Your company has an office in New York.
Many users connect to the office from home by using the Internet.
You deploy an Active Directory Certificate Services (AD CS) infrastructure that contains an enterprise certification authority (CA) named CA1.
CA1 is only available from hosts on the internal network.
You need to ensure that the certificate revocation list (CRL) is available to all of the users.
What should you do? (Each correct answer presents part of the solution. Choose all that apply.)
A. Create a scheduled task that copies the CRL files to a Web server.
B. Run the Install-ADCSWebEnrollment cmdlet.
C. Run the Install-EnrollmentPolicyWebService cmdlet.
D. Deploy a Web server that is accessible from the Internet and the internal network.
E. Modify the location of the Authority Information Access (AIA).
F. Modify the location of the CRL distribution point (CDP).
Explanation:
D: Access to CRLs for the ‘Internet scenario’ is fully supported and includes the following features:
CRLs will be located on Web servers which are Internet facing.
CRLs will be accessed using the HTTP retrieval protocol.
CRLs will be accessed using an external URL of http://dp1.pki.contoso.com/pk
F: To successfully authenticate an Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connection, DirectAccess clients must be able to check for certificate revocation of the secure sockets layer (SSL) certificate submitted by the DirectAccess server.
To successfully perform intranet detection, DirectAccess clients must be able to check for certificate revocation of the SSL certificate submitted by the network location server.
This procedure describes how to do the following:
Create a Web-based certificate revocation list (CRL) distribution point using Internet Information Services (IIS)
Configure permissions on the CRL distribution shared folder
Publish the CRL in the CRL distribution shared folder
Configure a CRL Distribution Point for Certificates
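The explanation above amounts to a three-step procedure: add an HTTP CDP URL on the CA (answer F, usually together with an AIA URL on the same host, answer E), publish the CRL, and copy the CRL files to an Internet-facing Web server (answers A and D). As an added example that is not part of the original question, answer key or comments, the PowerShell below performs those steps on the CA using the ADCSAdministration and ScheduledTasks cmdlets and then checks that the CRL is retrievable over HTTP. The host name crl.example.com, the share \\web1\crl$, the script path and the CA common name "CA1" used in the final download check are placeholders, not values from the page.

```powershell
# Added example; not from the original page. Run on the enterprise CA as a CA administrator.
# Assumptions (placeholders, not from the page): external DNS name crl.example.com,
# SMB share \\web1\crl$ on the Internet-facing web server, script path C:\Scripts\Publish-Crl.ps1.

Import-Module ADCSAdministration

$ExternalHost = 'crl.example.com'    # placeholder: name clients on the Internet resolve
$WebShare     = '\\web1\crl$'        # placeholder: share backing the /crl virtual directory
$CertEnroll   = "$env:SystemRoot\System32\CertSrv\CertEnroll"   # default CA publishing folder

# 1. Answer F: add an HTTP CDP URL that newly issued certificates will carry.
#    <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed> are the CA's standard replacement tokens,
#    so base and delta CRLs get distinct file names.
$CdpUri = "http://$ExternalHost/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $CdpUri)) {
    Add-CACrlDistributionPoint -Uri $CdpUri -AddToCertificateCdp -AddToFreshestCrl -Force
}

# 2. Answer E: publish the CA certificate on the same host so external clients can
#    build the chain as well as check revocation.
$AiaUri = "http://$ExternalHost/crl/<ServerDNSName>_<CaName><CertificateName>.crt"
if (-not (Get-CAAuthorityInformationAccess | Where-Object Uri -eq $AiaUri)) {
    Add-CAAuthorityInformationAccess -Uri $AiaUri -AddToCertificateAia -Force
}

# The CA service reads the CDP/AIA extension settings at start-up.
Restart-Service certsvc

# 3. Answer A: the CA writes its CRL to CertEnroll (and to file/LDAP CDPs), never to a
#    remote HTTP server, so a scheduled task copies the base and delta CRLs and the CA cert.
#    Running as SYSTEM, the task authenticates to the share as the CA's computer account,
#    which therefore needs write access on the share and folder ACLs.
$CopyScript = @"
Copy-Item -Path "$CertEnroll\*.crl" -Destination "$WebShare" -Force
Copy-Item -Path "$CertEnroll\*.crt" -Destination "$WebShare" -Force
"@
$ScriptPath = 'C:\Scripts\Publish-Crl.ps1'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $CopyScript

# Repeat well inside the CRL publication interval, so a new CRL reaches the web server
# before the previously published one expires.
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'Publish CRL to web server' -Action $Action -Trigger $Trigger `
            -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force

# Publish a fresh CRL now and copy it once so the external URL is valid immediately.
certutil -crl
& $ScriptPath

# 4. Check from a client's point of view: the CRL must download over plain HTTP and parse.
#    The file name CA1.crl assumes the CA common name is "CA1" (assumption).
$Tmp = Join-Path $env:TEMP 'ca1.crl'
Invoke-WebRequest -Uri "http://$ExternalHost/crl/CA1.crl" -OutFile $Tmp -UseBasicParsing
certutil -dump $Tmp | Select-String 'NextUpdate'
```

The CDP URL is deliberately http:// rather than https://: a client validating the Web server's TLS certificate would otherwise have to fetch a CRL over a connection whose own certificate it has not yet validated. Certificates issued before the extension change keep their old CDP, so they only benefit once re-issued.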
I’d say D & F.
There is no need to copy the CRL to another webserver if you are changing the CDP, pointing to the new server.
Well, if you only change the CDP extension to add a CRL location, you also need to publish it, and this cannot be done to web servers, I believe. You could publish it to a file location, for instance a share. But then you have to create a share in the wwwroot somewhere. So I think you need A also to get this done.
After some research, the original answer seems to be correct. A is necessary as per the excerpt below.
https://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx
If you are publishing CRLs to a Network Load Balanced (NLB) clustered Web service, the method that you implement must be carefully designed to ensure that all nodes in the cluster maintain the same ETag value for a specific CRL. To ensure that the same ETag value is maintained, each node’s version of the CRL must have the same date/time stamp. This is done by copying the CRLs from a single source to all nodes in the cluster. If the CRLs are generated or created on each node of the Web cluster, then the CRLs would have different ETag values.
Although NLB is not stated in the question, I believe this to be accurate.