Which server should you identify?

Your network contains an Active Directory domain named contoso.com. The domain contains four
servers. The servers are configured as shown in the following table.

You plan to deploy an enterprise certification authority (CA) on a server named Servers. Server5 will
be used to issue certificates to domain-joined computers and workgroup computers.
You need to identify which server you must use as the certificate revocation list (CRL) distribution
point for Server5.
Which server should you identify?

A.
Server1

B.
Server3

C.
Server4

D.
Server2

Explanation:
CDP (and AD CS) always uses a Web Server
NB: this CDP must be accessible from outside the AD, but here we don’t have to wonder about that
as there’s only one web server.
http://technet.microsoft.com/fr-fr/library/cc782183%28v=ws.10%29.aspx
Selecting a CRL Distribution Point
Because CRLs are valid only for a limited time, PKI clients need to retrieve a new CRL periodically.
Windows

Server 2003 PKI Applications look in the CRL distribution point extension for a URL that points to a
network location from which the CRL object can be retrieved. Because CRLs for enterprise CAs are
stored in Active Directory, they can be accessed by means of LDAP. In comparison, because CRLs for
stand-alone CAs are stored in a directory on the server, they can be accessed by means of HTTP, FTP,
and so on as long as the CA is online. Therefore, you should set the CRL distribution point after the
CA has been installed.
The system account writes the CRL to its distribution point, whether the CRL is published manually or
is published according to an established schedule. Therefore you must ensure that the system
accounts for CAs have permission to write to the CRL distribution point. Because the CRL path is also
included in every certificate, you must define the CRL location and its access path before deploying
certificates. If an Application performs revocation checking and a valid CRL is not available on the
local computer, it rejects the certificate.
You can modify the CRL distribution point by using the Certification Authority MMC snap-in. In this
way, you can change the location where the CRL is published to meet the needs of users in your
organization. You must move the CRL distribution point from the CA configuration folder to a Web
server to change the location of the CRL, and you must move each new CRL to the new distribution
point, or else the chain will break when the previous CRL expires.
Note
On root CAs, you must also modify the CRL distribution point in the CAPolicy.inf file so that the root
CA certificate references the correct CDP and AIA paths, if specified. If you are using certificates on
the Internet, you must have at least one HTTPs-accessible location for all certificates that are not
limited to internal use.
http://technet.microsoft.com/en-us/library/cc771079.aspx
Configuring Certificate Revocation
It is not always possible to contact a CA or other trusted server for information about the validity of
a certificate. To effectively support certificate status checking, a client must be able to access
revocation data to determine whether the certificate is valid or has been revoked. To support a
variety of scenarios, Active Directory Certificate Services (AD CS) supports industry-standard
methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and
delta CRLs, which can be made available to clients from a variety of locations, including Active
Directory Domain Services (AD DS), Web servers, and network file shares.