You need to verify that revoked certificate data is highly available

You are the network administrator for the ABC Company.
The ABC Company has all Windows Server 2008 R2 Active Directory domains and uses an
Enterprise Root certificate server.
You need to verify that revoked certificate data is highly available.
What should you do?

A. Implement a Group Policy Object (GPO) that has the Certificate Verification Enabled option.

B. Using Network Load Balancing, implement an Online Certificate Status Protocol (OCSP) responder.

C. Implement a Group Policy Object (GPO) that enables the Online Certificate Status Protocol (OCSP) responder.

D. Using Network Load Balancing, implement the Certificate Verification Enabled option.

Explanation:
Network Load Balancing.

http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by
certification authorities (CAs). The most common means of communicating certificate status
is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating
system, public key infrastructures (PKIs) for which conventional CRLs are not an optimal
solution can use an Online Responder based on the Online Certificate Status Protocol
(OCSP) to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs,
is one of two common methods for conveying information about the validity of certificates.
Unlike CRLs, which are distributed periodically and contain information about all certificates
that have been revoked or suspended, an Online Responder receives and responds only to
requests from clients for information about the status of a single certificate. The amount of
data retrieved per request remains constant no matter how many revoked certificates there
might be.
In many circumstances, Online Responders can process certificate status requests more
efficiently than by using CRLs.
..
Adding one or more Online Responders can significantly enhance the flexibility and
scalability of an organization’s PKI.
..
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-partv-highavailability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step
is to add the OCSP Responders to what is called an Array. When OCSP Responders are
configured in an Array, the configuration of the OCSP responders can be easily maintained,
so that all Responders in the Array have the same configuration. The configuration of the
Array Controller is used as the baseline configuration that is then applied to other members
of the Array.
The second piece is to load balance the OCSP Responders. Load balancing of the OCSP
responders is what actually provides fault tolerance.
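The two points above (a CRL grows with the number of revocations while an OCSP answer covers one certificate, and an Array of Responders behind a load balancer keeps answering when a node fails) can be shown in a small model. This is an added example, not code from the question bank, TechNet, or the AskDS blog: the CRL and OCSP messages are JSON stand-ins for the real ASN.1 encodings, the serial numbers and the `crl_refresh_minutes` array setting are constructed, and the `LoadBalancer` class is a toy round-robin that stands in for Network Load Balancing.

```python
import json
from dataclasses import dataclass, field


def make_revoked(count):
    """Constructed sample data: {serial: reason} for `count` revoked certificates."""
    return {f"{n:08x}": "keyCompromise" for n in range(1, count + 1)}


def build_crl(issuer, revoked):
    """A CRL lists every revoked serial, so its size grows with the revocation count."""
    return json.dumps({"issuer": issuer, "revoked": sorted(revoked)}).encode()


def crl_status(crl_bytes, serial):
    """Client side of CRL checking: download the whole list, then search it locally."""
    return "revoked" if serial in set(json.loads(crl_bytes)["revoked"]) else "good"


@dataclass
class OcspResponder:
    """One Online Responder; `config` is the baseline pushed from the Array Controller."""
    name: str
    revoked: dict
    config: dict = field(default_factory=dict)
    online: bool = True
    served: int = 0

    def respond(self, serial):
        """Answer for a single certificate; reply size does not depend on len(revoked)."""
        if not self.online:
            raise ConnectionError(f"{self.name} is down")
        self.served += 1
        status = "revoked" if serial in self.revoked else "good"
        return json.dumps({"responder": self.name, "serial": serial, "status": status}).encode()


class OcspArray:
    """Array Controller plus members; the controller's configuration is the baseline."""

    def __init__(self, controller, members):
        self.controller = controller
        self.members = [controller, *members]
        self.push_config()

    def push_config(self):
        # Every member receives a copy of the controller's configuration.
        for member in self.members:
            member.config = dict(self.controller.config)


class LoadBalancer:
    """Toy round-robin in front of the array; skips nodes that fail (fault tolerance)."""

    def __init__(self, array):
        self.array = array
        self._next = 0

    def query(self, serial):
        members = self.array.members
        for _ in range(len(members)):
            node = members[self._next % len(members)]
            self._next += 1
            try:
                return json.loads(node.respond(serial))
            except ConnectionError:
                continue  # try the next node in the array
        raise RuntimeError("no OCSP responder reachable")


def compare_sizes(small=5, large=5000, serial="00000001"):
    """Bytes a client downloads for one status check, CRL vs OCSP, at two CA sizes."""
    out = {}
    for n in (small, large):
        revoked = make_revoked(n)
        crl = build_crl("CN=ABC Enterprise Root CA", revoked)
        ocsp = OcspResponder("ocsp1", revoked).respond(serial)
        out[n] = {"crl_bytes": len(crl), "ocsp_bytes": len(ocsp),
                  "status": crl_status(crl, serial)}
    return out


def failover_demo(serial="00000003"):
    """Drive the array through a node failure and report which nodes answered."""
    revoked = make_revoked(10)
    controller = OcspResponder("ocsp-a", revoked, config={"crl_refresh_minutes": 5})
    array = OcspArray(controller, [OcspResponder("ocsp-b", revoked),
                                   OcspResponder("ocsp-c", revoked)])
    lb = LoadBalancer(array)
    result = {"config_replicated": all(m.config == controller.config for m in array.members)}
    result["healthy"] = [lb.query(serial)["responder"] for _ in range(3)]
    array.members[1].online = False  # ocsp-b fails; clients should not notice
    result["one_down"] = [lb.query(serial)["responder"] for _ in range(3)]
    result["status"] = lb.query(serial)["status"]
    for member in array.members:
        member.online = False
    try:
        lb.query(serial)
        result["all_down_raises"] = False
    except RuntimeError:
        result["all_down_raises"] = True
    return result


if __name__ == "__main__":
    print(compare_sizes())
    print(failover_demo())
```

The size comparison shows why the TechNet text says the data retrieved per OCSP request "remains constant": the CRL for 5000 revocations is far larger than the one for 5, while the OCSP reply is the same length in both cases. The failover run shows why the blog says load balancing, not the Array alone, provides fault tolerance: the Array keeps the configuration identical, but only the balancer's retry on a failed node keeps status answers flowing, and once every member is down no answer is possible at all.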

Danish Kazi

The answer is B: Using Network Load Balancing, implement an Online Certificate Status Protocol (OCSP) responder.

TheRascal

Hi, I prefer…

B. Using Network Load Balancing, implement an Online Certificate Status Protocol (OCSP) responder.

TIP: Whenever you read “You need […] data is highly available”, your answer needs to use “Network Load Balancing”.