PrepAway - Latest Free Exam Questions & Answers

Which server should you identify?

Your network contains an Active Directory domain named contoso.com. The domain contains four
servers. The servers are configured as shown in the following table.

You plan to deploy an enterprise certification authority (CA) on a server named Servers. Server5 will be
used to issue certificates to domain-joined computers and workgroup computers.You need to identify which server you must use as the certificate revocation list (CRL) distribution point
for Server5.
Which server should you identify?

PrepAway - Latest Free Exam Questions & Answers

A.
Server1

B.
Server3

C.
Server4

D.
Server2

Explanation:
CDP (and AD CS) always uses a Web Server
NB: this CDP must be accessible from outside the AD, but here we don’t have to wonder about that as
there’s only one web server.
http://technet.microsoft.com/fr-fr/library/cc782183%28v=ws.10%29.aspx
Selecting a CRL Distribution Point
Because CRLs are valid only for a limited time, PKI clients need to retrieve a new CRL periodically.
Windows
Server 2003 PKI Applications look in the CRL distribution point extension for a URL that points to a
network location from which the CRL object can be retrieved. Because CRLs for enterprise CAs are
stored in Active Directory, they can be accessed by means of LDAP. In comparison, because CRLs for
stand-alone CAs are stored in a directory on the server, they can be accessed by means of HTTP, FTP,
and so on as long as the CA is online. Therefore, you should set the CRL distribution point after the CA
has been installed.
The system account writes the CRL to its distribution point, whether the CRL is published manually or is
published according to an established schedule. Therefore you must ensure that the system accounts for
CAs have permission to write to the CRL distribution point. Because the CRL path is also included in
every certificate, you must define the CRL location and its access path before deploying certificates. If an
Application performs revocation checking and a valid CRL is not available on the local computer, it
rejects the certificate.
You can modify the CRL distribution point by using the Certification Authority MMC snap-in. In this way,
you can change the location where the CRL is published to meet the needs of users in your organization.
You must move the CRL distribution point from the CA configuration folder to a Web server to change
the location of the CRL, and you must move each new CRL to the new distribution point, or else the
chain will break when the previous CRL expires.
NoteOn root CAs, you must also modify the CRL distribution point in the CAPolicy.inf file so that the root CA
certificate references the correct CDP and AIA paths, if specified. If you are using certificates on the
Internet, you must have at least one HTTPs-accessible location for all certificates that are not limited to
internal use.
http://technet.microsoft.com/en-us/library/cc771079.aspx
Configuring Certificate Revocation
It is not always possible to contact a CA or other trusted server for information about the validity of a
certificate. To effectively support certificate status checking, a client must be able to access revocation
data to determine whether the certificate is valid or has been revoked. To support a variety of scenarios,
Active Directory Certificate Services (AD CS) supports industry-standard methods of certificate
revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs, which can be
made available to clients from a variety of locations, including Active Directory Domain Services (AD DS),
Web servers, and network file shares.


Leave a Reply