###BeginCaseStudy###
Case Study: 4
A Datum Corporation
Overview
A Datum Corporation is an accounting company.
The company has a main office and two branch offices. The main office is located in Miami.
The branch offices are located in New York and Seattle.
Existing Environment
Network Infrastructure
The network contains an Active Directory domain named adatum.com. All servers run
Windows Server 2008 R2. The main office has the following servers and client computers:
• Two domain controllers configured as DNS servers and DHCP servers
• One file server that has multiple shares
• One thousand client computers that run Windows 7
Each branch office has the following servers and client computers:
• One domain controller configured as a DNS server and a DHCP server
• 500 to 800 client computers that run Windows XP
Each office has multiple subnets. The network speed of the local area network (LAN) is 1
gigabit per second. The offices connect to each other by using a WAN link. The main office
is connected to the Internet.
Current Issues
The WAN link between the Miami office and the Seattle office is a low bandwidth link with
high latency. The link will not be replaced for another year.
Requirements
Application Requirements
The company is developing an application named App1. App1 is a multi-tier application that
will be sold as a service to customers.
Each instance of App1 is comprised of the following three tiers:
• A web front end
• A middle tier that uses Windows Communication Foundation (WCF)
• A Microsoft SQL Server 2008 R2 database on the back end
Each tier will be hosted on one or more virtual machines. Multiple tiers cannot coexist on the
same virtual machine.
When customers purchase App1, they can select from one of the following service levels:
• Standard: Uses a single instance of each virtual machine required by App1. If a virtual
machine becomes unresponsive, the virtual machine must be restarted.
• Enterprise: Uses multiple instances of each virtual machine required by App1 to
provide high-availability and fault tolerance.
All virtual hard disk (VHD) files for App1 will be stored in a file share. The VHDs must be
available if a server fails.
You plan to deploy an application named App2. App2 is comprised of the following two
tiers:
• A web front end
• A dedicated SQL Server 2008 R2 database on the back end
App2 will be hosted on a set of virtual machines in a Hyper-V cluster in the Miami office.
The virtual machines will use dynamic IP addresses. A copy of the App2 virtual machines
will be maintained in the Seattle office.
App2 will be used by users from a partner company named Trey Research. Trey Research has
a single Active Directory domain named treyresearch.com. Treyresearch.com contains a
server that has the Active Directory Federation Services server role and all of the Active
Directory Federation Services (AD FS) role services installed.
Planned Changes
A Datum plans to implement the following changes:
• Replace all of the servers with new servers that run Windows Server 2012.
• Implement a private cloud by using Microsoft System Center 2012 to host instances
of App1.
• In the Miami office, deploy four new Hyper-V hosts to the perimeter network.
• In the Miami office, deploy two new Hyper-V hosts to the local network.
• In the Seattle office, deploy two new Hyper-V hosts.
• In the Miami office, implement a System Center 2012 Configuration Manager
primary site that has all of the system roles installed.
• Implement a public key infrastructure (PKI).
Notification Requirements
A Datum identifies the following notification requirements:
• Help desk tickets must be created and assigned automatically when an instance of
App1 becomes unresponsive.
• Customers who select the Enterprise service level must receive an email notification
each time a help desk ticket for their instance of App1 is opened or closed.
Technical Requirements
A Datum identifies the following technical requirements:
• Minimize costs whenever possible.
• Minimize the amount of WAN traffic.
• Minimize the amount of administrative effort whenever possible.
• Provide the fastest possible failover for the virtual machines hosting App2.
• Ensure that administrators can view a consolidated report about the software updates
in all of the offices.
• Ensure that administrators in the Miami office can approve updates for the client
computers in all of the offices.
Security Requirements
A Datum identifies the following security requirements:
• An offline root certification authority (CA) must be configured.
• Client computers must be issued certificates by a server in their local office.
• Changes to the CA configuration settings and the CA security settings must be
logged.
• Client computers must be able to renew certificates automatically over the Internet.
• The number of permissions and privileges assigned to users must be minimized
whenever possible.
• Users from a group named Group1 must be able to create new instances of App1 in
the private cloud.
• Client computers must be issued new certificates when the computers are connected
to the local network only.
• The virtual machines used to host App2 must use BitLocker Drive Encryption
(BitLocker).
• Users from Trey Research must be able to access App2 by using their credentials
from treyresearch.com.
###EndCaseStudy###
You need to recommend which Certificate Services role service must be deployed to the
perimeter network. The solution must meet the security requirements.
Which Certificate Services role services should you recommend?
A. Online Responder and Network Device Enrollment Service
B. Online Responder and Certificate Enrollment Web Service
C. Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service
D. Certificate Enrollment Policy Web Service and Certification Authority Web Enrollment
IS THIS CORRECT????
I’m thinking C.
Yep, it’s C.
https://technet.microsoft.com/en-us/library/dd759230.aspx
I vote C
The answer is CES and CEP. The key requirements listed are:
1. “Client computers must be able to renew certificates automatically OVER THE INTERNET.”
2. “Changes to the CA configuration settings and the CA security settings must be logged.”
- Certificate Enrollment Web Service allows clients to connect over HTTPS (from anywhere on the Internet).
- Certificate Enrollment Policy Web Service is what queries AD/LDAP to retrieve CA and certificate related info and relay it to clients.
“Key-based renewal mode is a feature introduced in Windows Server 2012 that allows an existing valid certificate to be used to authenticate its own renewal request. This enables computers that are not connected directly to the internal network the ability to automatically renew an existing certificate.”
https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Key-based_renewal
“Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.”
https://technet.microsoft.com/en-us/library/dd759230(v=ws.11).aspx
“Changes to the CA configuration settings and the CA security settings must be logged.”
https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Configuring_Advanced_Server_Diagnostics
https://blogs.technet.microsoft.com/askds/2010/02/01/certificate-enrollment-web-services/
This explains it more succinctly: https://blogs.technet.microsoft.com/askds/2010/02/01/certificate-enrollment-web-services/
“CEP is a web service that enables users and computers to obtain certificate enrollment policy information. This information includes what types of certificates can be requested and which CAs can issue them. CES is another web service that allows users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the CEP web service, CES enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. CEP/CES also enables cross-forest policy-based certificate enrollment for Windows 7 or Windows Server 2008 R2 clients.”
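As an added example (not code from the original thread or from Microsoft's documentation), the following PowerShell script shows what answer C looks like when actually deployed: the CEP and CES role services on a perimeter-network host configured for key-based renewal over HTTPS, plus the CA-side audit settings that satisfy the "changes to the CA configuration and security settings must be logged" requirement. The CA name, host name and certificate thumbprint are placeholders and not values from the case study; the cmdlets, feature names, AuditFilter bits and event IDs are the standard AD CS ones.

```powershell
# Added example, not from the original post. Assumed/placeholder values:
# $CaConfig (internal issuing CA) and $SslThumbprint (HTTPS cert on the CEP/CES host).

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# --- Placeholders (assumptions, not values from the case study) ---
$CaConfig      = 'ca01.adatum.com\Adatum Issuing CA'   # "<CAHost>\<CACommonName>" of the internal issuing CA
$SslThumbprint = '<thumbprint of the HTTPS server certificate on the CEP/CES host>'

# ---------- Part 1: run on the perimeter-network host (CEP + CES only) ----------
function Install-PerimeterEnrollmentServices {
    param(
        [Parameter(Mandatory)] [string] $CaConfig,
        [Parameter(Mandatory)] [string] $SslThumbprint
    )

    # Install the two web role services only; the CA itself stays on the internal network.
    Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc -IncludeManagementTools

    # CEP: certificate authentication is required for key-based renewal, so a client
    # that is off the corporate network (no Kerberos) can still fetch enrollment policy.
    Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate `
        -SSLCertThumbprint $SslThumbprint -KeyBasedRenewal -Force

    # CES: renewal-only instance that accepts the client's existing valid certificate
    # as proof of identity. New certificates are still issued only on the local LAN,
    # which matches the "new certificates on the local network only" requirement.
    Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Certificate `
        -SSLCertThumbprint $SslThumbprint -RenewalOnly -AllowKeyBasedRenewal -Force
}

# ---------- Part 2: run on the internal issuing CA (logging requirement) ----------
function Enable-CaChangeAuditing {
    # AuditFilter is a bitmask. 0x10 = change CA security settings, 0x40 = change CA
    # configuration; together (0x50 = 80) they cover exactly the stated requirement.
    # 127 turns on every category (start/stop, backup/restore, requests, CRLs, key archival too).
    certutil -setreg CA\AuditFilter 127

    # The CA only emits these events when the OS audit subcategory is enabled.
    auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

    # AuditFilter is read at service start.
    Restart-Service certsvc
}

# ---------- Verification: which CA change events have been logged so far ----------
function Get-CaChangeEvents {
    param([int] $MaxEvents = 50)
    # 4882 = CA security permissions changed, 4890 = certificate manager settings changed,
    # 4891 = CA configuration entry changed,  4892 = CA property changed
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4890, 4891, 4892 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (each part on its own host):
# Install-PerimeterEnrollmentServices -CaConfig $CaConfig -SslThumbprint $SslThumbprint
# Enable-CaChangeAuditing
# Get-CaChangeEvents
```

Two points worth keeping in mind when reading the script: the CEP and CES instances must use the same authentication type, and Certificate is the only one that supports key-based renewal, which is why neither uses Kerberos here. The audit settings belong on the CA itself, not on the perimeter host: CES only relays enrollment requests to the CA and does not itself record changes to the CA's configuration or security settings.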