###BeginCaseStudy###
Topic 7, Contoso, Ltd Case D
Overview
Contoso, Ltd., is a manufacturing company that makes several different components that are used in
automobile production. Contoso has a main office in Detroit, a distribution center in Chicago, and
branch offices in Dallas, Atlanta, and San Diego.
The contoso.com forest and domain functional level are Windows Server 2008 R2. All servers run
Windows Server 2012 R2, and all client workstations run Windows 7 or Windows 8. Contoso uses
System Center 2012 Operations Manager and Audit Collection Services (ACS) to monitor the
environment. There is no certification authority (CA) in the environment.
Current Environment
The contoso.com domain contains the servers as shown in the following table:

Contoso sales staff travel within the United States and connect to a VPN by using mobile devices to
access the corporate network. Sales users authenticate to the VPN by using their Active Directory
usernames and passwords. The VPN solution also supports certification-based authentication.
Contoso uses an inventory system that requires manually counting products and entering that count
into a database. Contoso purchases new inventory software that supports wireless handheld scanners
and several wireless handheld scanners. The wireless handheld scanners run a third party operating
system that supports the Network Device Enrollment Service (NDES).
Business Requirements
Security
The wireless handheld scanners must use certification-based authentication to access the wireless
network.
Sales users who use mobile devices must use certification-based authentication to access the VPN.
When sales users leave the company, Contoso administrators must be able to disable their VPN access
by revoking their certificates.
Monitoring
All servers must be monitored by using System Center 2012 Operating Manager. In addition to
monitoring the Windows operating system, you must collect security logs from the CA servers by using
ACS, and monitor the services that run on the CA and Certificate Revocation List (CRL) servers, such as
certification authority and web services.
Technical Requirements
CA Hierarchy
Contoso requires a two-tier CA hierarchy. The CA hierarchy must include a stand-alone offline root and
two Active Directory-integrated issuing CAs: one for issuing certificates to domain-joined devices, and
one for issuing certificates to non-domain-joined devices by using the NDES. CRLs must be published to
two web servers: one in Detroit and one in Chicago.
Contoso has servers that run Windows Server 2012 R2 to use for the CA hierarchy. The servers are
described in the following table:

The IT security department must have the necessary permissions to manage the CA and CRL servers. A
domain group named Corp-IT Security must be used for this purpose. The IT security department users
are not domain admins.
Fault Tolerance
The servers that host the CRL must be part of a Windows Network Load Balancing (NLB) cluster. The CRL
must be available to users in all locations by using the hostname crl.contoso.com, even if one of the
underlying web servers is offline.

###EndCaseStudy###

Your network contains an Active Directory domain named contoso.com.
Your company has an enterprise root certification authority (CA) named CA1.
You plan to deploy Active Directory Federation Services (AD FS) to a server named Server1.
The company purchases a Microsoft Office 365 subscription.
You plan to register the company’s SMTP domain for Office 365 and to configure single sign-on for all
users.
You need to identify which certificate is required for the planned deployment.
Which certificate should you identify?

A.
a server authentication certificate that is issued by a trusted third-party root CA and that contains the
subject name serverl.contoso.com

B.
a self-signed server authentication certificate for server1.contoso.com

C.
a server authentication certificate that is issued by a trusted third-party root CA and that contains the
subject name Server1

D.
a server authentication certificate that is issued by CA1 and that contains the subject name Server1

Explanation:
Prepare Your Server and Install ADFS
You can install ADFS on a domain controller or another server. You’ll first need to configure a few
prerequisites. The following steps assume you’re installing to Windows Server 2008 R2.
Using Server Manager, install the IIS role and the Microsoft .NET Framework. Then purchase and install a
server-authentication certificate from a public certificate authority. Make sure you match the certificate’s
subject name with the Fully Qualified Domain Name of the server. Launch IIS Manager and import that
certificate to the default Web site. Geek of All Trades: Office 365 SSO: A Simplified Installation Guide
https://technet.microsoft.com/en-us/magazine/jj631606.aspx