather than individually
    configuring each file server. For more information, see Enable hash publication for
    domain member file servers.

    To enable hash publication for one file server

    1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft
    Management Console (MMC) opens.

    2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove
    Snap-ins dialog box opens.

    3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy
    Object Editor. The Group Policy Wizard opens with the Local Computer object selected.
    Click Finish, and then click OK.

    4. In the Local Group Policy Editor MMC, expand the following path: Computer
    Configuration, Administrative Templates, Network, Lanman Server. Click Lanman
    Server.

    5. In the details pane, double-click Hash Publication for BranchCache. The Hash
    Publication for BranchCache dialog box opens.

    6. In the Hash Publication for BranchCache dialog box, click Enabled.

    7. In Options, click Allow hash publication for all shared folders, and then click one
    of the following:

    a. To enable hash publication for all shared folders on this computer, click Allow
    hash publication for all shared folders.

    b. To enable hash publication only for shared folders for which BranchCache is
    enabled, click Allow hash publication only for shared folders on which
    BranchCache is enabled.

    c. To disallow hash publication for all shared folders on the computer even if
    BranchCache is enabled on the file shares, click Disallow hash publication on all
    shared folders.

    8. Click OK.
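For a non-domain member file server, the role-service install from the earlier sections and the eight-step local policy procedure above can be scripted and read back from an elevated PowerShell prompt. The script below is an added example, not part of the Microsoft guide; it assumes the ServerManager module of Windows Server 2008 R2, that the Hash Publication for BranchCache setting is stored as the DWORD HashPublicationForPeerCaching under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer with the three option values mapped as shown in the comments (an assumption drawn from the Lanman Server policy template, not from this guide), and that the share name Data is a constructed placeholder.

```powershell
# Added example (not from the Microsoft guide): scripted equivalent of
# installing the BranchCache for network files role service and of the
# "To enable hash publication for one file server" procedure on a
# non-domain-member Windows Server 2008 R2 file server. Run elevated.
# Assumptions: the "Hash Publication for BranchCache" policy setting is the
# DWORD HashPublicationForPeerCaching under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer, with
#   0 = Disallow hash publication on all shared folders            (option c)
#   1 = Allow hash publication for all shared folders              (option a)
#   2 = Allow hash publication only for shared folders on which
#       BranchCache is enabled                                      (option b)
# The share name 'Data' is a constructed placeholder for an existing share.

Import-Module ServerManager

# File Server and BranchCache for network files role services (Server Manager
# names FS-FileServer and FS-BranchCache); Add-WindowsFeature is idempotent.
$install = Add-WindowsFeature -Name FS-FileServer, FS-BranchCache
if (-not $install.Success) { throw "Role service installation failed ($($install.ExitCode))" }

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
$ValueName = 'HashPublicationForPeerCaching'
$ModeNames = @{
    0 = 'Disallowed on all shared folders'
    1 = 'Allowed for all shared folders'
    2 = 'Allowed only for shared folders on which BranchCache is enabled'
}

function Set-HashPublicationMode {
    param([Parameter(Mandatory=$true)][ValidateSet(0,1,2)][int]$Mode)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Mode -Type DWord
}

function Get-HashPublicationMode {
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Not configured (policy value absent)' }
    $mode = [int]$item.$ValueName
    if ($ModeNames.ContainsKey($mode)) { return $ModeNames[$mode] }
    return "Unknown value $mode"
}

# Option b of step 7: publish hashes only for shares where BranchCache is
# explicitly enabled, so a newly created share is not published by default.
Set-HashPublicationMode -Mode 2
Write-Host ("Hash publication: {0}" -f (Get-HashPublicationMode))

# Enable BranchCache on one existing share (placeholder name 'Data');
# /CACHE:BranchCache is the net share caching option on Windows Server 2008 R2.
net share Data /CACHE:BranchCache

# Read back what the BranchCache service itself reports.
netsh branchcache show status
```

Writing the value under the Policies key is what the Local Group Policy Editor does when the setting is applied; on a domain member, a domain GPO that configures the same setting overwrites it at the next policy refresh, which is the precedence the section above describes, so for domain members use the Group Policy procedure that follows. Option 2 is the conservative default on a server with mixed shares: hashes, which let branch peers identify and retrieve cached content, are only generated for shares an administrator has explicitly opted in.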

    Enable hash publication for domain member file servers

    When you're using Active Directory Domain Services (AD DS), you can use domain Group Policy
    to enable BranchCache hash publication for multiple file servers. To do so, you must create an
    organizational unit (OU), add file servers to the OU, create a BranchCache hash publication
    Group Policy object (GPO), and then configure the GPO.

    See the following topics to enable hash publication for multiple file servers.

    Create the BranchCache file servers organizational unit
    Move file servers to the BranchCache file servers organizational unit
    Create the BranchCache hash publication Group Policy object
    Configure the BranchCache hash publication Group Policy object

    Create the BranchCache file servers organizational unit

    You can use this procedure to create an organizational unit (OU) in Active Directory Domain
    Services (AD DS) for BranchCache file servers.

    Membership in Domain Admins, or equivalent, is the minimum required to perform this
    procedure.

    To create the BranchCache file servers organizational unit

    1. On a computer where AD DS is installed, click Start, click Administrative Tools, and
    then click Active Directory Users and Computers. The Active Directory Users and
    Computers console opens.

    2. In the Active Directory Users and Computers console, right-click the domain to which
    you want to add an OU. For example, if your domain is named example.com, right-click
    example.com. Point to New, and then click Organizational Unit. The New Object -
    Organizational Unit dialog box opens.

    3. In the New Object - Organizational Unit dialog box, in Name, type a name for the
    new OU. For example, if you want to name the OU BranchCache file servers, type
    BranchCache file servers, and then click OK.

    Move file servers to the BranchCache file servers organizational unit

    You can use this procedure to add BranchCache file servers to an organizational unit (OU) in
    Active Directory Domain Services (AD DS).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this
    procedure.

    Note
    You must create a BranchCache file servers OU in the Active Directory Users and
    Computers console before you add computer accounts to the OU with this procedure. For
    more information, see Create the BranchCache file servers organizational unit.

    To move file servers to the BranchCache file servers organizational unit

    1. On a computer where AD DS is installed, click Start, click Administrative Tools, and
    then click Active Directory Users and Computers. The Active Directory Users and
    Computers console opens.

    2. In the Active Directory Users and Computers console, locate the computer account
    for a BranchCache file server, left-click to select the account, and then drag and drop the
    computer account on the BranchCache file servers OU that you previously created. For
    example, if you previously created an OU named BranchCache file servers, drag and
    drop the computer account on the BranchCache file servers OU.

    3. Repeat the previous step for each BranchCache file server in the domain that you
    want to move to the OU.

    Create the BranchCache hash publication Group Policy object

    You can use this procedure to create the BranchCache hash publication Group Policy object
    (GPO).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this
    procedure.

    Note
    Before performing this procedure, you must create the BranchCache file servers
    organizational unit and move file servers into the OU. For more information, see Enable
    hash publication for domain member file servers.

    To create the BranchCache hash publication Group Policy object

    1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft
    Management Console (MMC) opens.

    2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove
    Snap-ins dialog box opens.

    3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy
    Management, and then click OK.

    4. In the Group Policy Management MMC, expand the path to the BranchCache file
    servers OU that you previously created. For example, if your forest is named
    example.com, your domain is named example1.com, and your OU is named
    BranchCache file servers, expand the following path: Group Policy Management,
    Forest: example.com, Domains, example1.com, Group Policy Objects.

    5. Right-click Group Policy Objects, and then click New. The New GPO dialog box
    opens. In Name, type a name for the new Group Policy object (GPO). For example, if you
    want to name the object BranchCache Hash Publication, type BranchCache Hash
    Publication. Click OK.

    6. In the Group Policy Management MMC, right-click the BranchCache file servers
    organizational unit (OU) that you created previously. For example, if your OU is named
    BranchCache file servers, right-click BranchCache file servers, and then click Link an
    Existing GPO. The Select GPO dialog box opens.

    7. In the Select GPO dialog box, in Group Policy objects, click the BranchCache hash
    publication GPO that you created earlier in this procedure. For example, if your GPO is
    named BranchCache Hash Publication, click BranchCache Hash Publication. Click OK.

    Configure the BranchCache hash publication Group Policy object

    You can use this procedure to configure the BranchCache hash publication Group Policy object
    (GPO).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this
    procedure.

  • 8/3/2019 Branch Cache Deploy

    16/42

    Before performing this procedure, you must create the BranchCache file servers

    organizational unit, move file servers into the OU, and create the BranchCache hash

    publication Group Policy object (GPO). For more information, see Enable hashpublication for domain member file servers.

To configure the BranchCache hash publication Group Policy object

1. Click Start, click Run, type mmc, and then press ENTER. The Microsoft Management Console (MMC) opens.

2. In the MMC, on the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

3. In Add or Remove Snap-ins, in Available snap-ins, double-click Group Policy Management, and then click OK.

4. In the Group Policy Management MMC, expand the path to the BranchCache hash publication GPO that you previously created. For example, if your forest is named example.com, your domain is named example1.com, and your GPO is named BranchCache Hash Publication, expand the following path: Group Policy Management, Forest: example.com, Domains, example1.com, Group Policy Objects, BranchCache Hash Publication.

5. Right-click the BranchCache Hash Publication GPO and click Edit. The Group Policy Management Editor console opens.

6. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates, Network, Lanman Server.

7. In the Group Policy Management Editor console, click Lanman Server. In the details pane, double-click Hash Publication for BranchCache. The Hash Publication for BranchCache dialog box opens.

8. In the Hash Publication for BranchCache dialog box, click Enabled.

9. In Options, click Allow hash publication for all shared folder, and then click one of the following:

a. To enable hash publication for all shared folders on this computer, click Allow hash publication for all shared folder.

b. To enable hash publication only for shared folders for which BranchCache is enabled, click Allow hash publication only for shared folders on which BranchCache is enabled.

c. To disallow hash publication for all shared folders on the computer even if BranchCache is enabled on the file shares, click Disallow hash publication on all shared folders.

10. Click OK.

Note
In most cases, you must save the MMC console and refresh the view to display the configuration changes you have made.

Enable BranchCache on a file share

You can use this procedure to enable BranchCache on a file share.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Note
To make shared content available to BranchCache client computers, you must enable BranchCache on the file share, and the hash publication setting in Group Policy must be set to either Allow hash publication only for shared folders on which BranchCache is enabled or Allow hash publication for all shared folder.

To enable BranchCache on a file share

1. Click Start, click Administrative Tools, and then click Share and Storage Management. The Share and Storage Management console opens.

2. In the details pane, on the Shares tab, right-click a share, and then click Properties. The share's Properties dialog box opens.

3. In the Properties dialog box, on the Sharing tab, click Advanced.

4. Click the Caching tab, ensure that Only the files and programs that users specify are available offline is selected, and then click Enable BranchCache.

5. Click OK twice.

Deploy a distributed cache mode design

When you deploy BranchCache in distributed cache mode for a branch office, a hosted cache server is not required at the branch office.

Client computers that are running either Windows 7 Enterprise or Windows 7 Ultimate are installed at the branch office. These clients download content from content servers that are installed at the main office; after downloading content, the client computers act as client cache servers by providing the content to other clients in the same branch office upon request.

To deploy BranchCache in distributed cache mode, you must install and configure content servers in your main office and install and configure client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as by using DirectAccess.

See the following topics to deploy BranchCache in distributed cache mode.

Install and configure content servers

Configure client computers for distributed cache mode

Configure client computers for distributed cache mode

You can use the procedures in this section to configure client computers for BranchCache when you deploy distributed cache mode. Client computers running Windows 7 have BranchCache installed by default; however, you must enable and configure BranchCache and configure firewall exceptions.

See the following topics to perform these actions.

Use Group Policy to configure domain member clients for distributed cache mode

Configure domain member client distributed cache mode firewall rules

Non-domain member client configuration for distributed cache mode

Note
When distributed cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure client computer distributed cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for distributed cache mode

You can use this procedure to configure Group Policy to enable and configure BranchCache distributed cache mode on domain-joined client computers.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for distributed cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.

4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.

6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.

7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Distributed Cache mode. The Set BranchCache Distributed Cache mode dialog box opens.

9. In the Set BranchCache Distributed Cache mode dialog box, click Enabled, and then click OK.

10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.

11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.

12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.

Configure domain member client distributed cache mode firewall rules

When you configure BranchCache in distributed cache mode, BranchCache client computers use the Hypertext Transfer Protocol (HTTP) for data transfer with other client computers. BranchCache client computers also use the Web Services Dynamic Discovery (WS-Discovery) protocol when they attempt to discover content on client cache servers. You can use this procedure to configure client firewall exceptions to allow incoming HTTP and WS-Discovery traffic on client computers that are configured for distributed cache mode.

Note
The HTTP inbound and outbound firewall exceptions created with this procedure have the following settings: TCP port 80. The WS-Discovery inbound and outbound firewall exceptions created with this procedure have the following settings: UDP port 3702.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure distributed cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

3. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

4. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security LDAP, Inbound Rules.

5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.

7. In Predefined Rules, click Next.

8. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

9. To create the WS-Discovery firewall exception, again right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.

11. In Predefined Rules, click Next.

12. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.

15. In Predefined Rules, click Next.

16. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

17. To create the WS-Discovery firewall exception, again right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

18. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Peer Discovery (Uses WSD). Click Next.

19. In Predefined Rules, click Next.

20. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

Non-domain member client configuration for distributed cache mode

Using Group Policy to automate the configuration of BranchCache client computers for distributed cache mode is recommended; however, you can also manually configure individual computers. In addition, you can use these topics to configure non-domain member computers.

See the following topics to manually configure BranchCache client computers.

Enable BranchCache distributed cache mode using network shell commands

Configure client computer distributed cache mode firewall rules

Enable BranchCache distributed cache mode using network shell commands

You can use this procedure to manually configure a BranchCache client computer for distributed cache mode using network shell (netsh) commands.

Note
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

To enable BranchCache distributed cache mode using network shell commands

1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

2. Run the following command: netsh branchcache set service mode=DISTRIBUTED

Note
Running the netsh branchcache set service command both configures the client computer for distributed cache mode and automatically configures the client computer firewall with the following inbound exceptions for distributed cache mode: TCP port 80 and UDP port 3702.

3. To enable client computers to download and cache content from BranchCache file server-based content servers, run the following command: netsh branchcache smb set latency latency=Number, where Number is a numeric value, in milliseconds, for the maximum round trip network latency time.

Configure client computer distributed cache mode firewall rules

You can use the information in this topic to configure third party firewall products and to manually configure a client computer with firewall rules that allow BranchCache to run in distributed cache mode.

Notes
If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

If you have deployed BranchCache with DirectAccess, you can use the settings in this topic to configure IPsec rules to allow BranchCache traffic.

Membership in Administrators, or equivalent, is the minimum required to make these configuration changes.

[MS-PCCRD]: Peer Content Caching and Retrieval Discovery Protocol

Distributed cache clients must allow inbound and outbound MS-PCCRD traffic, which is carried in the Web Services Dynamic Discovery (WS-Discovery) protocol.

Firewall settings must allow multicast traffic in addition to inbound and outbound traffic. You can use the following settings to configure firewall exceptions for distributed cache mode.

IPv4 multicast: 239.255.255.250
IPv6 multicast: FF02::C
Inbound traffic: Local port: 3702, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 3702
Program: %systemroot%\system32\svchost.exe (BranchCache Service [PeerDistSvc])

[MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

Distributed cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.

Firewall settings must allow inbound and outbound traffic. You can use the following settings to configure firewall exceptions for distributed cache mode.

Inbound traffic: Local port: 80, Remote port: ephemeral
Outbound traffic: Local port: ephemeral, Remote port: 80
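The following PowerShell script is an added example, not code from the Microsoft guide: on a Windows 7 client it performs the netsh steps from the previous topic (distributed cache mode and the SMB latency threshold) and then adds explicit Windows Firewall rules that match the MS-PCCRD and MS-PCCRR settings above, scoped to the BranchCache service inside svchost.exe, before showing the resulting service state. The rule names are chosen for this example, and 80 ms is passed only because it is the documented default threshold.

```powershell
# Added example, not from the Microsoft BranchCache Deployment Guide.
# Run from an elevated PowerShell prompt on a Windows 7 client.
# Assumptions: the rule names below are chosen for this example, and the
# latency of 80 ms mirrors the documented default rather than a required value.

$svchost = Join-Path $env:SystemRoot 'system32\svchost.exe'

# Run netsh and fail loudly instead of silently continuing after a bad argument.
function Invoke-Netsh {
    param([string[]]$NetshArgs)
    $output = & netsh.exe @NetshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $output"
    }
    return $output
}

# Step 2 of the netsh procedure: distributed cache mode. This call also adds the
# built-in inbound exceptions for TCP port 80 and UDP port 3702.
Invoke-Netsh @('branchcache', 'set', 'service', 'mode=DISTRIBUTED')

# Step 3: cache SMB content only when the round trip latency exceeds 80 ms.
Invoke-Netsh @('branchcache', 'smb', 'set', 'latency', 'latency=80')

# Explicit rules in the shape the MS-PCCRD and MS-PCCRR settings describe.
# Each rule is bound to the BranchCache service (PeerDistSvc) hosted in
# svchost.exe, so nothing else in that process can reuse the opening.
# WS-Discovery probes are sent to 239.255.255.250 (IPv4) and FF02::C (IPv6);
# a firewall that filters on destination address must permit those as well.
$rules = @(
    @{ Name = 'BranchCache MS-PCCRD WS-Discovery (In)';  Dir = 'in';  Proto = 'UDP'; Local = '3702'; Remote = 'any'  },
    @{ Name = 'BranchCache MS-PCCRD WS-Discovery (Out)'; Dir = 'out'; Proto = 'UDP'; Local = 'any';  Remote = '3702' },
    @{ Name = 'BranchCache MS-PCCRR HTTP (In)';          Dir = 'in';  Proto = 'TCP'; Local = '80';   Remote = 'any'  },
    @{ Name = 'BranchCache MS-PCCRR HTTP (Out)';         Dir = 'out'; Proto = 'TCP'; Local = 'any';  Remote = '80'   }
)

foreach ($rule in $rules) {
    Invoke-Netsh @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$($rule.Name)", "dir=$($rule.Dir)", 'action=allow',
        "protocol=$($rule.Proto)", "localport=$($rule.Local)", "remoteport=$($rule.Remote)",
        "program=$svchost", 'service=PeerDistSvc',
        'profile=domain,private'   # keep the peer ports closed on the public profile
    )
}

# Verify: the mode should read Distributed and the service should be running.
Invoke-Netsh @('branchcache', 'show', 'status', 'all')
```

Running the script twice creates duplicate rules with the same names; remove the earlier set first with netsh advfirewall firewall delete rule name=<rule name>.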

Deploy a hosted cache mode design

When you deploy BranchCache in hosted cache mode for a branch office, a hosted cache server is installed at the branch office.

Client computers that are running either Windows 7 Enterprise or Windows 7 Ultimate are also installed at the branch office. These clients download content from content servers that are installed at the main office; and after content is downloaded, the hosted cache server obtains and caches the content, providing the content to other clients in the same branch office upon request.

To deploy BranchCache in hosted cache mode, you must install and configure content servers in your main office and install and configure a hosted cache server and client computers in your branch office. In addition, client computers at branch offices must be able to access the main office content servers over some type of wide area network (WAN) link, such as a dedicated or on-demand virtual private network (VPN) connection between the offices; or clients must use some other method to connect to the content servers, such as by using DirectAccess.

Important
BranchCache is compatible only with VPN software that supports split tunneling. Do not enable hosted cache mode on client computers in a branch office if these clients use host-based VPN software that does not support split tunneling. If the VPN software does not support split tunneling, client computers route traffic through the main office VPN servers when downloading from the local hosted cache, which will create unnecessary WAN link traffic and network congestion.

Finally, you must enroll a server certificate to your hosted cache server that the server uses to prove its identity to client computers in the branch office. After the hosted cache server enrolls a certificate, you must obtain the SHA-1 hash of the certificate and link the certificate to BranchCache.

Note
The server certificate that is enrolled to hosted cache servers must be issued by a certification authority (CA) that is trusted by client computers. If client computers do not trust the CA that issued the certificate to the hosted cache server, authentication fails and the client computers will not be able to obtain content from the hosted cache server.

CAs and certificates

You can deploy server certificates with either a public CA or with a private CA that you own and deploy.

Public CAs are deployed by third party companies, such as Verisign, who sell certificates for use by their customers. This guide does not describe how to deploy hosted cache mode with certificates that are issued by a public CA, but it is possible if you ensure that the certificates meet the minimum server certificate requirements and are configured in accordance with the Web Server certificate template as described in this guide. In addition, before purchasing a server certificate issued by a public CA, you should ensure that BranchCache client computers already trust the public CA.

Private CAs are deployed by organizations who design and deploy a public key infrastructure (PKI). This guide provides instructions on how to deploy your own CA using Active Directory Certificate Services (AD CS).

Note
This guide does not provide instructions on how to design a PKI, and you should review AD CS documentation before deploying your own CA. For more information, see Additional Resources.

There are two types of certificates that are used when you deploy BranchCache in hosted cache mode:

CA certificate. When you deploy your own CA, the root CA certificate is automatically distributed to client computers that are domain members. The certificate is stored in the Trusted Root Certification Authorities certificate store for the Local Computer and for the Current User. These certificate stores can be viewed by using the Certificates Microsoft Management Console (MMC) snap-in. When a CA certificate exists in the Trusted Root Certification Authorities certificate store, it means that the computer trusts all certificates that are issued by the CA.

Server certificate. The server certificate is issued by the CA to the hosted cache server. The hosted cache server uses the certificate to prove its identity to client computers during the authentication process.
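As an added example that is not part of the Microsoft guide, the following PowerShell script, run on the hosted cache server, locates the enrolled server certificate in the Local Computer store, checks that it is valid for server authentication and that it chains to a CA the computer trusts (the trust condition described above, without which client authentication fails), and returns the SHA-1 hash that the later linking step requires. The FQDN is a placeholder and the function name is chosen for this example.

```powershell
# Added example, not from the Microsoft BranchCache Deployment Guide.
# Run on the hosted cache server from an elevated PowerShell prompt.
# Assumption: the FQDN below is a placeholder for your hosted cache server.
param([string]$HostedCacheFqdn = 'hostedcache.example.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Get-HostedCacheServerCertificate {
    param([string]$Fqdn)

    # Only certificates with a private key can be presented by the server.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Fqdn*" }

    foreach ($cert in $candidates) {
        # The hosted cache server presents this certificate over HTTPS, so the
        # Web Server template's Server Authentication purpose must be present.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $false
        if ($eku) {
            foreach ($usage in $eku.EnhancedKeyUsages) {
                if ($usage.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
        if (-not $hasServerAuth) { continue }

        # Build the chain the way a client does, revocation checking included.
        # A CA missing from Trusted Root Certification Authorities surfaces here
        # as UntrustedRoot, the same condition that makes clients reject the server.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning "$($cert.Thumbprint) does not chain to a trusted CA: $reasons"
            continue
        }
        return $cert
    }
    return $null
}

$cert = Get-HostedCacheServerCertificate -Fqdn $HostedCacheFqdn
if ($cert -eq $null) {
    throw "No trusted server authentication certificate for $HostedCacheFqdn in Cert:\LocalMachine\My"
}

# Thumbprint is the SHA-1 hash of the certificate, the value that is later
# linked to BranchCache on the hosted cache server.
"Issuer:     $($cert.Issuer)"
"Expires:    $($cert.NotAfter)"
"SHA-1 hash: $($cert.Thumbprint)"
```

Running the same chain check on a branch office client (against the certificate exported from the server) confirms that the CA certificate reached the client's Trusted Root Certification Authorities store before clients are switched to hosted cache mode.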

Hosted cache mode

See the following topics to deploy BranchCache in hosted cache mode.

Install and configure content servers

Configure client computers for hosted cache mode

Install the certification authority and enroll certificates to hosted cache servers

Obtain the SHA-1 hash of the hosted cache server certificate

Link the hosted cache server certificate to BranchCache

Configure client computers for hosted cache mode

You can use the procedures in this section to configure client computers for BranchCache when you deploy hosted cache mode. Client computers running some versions of Windows 7 have BranchCache installed by default; however, you must enable and configure BranchCache and configure firewall rules on client computers.

See the following topics to perform these actions.

Use Group Policy to configure domain member clients for hosted cache mode

Configure domain member client hosted cache mode firewall rules

Non-domain member client configuration for hosted cache mode

Note
When hosted cache mode clients are connecting to main office resources using DirectAccess, ensure that Internet Protocol security (IPsec) rules allow BranchCache traffic. Use the inbound and outbound rule settings provided in the topic Configure hosted cache mode firewall rules to create IPsec rules.

Use Group Policy to configure domain member clients for hosted cache mode

With this procedure you can use Group Policy to enable and configure BranchCache hosted cache mode on domain-joined client computers.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To use Group Policy to configure clients for hosted cache mode

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

3. Right-click Group Policy Objects, and then click New. The New GPO dialog box opens. In Name, type a name for the new Group Policy object (GPO). For example, if you want to name the object BranchCache Client Computers, type BranchCache Client Computers. Click OK.

4. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the GPO that you just created. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

5. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, BranchCache.

6. Click BranchCache, and then in the details pane, double-click Turn on BranchCache. The Turn on BranchCache dialog box opens.

7. In the Turn on BranchCache dialog box, click Enabled, and then click OK.

8. In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCache Hosted Cache mode. The Set BranchCache Hosted Cache mode dialog box opens.

9. In the Set BranchCache Hosted Cache mode dialog box, click Enabled. In Enter the location of hosted cache, type the fully qualified domain name (FQDN) of the hosted cache server, and then click OK.

10. To configure the amount of hard disk space allocated on each client computer for the BranchCache cache: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set percentage of disk space used for client computer cache. The Set percentage of disk space used for client computer cache dialog box opens. Click Enabled, and then in Options type a numeric value that represents the percentage of hard disk space used on each client computer for the BranchCache cache.

11. To enable client computers to download and cache content from BranchCache file server-based content servers: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click BranchCache for network files. The Configure BranchCache for network files dialog box opens.

12. In the Configure BranchCache for network files dialog box, click Enabled. In Options, type a numeric value, in milliseconds, for the maximum round trip network latency time, and then click OK.

Note
By default, client computers cache content from file servers if the round trip network latency is longer than 80 milliseconds.

Configure domain member client hosted cache mode firewall rules

When you configure BranchCache in hosted cache mode, BranchCache client computers use the Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) for data transfer with other client computers. You can use this procedure to configure client firewall inbound and outbound rules to allow HTTP and HTTPS traffic on client computers that are configured for hosted cache mode.

Note
The HTTP inbound and outbound firewall rules that are created with this procedure have the following settings: TCP port 80. The HTTPS outbound firewall exception created with this procedure has the following setting: TCP port 443.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To configure hosted cache mode client firewall exceptions

1. On a computer upon which the Active Directory Domain Services server role is installed, click Start, click Administrative Tools, and click Group Policy Management. The Group Policy Management console opens.

2. In the Group Policy Management console, expand the following path: Forest: example.com, Domains, example.com, Group Policy Objects, where example.com is the name of the domain where the BranchCache client computer accounts that you want to configure are located.

3. In the Group Policy Management console, ensure that Group Policy Objects is selected, and in the details pane right-click the BranchCache client computers GPO that you created previously. For example, if you named your GPO BranchCache Client Computers, right-click BranchCache Client Computers. Click Edit. The Group Policy Management Editor console opens.

4. In the Group Policy Management Editor console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security LDAP, Inbound Rules.

5. Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard opens.

6. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.

7. In Predefined Rules, click Next.

8. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to receive traffic on this port.

9. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

10. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Content Retrieval (Uses HTTP). Click Next.

11. In Predefined Rules, click Next.

12. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

13. In the Group Policy Management Editor console, right-click Outbound Rules, and then click New Rule. The New Outbound Rule Wizard opens.

14. In Rule Type, click Predefined, expand the list of choices, and then click BranchCache Hosted Cache Client (Uses HTTPS). Click Next.

15. In Predefined Rules, click Next.

16. In Action, ensure that Allow the connection is selected, and then click Finish.

Important
You must select Allow the connection for the BranchCache client to be able to send traffic on this port.

    Non-domain member client configuration for hosted cache mode

    Using Group Policy to automate the configuration of BranchCache client computers for hosted cache mode is recommended; however, you can also manually configure individual computers. See the following topics to manually configure BranchCache client computers.

    Enable BranchCache hosted cache mode using network shell commands

    Configure hosted cache mode firewall rules

    Enable BranchCache hosted cache mode using network shell commands

    You can use this procedure to manually configure a BranchCache client computer for hosted cache mode using network shell (netsh) commands. Running the command below configures the client computer for hosted cache mode and automatically configures the client computer firewall with the following inbound exception for hosted cache mode: TCP port 80.

    Note

    If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To enable BranchCache hosted cache mode using network shell commands

    1. On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

    2. Run the following command: netsh branchcache set service mode=HOSTEDCLIENT location=HostedCacheName, where HostedCacheName is the fully qualified domain name of the hosted cache server.

    Note

    If the hosted cache server and client computers are not joined to an Active Directory domain, set client authentication to NONE using the additional clientauthentication parameter in this command: netsh branchcache set service mode=HOSTEDCLIENT location=HostedCacheName clientauthentication=NONE

    Configure hosted cache mode firewall rules

    You can use the information in this topic to configure third-party firewall products and to manually configure a client computer or a hosted cache server in a branch office with firewall rules that allow BranchCache to run in hosted cache mode.

    Notes

    If you have configured BranchCache client computers using Group Policy, the Group Policy settings override any manual configuration of client computers to which the policies are applied.

    If you have deployed BranchCache with DirectAccess, you can use the settings in this topic to configure IPsec rules to allow BranchCache traffic.


    Membership in Administrators, or equivalent, is the minimum required to perform firewall configuration changes.

    [MS-PCCRR]: Peer Content Caching and Retrieval: Retrieval Protocol

    Hosted Cache clients must allow inbound and outbound MS-PCCRR traffic, which is carried in the HTTP 1.1 protocol as documented in request for comments (RFC) 2616.

    Firewall settings must allow inbound, outbound, and program traffic. You can use the following settings to configure firewall exceptions for hosted cache mode.

    Inbound traffic: Local port: 80, Remote port: ephemeral

    Outbound traffic: Local port: ephemeral, Remote port: 80

    [MS-PCHC]: Peer Content Caching and Retrieval: Hosted Cache Protocol

    Hosted Cache clients must allow inbound and outbound MS-PCHC traffic, which is carried in the HTTP 1.1 over TLS (HTTPS) protocol as documented in request for comments (RFC) 2818.

    Firewall settings must enable outbound traffic. You can use the following settings to configure firewall exceptions for hosted cache mode.

    Outbound traffic: Local port: ephemeral, Remote port: 443
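The client-side netsh procedure and the MS-PCCRR/MS-PCHC firewall settings above, carried out as one script. This is an added example, not a procedure from the guide; it assumes an elevated Windows PowerShell prompt on a Windows 7 or Windows Server 2008 R2 client, and the HostedCacheFqdn value and the firewall rule names are placeholders you supply.

```powershell
# Added example, not from the deployment guide. Configures a BranchCache client for
# hosted cache mode with netsh and writes the hosted cache mode firewall rules listed
# above (MS-PCCRR: inbound and outbound TCP 80; MS-PCHC: outbound TCP 443).
# Assumptions: elevated PowerShell prompt on Windows 7 / Windows Server 2008 R2;
# -HostedCacheFqdn is your hosted cache server; the rule names are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string]$HostedCacheFqdn,
    # Use only when neither the client nor the hosted cache server is domain-joined.
    [switch]$NoClientAuthentication
)

function Invoke-Netsh {
    # Runs netsh with the given arguments and stops on a non-zero exit code.
    param([string[]]$NetshArgs)
    $output = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed (exit code $LASTEXITCODE): $output"
    }
    return $output
}

# 1. Hosted cache client mode, pointing at the hosted cache server (the guide's command).
#    netsh also adds the inbound TCP 80 exception described in the procedure above.
$serviceArgs = @('branchcache', 'set', 'service', 'mode=HOSTEDCLIENT', "location=$HostedCacheFqdn")
if ($NoClientAuthentication) { $serviceArgs += 'clientauthentication=NONE' }
Invoke-Netsh $serviceArgs | Out-Null

# 2. Explicit Windows Firewall rules that match the MS-PCCRR and MS-PCHC settings above.
#    Only the fixed port is constrained; the ephemeral side is left unrestricted.
$rules = @(
    @{ Name = 'BranchCache hosted cache MS-PCCRR in';  Dir = 'in';  Port = 'localport=80' },
    @{ Name = 'BranchCache hosted cache MS-PCCRR out'; Dir = 'out'; Port = 'remoteport=80' },
    @{ Name = 'BranchCache hosted cache MS-PCHC out';  Dir = 'out'; Port = 'remoteport=443' }
)
foreach ($rule in $rules) {
    # Remove an earlier copy first so re-running the script does not create duplicates.
    & netsh.exe advfirewall firewall delete rule "name=$($rule.Name)" | Out-Null
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$($rule.Name)",
                   "dir=$($rule.Dir)", 'action=allow', 'protocol=TCP', $rule.Port,
                   'profile=any', 'enable=yes') | Out-Null
}

# 3. Show the resulting service and firewall state for the deployment record.
Invoke-Netsh @('branchcache', 'show', 'status', 'all')
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=all') |
    Select-String -Pattern 'BranchCache hosted cache'
```

Group Policy settings still take precedence over anything this script sets on domain-joined clients, as the notes above state.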

    Install and configure the hosted cache server

    When you deploy BranchCache in hosted cache mode for one or more branch offices, you must install a hosted cache server in each branch office. You can use an existing application server as a hosted cache server if you upgrade the server to one of the following operating systems:

    Windows Server 2008 R2 Enterprise

    Windows Server 2008 R2 Enterprise with Hyper-V

    Windows Server 2008 R2 Enterprise Core Install

    Windows Server 2008 R2 Enterprise Core Install with Hyper-V

    Windows Server 2008 R2 for Itanium-Based Systems

    Windows Server 2008 R2 Datacenter

    Windows Server 2008 R2 Datacenter with Hyper-V

    Windows Server 2008 R2 Datacenter Core Install with Hyper-V

    To deploy a hosted cache server, you must install and enable the BranchCache feature, enable hosted cache mode, and configure firewall exceptions to allow communication between the hosted cache server and client computers in the branch office.

    Note

    By default, the cache on the hosted cache server is configured to use 5% of the hard disk space on the local hard disk. If you want to change the size of the cache, you can use the netsh branchcache set cachesize command, which specifies the size of the local cache as either a percentage of the size of the hard disk where the cache is located or as an exact number of bytes. For more information, see Additional Resources.

    See the following topics to install and configure the hosted cache server.

    Install the BranchCache feature

    Enable hosted cache server mode on a hosted cache server

    Note

    When you enable hosted cache mode using the netsh branchcache set service command as described in the topic Enable hosted cache server mode on a hosted cache server, the firewall on the hosted cache server is automatically configured with the correct exceptions for hosted cache mode. You do not need to make additional configuration changes to the firewall; however, the topic Configure hosted cache mode firewall rules is provided for reference.

    Install the BranchCache feature

    You can use this procedure to install the BranchCache feature and start the BranchCache service on a computer running Windows Server 2008 R2.

    Membership in Administrators, or equivalent, is the minimum required to perform this procedure.

    To install and enable the BranchCache feature

    1. Click Start, click Administrative Tools, and then click Server Manager. Server Manager opens.

    2. In the Server Manager left pane, right-click Features, and then click Add Features. The Add Features Wizard opens.

    3. In the Add Features Wizard, in Features, select the BranchCache check box, and then click Next.

    4. In Confirm Installation Selections, review your choice and then click Install. The Installation Progress pane is displayed during installation, and then the Installation Results pane is displayed.

    5. In Installation Results, review the summary and then click Close. The Add Features Wizard closes.

    6. In the Server Manager left pane, double-click Configuration, and then click Services.

    7. In the details pane, in Services, double-click BranchCache. The BranchCache Properties dialog box opens.

    8. In the BranchCache Properties dialog box, on the General tab, click Start to start the BranchCache service, and then click OK.

    Important

    The BranchCache service startup type is Automatic, which means that the BranchCache service starts whenever the computer is restarted. It is recommended that you keep the startup type value set to Automatic.

    Enable hosted cache server mode on a hosted cache server

    You can use this procedure to manually configure a BranchCache hosted cache server for hosted cache mode using network shell (netsh) commands. Running the command below both configures the server for hosted cache mode and automatically configures the firewall with the following inbound exceptions for hosted cache mode: TCP port 80 and TCP port 443.

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To enable hosted cache mode on a hosted cache server

    1. On the BranchCache hosted cache server that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

    2. Run the following command: netsh branchcache set service mode=HOSTEDSERVER.

    Note

    If the hosted cache server and client computers are not joined to an Active Directory domain, set client authentication to NONE using the additional clientauthentication parameter in this command: netsh branchcache set service mode=HOSTEDSERVER clientauthentication=NONE
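The hosted cache server netsh procedure, the cache size note, and the Automatic startup recommendation above, combined into one script. This is an added example rather than a procedure from the guide; it assumes an elevated Windows PowerShell prompt on a Windows Server 2008 R2 server where the BranchCache feature is already installed, and the 10% cache size is a placeholder value.

```powershell
# Added example, not from the deployment guide. Enables hosted cache server mode on a
# Windows Server 2008 R2 hosted cache server, sizes the cache as the note above
# describes, and verifies the BranchCache service is running and set to Automatic.
# Assumptions: elevated PowerShell prompt; the BranchCache feature is already installed.
param(
    # Cache size as a percentage of the disk that holds the cache (the guide notes a 5% default).
    [ValidateRange(1, 90)]
    [int]$CachePercent = 10,
    # Use only when the hosted cache server and its clients are not domain-joined.
    [switch]$NoClientAuthentication
)

# Service name of the service whose display name is "BranchCache".
$serviceName = 'PeerDistSvc'

# 1. Hosted cache server mode (the guide's command). netsh also adds the inbound
#    TCP 80 and TCP 443 exceptions the procedure above describes.
$serviceArgs = @('branchcache', 'set', 'service', 'mode=HOSTEDSERVER')
if ($NoClientAuthentication) { $serviceArgs += 'clientauthentication=NONE' }
& netsh.exe @serviceArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh branchcache set service failed (exit code $LASTEXITCODE)" }

# 2. Cache size as a percentage of the disk rather than an exact number of bytes.
& netsh.exe branchcache set cachesize "size=$CachePercent" percent=TRUE | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh branchcache set cachesize failed (exit code $LASTEXITCODE)" }

# 3. The service must be running and, as the guide recommends, start automatically.
$service = Get-Service -Name $serviceName
if ($service.Status -ne 'Running') {
    Start-Service -Name $serviceName
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'").StartMode
if ($startMode -ne 'Auto') {
    Set-Service -Name $serviceName -StartupType Automatic
}

# 4. Report the resulting configuration: service mode plus local cache location and size.
& netsh.exe branchcache show status all
& netsh.exe branchcache show localcache
```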

    Install the certification authority and enroll certificates to hosted cache servers

    When you deploy BranchCache in hosted cache mode, you must enroll server certificates to hosted cache servers.

    You can use the following topics to create a hosted cache servers group in Active Directory Users and Computers, add hosted cache servers to the group, install an enterprise root certification authority using Active Directory Certificate Services (AD CS), and then configure the automatic distribution, or autoenrollment, of server certificates to hosted cache servers.

    See the following topics to perform these actions.

    Create the hosted cache servers group

    Add hosted cache servers to the group

    Install the certification authority (CA)

    Configure the Web Server certificate template

    Configure server certificate autoenrollment

    Refresh Group Policy

    Notes

    When you deploy a public key infrastructure (PKI), you should also configure certificate revocation and publish a certificate revocation list (CRL).

    If your BranchCache deployment includes only one or two hosted cache servers and you prefer not to use autoenrollment, you can use the Certificates Microsoft Management Console (MMC) snap-in to manually enroll server certificates to hosted cache servers. For more information, see Additional Resources.

    Create the hosted cache servers group

    You can use this procedure to create a new Hosted Cache Servers group in the Active Directory Users and Computers Microsoft Management Console (MMC).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To add a Hosted Cache Servers group

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.


    2. In the details pane, right-click the folder in which you want to add a new group.

    Where?

    Active Directory Users and Computers/domain node/folder

    3. Point to New, and then click Group.

    4. In New Object - Group, in Group name, type the name of the new group. For example, type Hosted Cache Servers. By default, the name you type is also entered as the pre-Windows 2000 name of the new group.

    5. In Group scope, select one of the following options:

    Domain local

    Global

    Universal

    6. In Group type, select one of the following options:

    Security

    Distribution

    7. Click OK.

    Add hosted cache servers to the group

    You can use this procedure to assign group membership to BranchCache hosted cache servers using the Active Directory Users and Computers Microsoft Management Console (MMC).

    Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

    To add hosted cache servers to the Hosted Cache Servers group

    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

    2. In the details pane, double-click the folder that contains the Hosted Cache Servers group to which you want to add a member.

    Where?

    Active Directory Users and Computers/domain node/folder that contains the group

    3. In the details pane, right-click the group to which you want to add a member, and then click Properties. The group Properties dialog box opens. Click the Members tab.


    4. On the Members tab, click Add.

    5. In Enter the object names to select, type the name of the hosted cache server that you want to add, and then click OK.

    6. To assign group membership to other hosted cache servers, repeat steps 4 and 5 of this procedure.
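The two Active Directory Users and Computers procedures above (create the group, then add each hosted cache server) performed with the ActiveDirectory PowerShell module instead. This is an added example, not part of the guide; it assumes a Windows Server 2008 R2 domain member with the RSAT-AD-PowerShell feature installed, a Domain Admins logon, and that the group name, server names and OU path are your own values.

```powershell
# Added example, not from the deployment guide. Creates the Hosted Cache Servers security
# group and adds hosted cache server computer accounts to it, equivalent to the two
# Active Directory Users and Computers procedures above.
# Assumptions: Windows Server 2008 R2 domain member with RSAT-AD-PowerShell installed,
# run as a Domain Admin; group name, server names and OU path are your own values.
param(
    [string]$GroupName = 'Hosted Cache Servers',
    # Computer names of the hosted cache servers, one per branch office.
    [Parameter(Mandatory = $true)]
    [string[]]$HostedCacheServers,
    # Container that will hold the group; defaults to the domain's Users container.
    [string]$GroupPath
)
Import-Module ActiveDirectory

if (-not $GroupPath) {
    $GroupPath = "CN=Users,$((Get-ADDomain).DistinguishedName)"
}

# Steps 4 to 7 of the group procedure: a global security group. A security group is
# required because the group is later granted Enroll/Autoenroll on the certificate
# template, and only security-enabled groups can appear in that permission list.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
                         -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -PassThru
}

# Steps 4 to 6 of the membership procedure: add each server's computer account.
foreach ($server in $HostedCacheServers) {
    $computer = Get-ADComputer -Filter "Name -eq '$server'"
    if (-not $computer) {
        Write-Warning "Computer account '$server' was not found in the domain; skipping."
        continue
    }
    Add-ADGroupMember -Identity $group -Members $computer
}

# Report the final membership so it can be checked against the list of branch offices.
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```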

    Install the certification authority (CA)

    You can use this procedure to install Active Directory Certificate Services (AD CS) so that you can enroll a server certificate to hosted cache servers.

    Important

    To perform this procedure, the computer on which you are installing AD CS must be joined to a domain where Active Directory Domain Services (AD DS) is installed.

    Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

    To install Active Directory Certificate Services

    1. Log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.

    2. Click Start, click Administrative Tools, and then click Server Manager. The Server Manager console opens. In Roles Summary, click Add roles.

    3. The Add Roles Wizard opens. Click Next.

    4. On the Select Server Roles page, in Roles, select Active Directory Certificate Services, and then click Next twice.

    5. On the Select Role Services page, in Role services, verify that Certification Authority is selected, and then click Next.

    6. On the Specify Setup Type page, verify that Enterprise is selected, and then click Next.

    7. On the Specify CA Type page, verify that Root CA is selected, and then click Next.

    8. On the Set Up Private Key page, verify that Create a new private key is selected, and then click Next.

    9. On the Configure Cryptography for CA page, keep the default settings for CSP (RSA#Microsoft Software Key Storage Provider) and hash algorithm (sha1), and determine the best key character length for your deployment. Large key character lengths provide optimal security; however, they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Key character length to 1024. Click Next.

    10. On the Configure CA Name page, keep the suggested common name for the CA or change the name according to your requirements, and then click Next.

    11. On the Set Validity Period page, in Select validity period for the certificate generated for this CA, type the number and select a time value (Years, Months, Weeks, or Days). The default setting of five years is recommended. Click Next.

    12. On the Configure Certificate Database page, in Certificate database location and Certificate database log location, specify the folder location for these items. If you specify locations other than the default locations, ensure that the folders are secured with access control lists (ACLs) that prevent unauthorized users or computers from accessing the CA database and log files.

    13. Click Next, click Install, and then click Close.

    Configure the Web Server certificate template

    You can use this procedure to configure the certificate template that Active Directory Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to hosted cache server computers.

    Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

    To configure the certificate template and autoenrollment

    1. On the computer where AD CS is installed, click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

    3. In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click Certification Authority. Select the CA that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning you to the Add or Remove Snap-ins dialog box.

    4. In Available snap-ins, double-click Certificate Templates, and then click OK.

    5. In the console tree, click the Certificate Templates snap-in. All of the certificate templates are displayed in the details pane.

    6. In the details pane, click the Web Server template.

    7. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the template version that is appropriate for your deployment. For client and server interoperability reasons, it is recommended that you select Windows Server 2003 Enterprise.

    8. Click OK. The Properties dialog box for the certificate template opens.

    9. On the General tab, in Display Name, type a new name for the certificate template or keep the default name, Copy of Web Server.

    10. Click the Subject Name tab. Ensure that Build from this Active Directory information is selected. In Subject name format, select DNS name.

    11. Click the Request Handling tab. For Minimum key size, determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Minimum key size to 1024.

    12. Click the Security tab. In Group or user names, click Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.

    13. In Select Users, Computers, Service Accounts, or Groups, type the name of the group that you created for your hosted cache servers, and then click OK. For example, type Hosted Cache Servers.

    14. In Properties of New Template, in Group or User Names, click the name of the group you just added. For example, if your group is named Hosted Cache Servers, click that group.

    15. In Properties of New Template, in Permissions for Hosted Cache Servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.

    Note: If your group name is not Hosted Cache Servers, this section of the dialog box is named Permissions for Group Name, where Group Name is the name of the hosted cache servers group that you created.

    16. In the left pane of the Microsoft Management Console (MMC), double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.

    17. Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Web Server, and then click OK.


    Configure server certificate autoenrollment

    Before you perform this procedure, you must configure a server certificate template by

    Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

    To configure server certificate autoenrollment

    1. On the computer where Active Directory Domain Services is installed, click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

    3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.

    4. In Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.

    5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.

    6. Click Finish, and then click OK.

    7. Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, and then Public Key Policies.

    8. Click Public Key Policies. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:

    a. In Configuration Model, select Enabled.

    b. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

    c. Select the Update certificates that use certificate templates check box.

    9. Click OK.

    Refresh Group Policy

    You can use this procedure to manually refresh Group Policy on the local computer. When Group Policy is refreshed, if certificate autoenrollment is configured and functioning correctly, the local computer is autoenrolled a certificate by the certification authority (CA).

    Note

    Group Policy is automatically refreshed when you restart the domain member computer, or when a user logs on to a domain member computer. In addition, Group Policy is periodically refreshed. By default, this periodic refresh is performed every 90 minutes with a randomized offset of up to 30 minutes.

    Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

    1. Click Start, click Run, type cmd, and then press ENTER. The Command Prompt window opens.

    2. Type gpupdate, and then press ENTER.
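The Group Policy refresh above, followed by a check that autoenrollment actually delivered a server certificate to the hosted cache server; it also reads the certificate's SHA-1 thumbprint, which the next topic describes obtaining. This is an added example, not one of the guide's procedures; it assumes an elevated Windows PowerShell prompt on a domain-joined hosted cache server whose template uses the DNS name subject format configured above, and the 60-second polling window is a chosen value.

```powershell
# Added example, not from the deployment guide. Refreshes computer Group Policy on a
# hosted cache server, triggers certificate autoenrollment, and confirms that a server
# certificate for this host was enrolled, printing its SHA-1 thumbprint.
# Assumptions: elevated PowerShell prompt on the hosted cache server; the template above
# was configured with Subject name format "DNS name", so the subject is CN=<server FQDN>.
param(
    # Expected certificate subject; defaults to this computer's fully qualified name.
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# 1. Refresh computer Group Policy (the guide's gpupdate step), then pulse autoenrollment
#    so it runs now instead of waiting for the next scheduled autoenrollment cycle.
& gpupdate.exe /target:computer | Out-Null
& certutil.exe -pulse | Out-Null

function Get-ServerAuthCertificate {
    # Returns the newest valid certificate in the computer's Personal store that has a
    # private key, the Server Authentication EKU, and the expected subject.
    param([string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -eq "CN=$Fqdn" -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    } | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

# 2. Autoenrollment completes asynchronously; poll for up to a minute before giving up.
$certificate = $null
for ($attempt = 0; $attempt -lt 12 -and -not $certificate; $attempt++) {
    Start-Sleep -Seconds 5
    $certificate = Get-ServerAuthCertificate -Fqdn $ServerFqdn
}
if (-not $certificate) {
    throw "No server authentication certificate for CN=$ServerFqdn was enrolled; check autoenrollment and the CA."
}

# 3. Thumbprint is the SHA-1 hash of the certificate as upper-case hex without spaces.
"Subject:    $($certificate.Subject)"
"Issuer:     $($certificate.Issuer)"
"Expires:    $($certificate.NotAfter)"
"Thumbprint: $($certificate.Thumbprint)"
```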

    Obtain the SHA-1 hash of the hosted cache server certificate

    You can use this procedure to obtain the SHA-1 hash, also called the thumbprint, of the server certificate of a hosted cache server so that you can link the certificate to BranchCache. This procedure must be performed on a hosted cache server to which a server certificate has already been enrolled.

    Membership in Domain Admins, or equivalent is the minimu