Your network contains an Active Directory domain named contoso.com.
The network contains 15,000 client computers.
You plan to deploy an Active Directory Certificate Services (AD CS) infrastructure and issue certificates to all of the network devices.
You need to recommend a solution to minimize the amount of network utilization caused by certificate revocation list (CRL) checking.
What should you include in the recommendation? More than one answer choice may achieve the goal. Select the BEST answer.
A. The Network Device Enrollment Service role service
B. An increase of the CRL validity period
C. A reduction of the CRL validity period
D. The Online Responder role service
http://technet.microsoft.com/en-us/library/cc753468.aspx
Correct answer: D. The goal is to minimize the network traffic generated by CRL checking, not to change the CRL validity period (options B and C). The best way to achieve this is to implement the Online Responder.
When you revoke a certificate, you must announce that it was revoked so that no service will use or accept it. You can do this by publishing CRLs or by configuring the Online Responder service, which is based on the Online Certificate Status Protocol (OCSP).
CRLs
CRLs are lists of certificates that have been revoked. The CAs maintain these lists as part of the certificate database. CRLs provide clients with one method of checking certificate revocation before accepting a certificate and proceeding with secure communication.
Clients access CRLs to determine the revocation status of a certificate. If CRLs are large, clients might spend a long time searching through them.
Online Responder
By using OCSP, Online Responders give clients an efficient method for determining a certificate's revocation status. OCSP status requests and responses are carried over HTTP.
Because an Online Responder receives all of the certificate revocation data in place of the relying clients, it can search the CRLs on their behalf and answer only for the certificate in question. A relying party submits a status request about an individual certificate to the Online Responder, which returns a definitive, digitally signed response that indicates only that certificate's status. The amount of data retrieved per request is constant, no matter how many revoked certificates exist in the certificate database on the CA.
In summary, the Online Responder service (a role service of AD CS) minimizes the amount of network utilization caused by certificate revocation list (CRL) checking.
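The following PowerShell session shows how the recommended design is put in place and how a client can be checked to confirm it is using OCSP rather than downloading the CRL. It is an added example, not part of the original question or of Microsoft's documentation; the host names ocsp.contoso.com and pki.contoso.com and the file path C:\temp\issued.cer are assumptions.

```powershell
# Added example (not from the original page). Assumed names: ocsp.contoso.com hosts the
# Online Responder, C:\temp\issued.cer is any certificate issued by the contoso.com CA.
# Run each part on the server named in its comment.

# --- 1. On the server that will host the Online Responder ---
# Installs the AD CS "Online Responder" role service and creates the /ocsp IIS application.
Install-WindowsFeature ADCS-Online-Cert -IncludeManagementTools
Install-AdcsOnlineResponder -Force

# --- 2. On the issuing CA: publish the OCSP URL in the AIA extension of new certificates ---
# -AddToCertificateOcsp marks the URL as an OCSP location, so clients query the responder
# for a single certificate instead of fetching the whole CRL from the CDP.
Add-CAAuthorityInformationAccess -Uri 'http://ocsp.contoso.com/ocsp' -AddToCertificateOcsp -Force
Restart-Service certsvc

# Review the resulting AIA/OCSP publication settings.
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp

# --- 3. On a client: confirm which revocation source a certificate actually uses ---
# Clear the client's URL cache first so the check is not answered from a cached CRL.
certutil -urlcache * delete
# -urlfetch makes certutil retrieve every AIA, CDP and OCSP URL in the chain and report
# whether each retrieval verified; a verified OCSP entry shows the CRL was not needed.
certutil -verify -urlfetch C:\temp\issued.cer
```

Two things the cmdlets above do not cover: the CA must issue an OCSP Response Signing certificate to the responder, and the revocation configuration that points the responder at the CA is created in the Online Responder Management console (ocsp.msc). Note also that Windows clients cache a downloaded CRL until its next-update time, which is why changing the CRL validity period only shifts the download frequency: a shorter period (option C) increases traffic, a longer one (option B) reduces it but delays the point at which clients learn of a revocation, whereas OCSP keeps every check to one small, constant-size exchange.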