Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA).
All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card.
A user named User1 resigned and started to work for a competing company.
You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not prevent other users from logging on to the domain.
Which tool should you use?
A. Active Directory Users and Computers
B. Server Manager
C. The Certificates snap-in
D. The Certification Authority console
Why D? You can disable the User in Active Directory Users and Computers.
Hmm. “Prevent them from logging in on any computer in the domain” Because there is still at least a 15 minute wait while the Domain controller replicates that the user account is disabled.
I guess you can use the CA to revoke the certificate for that user's smart card, which would prevent them from logging in, as users are “required” to log in with their smart cards.
I think the answer is actually D?
Answer should be “A”
The answer actually is “D”
The question states that the company issues their employees smart cards to access their client computers. In an enterprise that issues smart cards as the clients' only means to access their computers, the best answer would be to disable his certificates in the Certification Authority console.
Remember everyone. Microsoft is a tricky pickle and sometime they like to make questions either stupid or simple stupid. This question will fall under the simple stupid category. I agree with Tyson on this!
How would you disable a certificate issued by a CA in certmgr.msc? The Certificates snap-in only shows certificates in the certificate store of the local computer, not in the ones in the CA database. Looks to me like A is correct.
When you revoke a user certificate, he will be able to log in until his cert serial number is listed in the CRL, and CRL generation will take time. Here it is asking for immediately, so the AD console is the correct answer: A.
This is why, in the CA console, you revoke their certificate then publish the CRL out immediately all in one move.
But if you revoke the certificate, all users who have it will be affected!
CRL and delta CRL could be checked by the client even every 30 minutes. It requires client reconfiguration. Still, it is more than the 15 minute period handled by DCs. In large environments it depends on inter-site connections, but here there is only 1 DC.
I have a premium file of 412 (10/1/15)
here the answer is *D. The Certification Authority console*
in another almost identical Q, D is NOT (The Certification Authority console), but
*A. Active Directory Users and Computers*
can you send me the perm file please I have my exam on Thursday and no money to purchase it..please please
please give me you mail and i will send it to you
Hi Mohamed
Please send premium file, my exam at 20 april to [email protected]
can you also mail me the premium copy. I have my exam on Friday (30 DEC)
Hello can i have the premium file from you
thanks
Please can u send me premium file to my id : [email protected]
Thanks
Certificate Revocation:
Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.
http://technet.microsoft.com/en-us/library/cc778151(v=ws.10).aspx
By default, CAs publish CRLs weekly. You can change this setting through the Revoked Certificates Properties dialog box.
http://msdn.microsoft.com/en-us/library/bb727098.aspx#EDAA
Each CA is configured with a CRL publication setting. This setting defines when a CA will automatically publish an updated CRL known as the CRL publish period. When a CA is first installed, the publish period is set to one week, but can be manually configured.
A CRL is valid for a period that differs from this publish period. The validity period is the period of time that a CRL is considered authoritative for verifying an issued certificate. The validity period is extended to a length of time greater than the publication period to allow for Active Directory replication. By default, the validity period is defined to be 10% greater than the publication period, up to a maximum of 12 hours difference. For example, if your CRL publish period is set to 10 days, and then the validity period is set to 11 days. In addition, the validity period must be at least 1.5 times the skew value. Therefore, if the skew value is defined to be 10 minutes, then the validity period must be a minimum of at least 15 minutes.
You can alter the default settings by modifying the CRLOverlapPeriod and CRLOverlapUnits values located in the registry in the HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ hive. For example, to define the validity period to be extended by two days, you would set CRLOverlapPeriod to a value of “days” and CRLOverlapUnits to a value of “2”.
Note: It is recommended to modify these registry values using Certutil –setreg, rather than directly modifying the registry. The following command(s) are provided as examples:
certutil -setreg ca\CRLOverlapPeriod days
certutil -setreg ca\CRLOverlapUnits 2
Finally, there is a clock skew of an additional 10 minutes added to the validity period on either side of the publish period, so a CRL will be valid 10 minutes before the beginning of its publish period to account for variances in computer clock settings. You can modify this setting by changing the value of ClockSkewMinutes in the same registry location.
http://technet.microsoft.com/en-us/library/cc700843.aspx#XSLTsection126121120120
You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.
It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.
http://technet.microsoft.com/en-us/library/cc782162(v=ws.10).aspx
CryptoAPI uses the following two caches for CRLs and OCSP responses:
• A disk cache, which maintains copies of all CRLs and OCSP responses retrieved during the revocation checking process on the local file system. All items in the disk cache are maintained until their validity period expires.
• A memory cache, which contains revocation information used by a specific process. The memory cache is maintained within the memory used by the calling process. When the process terminates, the memory is released and the memory cache is flushed. If an object exists in the disk cache, the object is read into the memory cache for the calling process.
For Windows XP or Windows Server 2003, it is now supported to delete items from the disk cache. There are different commands available for flushing the cache:
• To delete all cache entries:
certutil -urlcache * delete
For Windows Vista and Windows 2008, it is preferable to invalidate the memory cache instead of deleting the disk cache. You can do so by invalidating the cached CRLs and OCSP responses before the time specified in the object.
To invalidate the cache, you must run the following commands from an Administrative command prompt:
• To immediately invalidate all items from the cache:
certutil -setreg chain\ChainCacheResyncFiletime @now
http://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx
EXAM TIP
If you don’t want to wait for a CRL or delta CRL to be published according to the default
schedule, you can trigger CRL publication. It is important to note that in most cases a
client will check a certificate’s validity only periodically; a client will not check a certificate’s
validity each time the certificate is used. This period is based on the CRL publication
interval.
Exam Ref 70-412: Configuring Advanced Windows Server 2012 R2 Services (J.C. Mackin, Orin Thomas)
CHAPTER 6 Configure access and information protection solutions
Page 323
Enrolling for a smart card certificate:
The recommended method for enrolling users for smart card-based certificates and keys is through the smart card enrollment station that is integrated with Certificate Services in Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition.
When an enterprise certification authority (CA) is installed, the installation includes the Smart Card Enrollment station. This allows an administrator to act on behalf of a user to request and install a Smart Card Logon certificate or Smart Card User certificate on the user’s smart card. Prior to using the Smart Card Enrollment station, the smart card issuer must have obtained a signing certificate based on the Enrollment Agent certificate template. The signing certificate signs the certificate request that is generated on behalf of the smart card recipient.
By default, only domain administrators are granted permission to request a certificate based on the Enrollment Agent template. A user other than a domain administrator can be granted permission to enroll for an Enrollment Agent certificate by means of Active Directory Sites and Services.
http://msdn.microsoft.com/en-us/library/cc775505(v=ws.10).aspx
Checklist: Deploying smart cards for logging on to Windows
http://msdn.microsoft.com/en-us/library/cc739063(v=ws.10).aspx
Smart Cards – Creating a Windows 2008 Certificate Authority & Enrolling Smart Card Users with a 2K8 CA
http://blogs.citrix.com/2011/07/15/smart-cards-creating-a-windows-2008-certificate-authority-enrolling-smart-card-users-with-a-2k8-ca
Events That Trigger Urgent Replication:
Urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site. When you have enabled change notification between sites, these triggering events also replicate immediately between sites.
Immediate replication between Windows 2000–based domain controllers in the same site is prompted by the following:
• Assigning an account lockout, which prohibits a user from logging on after a certain number of failed attempts.
• Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA.
• Change in the relative identifier (known as a “RID”) master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.
http://technet.microsoft.com/en-us/library/cc961787.aspx
According to the above information, the correct answer is either Active Directory Users and Computers or Active Directory Administrative Center.
So it is A. Active Directory Users and Computers
Appreciate the fact you research and share here.. agreed. It is either ADAC or ADUC.
Chamil Dilhan,
You are most welcome.
https://twitter.com/Ebrahim_K_Ali
It’s the same as 74, so the answer is A.
based on the article in technet below, I’d choose A.
http://blogs.technet.com/b/askds/archive/2012/01/23/3476532.aspx
Revocation of a smart card certificate is not intended to be usable as real-time access control — not even with OCSP involved. If you want to prevent the user from logging on with the smart card then the account should be disabled.
I agree with slim3250, this question has been freaking me out for a long time, I do not know why the answer is posted as “Certification Authority”.
Surely, I’ve read all the answers and explanations, as well as consulted the internet for the answer, but could not find it.
Why it’s so difficult, I don’t know, but it surely freaks me out, because a bad answer is all that separates oneself from succeeding in the exam.
The only thing you can do in the CA is revoke the certificate, which will affect ALL users using that certificate, which goes against the requirements of the question.
Every user has only her/his own certificate. There is no certificate for many users; one certificate for one user… One disabled certificate = one disabled user. But it is not the fastest way (immediately).
Has to be either ADUC or ADAC. It’s very unlikely to happen, but if both are options go with ADAC as this is newer than ADUC
It’s A.
Publishing a CRL before the next scheduled publish period
You can also publish a CRL on demand at any time, such as when a valuable certificate becomes compromised. Choosing to publish a CRL outside the established schedule resets the scheduled publication period to begin at that time. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL publish period is restarted.
It is important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.
Based on the second paragraph I think answer cannot be D.
I’ve seen the same question with different choices. Either it gives you ADUC, or it gives you ADAC, OR it gives you both.
Both ADUC and ADAC are correct answers, so considering that ADUC is a choice in this question, go for that.
Tested in Lab. A is correct
1. On DC Created User Account called User1
2. On Work Station logged in as User1 then logged out.
3. On DC disabled User1 Account via ADUC.
4. Immediately attempted to log on to Work Station as User1 and got error message
‘Your Account has been disabled. Please see your system administrator’
This confirms A is correct
The tricky part of this question is the fact that there is just ONE domain controller, so disabling the account has an immediate effect on preventing access from the disabled account. Another story is when you have multiple sites with multiple domains (also, in the case that there is just one site with multiple domains, disabling the account also works, since replication in the same site happens in seconds).
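As an added example (not from the original thread), the following PowerShell script carries out the response the discussion converges on: disable the account first, because that is the control that takes effect at the next logon, and only then revoke the smart card certificates and publish a CRL as follow-on hygiene, which clients will honour only once their cached CRL expires. It assumes the RSAT ActiveDirectory module, CA Officer (revoke) rights on the CA, and a placeholder CA configuration string for DC1 that you must replace with your own.

```powershell
param(
    [string]$User     = 'User1',
    [string]$Domain   = 'contoso',
    # Placeholder: "<CA host>\<CA common name>"; take the real value from "certutil -dump".
    [string]$CAConfig = 'DC1.contoso.com\CONTOSO-DC1-CA'
)

Import-Module ActiveDirectory

# 1. Immediate control: disable the AD account. With a single DC (or one site,
#    where change notification replicates within seconds) the next logon fails.
Disable-ADAccount -Identity $User
$acct = Get-ADUser -Identity $User -Properties Enabled, LastLogonDate
if ($acct.Enabled) { throw "Account $User is still enabled; stop and investigate." }
Write-Host "Disabled $User (last logon: $($acct.LastLogonDate))"

# 2. Follow-on hygiene: find every certificate the CA issued to this requester
#    (Disposition 20 = issued) and revoke it with reason code 1 (Key Compromise).
$rows = & certutil -config $CAConfig -view `
            -restrict "RequesterName=$Domain\$User,Disposition=20" `
            -out "SerialNumber"
$serials = $rows | Select-String -Pattern 'Serial Number:\s*"?([0-9a-fA-F]+)"?' |
           ForEach-Object { $_.Matches[0].Groups[1].Value }
foreach ($s in $serials) {
    & certutil -config $CAConfig -revoke $s 1 | Out-Null
    Write-Host "Revoked serial $s"
}

# 3. Publish base and delta CRLs now instead of waiting for the schedule.
& certutil -config $CAConfig -crl | Out-Null

# 4. Why step 1 had to come first: the CRL period on the CA bounds how long a
#    client may keep honouring an already-cached CRL. Show the relevant settings.
foreach ($v in 'CRLPeriod','CRLPeriodUnits','CRLDeltaPeriod','CRLDeltaPeriodUnits',
               'CRLOverlapPeriod','CRLOverlapUnits') {
    & certutil -config $CAConfig -getreg "CA\$v" | Select-String "$v "
}
Write-Host "Clients keep a cached CRL until its Next Update; inspect with: certutil -urlcache crl"
```

Run it from an elevated prompt on a management host; the certificate revocation is recorded in the CA database and the account change is logged by the DC, so both actions are auditable.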