You are the network administrator for the ABC Company.
The ABC Company has all Windows Server 2008 R2 Active Directory domains and uses an Enterprise Root certificate server.
You need to verify that revoked certificate data is highly available.
What should you do?
A. Implement a Group Policy Object (GPO) that has the Certificate Verification Enabled option.
B. Using Network Load Balancing, implement an Online Certificate Status Protocol (OCSP) responder.
C. Implement a Group Policy object (GPO) that enables the Online Certificate Status Protocol (OCSP) responder.
D. Using Network Load Balancing, implement the Certificate Verification Enabled option.
Correct Answer: B
Explanation/Reference:
Basically the same as A/Q8:
Explanation:
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, in public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.
In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
..
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization’s PKI.
..
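The per-certificate behaviour described above, as an added example that is not part of the original page or the TechNet article: it DER-encodes the RFC 6960 request and status record for one certificate and compares their size with the revoked-entry list of a CRL. The issuer bytes, serial numbers and dates are constructed sample values, and signatures and the CRL header are left out.

```python
import hashlib

def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value, short or long form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(n: int) -> bytes:
    """DER INTEGER for a non-negative value (extra byte keeps the sign bit clear)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

# AlgorithmIdentifier for SHA-1: OID 1.3.14.3.2.26 with NULL parameters
SHA1_ALG = bytes.fromhex("300906052b0e03021a0500")

def cert_id(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """CertID: names exactly one certificate by issuer hashes and serial number."""
    return tlv(0x30, SHA1_ALG
               + tlv(0x04, hashlib.sha1(issuer_name).digest())
               + tlv(0x04, hashlib.sha1(issuer_key).digest())
               + der_int(serial))

def ocsp_request(cid: bytes) -> bytes:
    """OCSPRequest > TBSRequest > requestList > Request > CertID (default v1 omitted)."""
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cid))))

def single_response(cid: bytes, revoked_at: str, this_update: str) -> bytes:
    """SingleResponse: CertID, certStatus revoked [1], thisUpdate (unsigned body)."""
    revoked = tlv(0xA1, tlv(0x18, revoked_at.encode()))
    return tlv(0x30, cid + revoked + tlv(0x18, this_update.encode()))

def crl_revoked_list(serials, revoked_at: str) -> bytes:
    """revokedCertificates field of a CRL: one entry per revoked certificate."""
    entries = b"".join(tlv(0x30, der_int(s) + tlv(0x17, revoked_at.encode()))
                       for s in serials)
    return tlv(0x30, entries)

def sizes(revoked_count: int) -> tuple:
    """Byte counts (OCSP request, OCSP status record, CRL list) for a revoked count."""
    # Constructed stand-ins for the issuer's DER-encoded name and public key.
    cid = cert_id(b"CN=Example Root CA", b"example-public-key", serial=5)
    req = ocsp_request(cid)
    resp = single_response(cid, "20240101000000Z", "20240102000000Z")
    crl = crl_revoked_list(range(1, revoked_count + 1), "240101000000Z")
    return len(req), len(resp), len(crl)
```

Calling `sizes(10)` and `sizes(10000)` gives the same first two values, while the third grows by roughly 20 bytes per revoked certificate.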
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array.
The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.