jacobus ockhuizen assignment 70-412


Upload: jacobus

Posted on 12-Dec-2015


Description: a few questions on 70-412


Page 1: Jacobus Ockhuizen Assignment 70-412

Assignment 70-412

1. Briefly describe the information that each AD DS partition stores.

Configuration

Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.

Schema

Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.

Domain

Contains a <domain> container (for example, the Reskit.com container), which stores users, computers, groups, and other objects for a specific Windows 2000 domain (for example, the Reskit.com domain). Updates to the <domain> container are replicated only to domain controllers within the domain, and to Global Catalog servers if the update is made to an attribute that is marked for replication to the Global Catalog. The <domain> container is displayed in the Active Directory Users and Computers console. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.
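As an added example (not code from the assignment), the three partitions above and the "marked for replication to the Global Catalog" rule can be checked from PowerShell on a domain-joined host; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not part of the assignment): enumerate the three AD DS
# partitions described above and list the attributes whose updates also
# reach Global Catalog servers. Assumes the ActiveDirectory module on a
# domain-joined Windows Server 2012 machine.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitions = [ordered]@{
    'Domain (replicates only within the domain)' = $rootDse.defaultNamingContext
    'Configuration (replicates forest-wide)'     = $rootDse.configurationNamingContext
    'Schema (replicates forest-wide)'            = $rootDse.schemaNamingContext
}
foreach ($entry in $partitions.GetEnumerator()) {
    '{0,-45} {1}' -f $entry.Key, $entry.Value
}

# An attribute's update is replicated to the Global Catalog only when its
# attributeSchema object is flagged isMemberOfPartialAttributeSet=TRUE.
$gcAttributes = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

'{0} attributes are in the Global Catalog partial attribute set' -f $gcAttributes.Count
# Spot-check a few attributes that are commonly queried forest-wide
$gcAttributes | Where-Object { $_ -in 'sAMAccountName', 'userPrincipalName', 'member' }
```

Anything in the partial attribute set is readable from every Global Catalog in the forest, so this list is worth reviewing before adding custom attributes to it.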

2. Describe the benefits for using Distributed File System (DFS) Replication as opposed to the File Replication Service (FRS) for replication processes.

3. Describe the options for configuring intersite replication

1. Rename the Default-First-Site-Name object
2. Create new Site objects
3. Create Subnet objects
4. Create Site Link objects
5. Designate bridgehead servers
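The five options above carried out in PowerShell, as an added example that is not part of the assignment; the site names, subnets and server name are constructed, and the ActiveDirectory module on Windows Server 2012 is assumed.

```powershell
# Added example (not part of the assignment): the five intersite replication
# options listed above, performed with the ActiveDirectory module.
# Site names, subnets and the DC name are constructed for this example.
Import-Module ActiveDirectory
$sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext

# 1. Rename the Default-First-Site-Name object
Rename-ADObject -Identity "CN=Default-First-Site-Name,$sitesDn" -NewName 'HQ'

# 2. Create a new Site object for the branch office
New-ADReplicationSite -Name 'Branch'

# 3. Create Subnet objects so DCs and clients can locate their own site
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch'

# 4. Create a Site Link object; cost and interval govern intersite replication
New-ADReplicationSiteLink -Name 'HQ-Branch' -SitesIncluded 'HQ', 'Branch' `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 5. Designate a preferred bridgehead server for the IP transport by adding
#    the transport's DN to bridgeheadTransportList on the DC's server object
$ipTransport = "CN=IP,CN=Inter-Site Transports,$sitesDn"
Set-ADObject -Identity "CN=DC1,CN=Servers,CN=HQ,$sitesDn" `
    -Add @{ bridgeheadTransportList = $ipTransport }

# Verify the link; the KCC builds intersite connection objects from it
Get-ADReplicationSiteLink -Filter 'Name -eq "HQ-Branch"' |
    Format-List Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```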


4. Briefly describe each component of the PKI solution

Certification Authority (CA)

1. A person or institution
2. Trusted by others
3. Vouches for the authenticity of a public key
4. May be a principal (e.g., management, bank, credit card issuer)
5. Secretary of a "club" (e.g., bank clearing house)
6. A government agency or designee (e.g., notary public, DMV, or post office)
7. An independent third party operating for profit (e.g., VeriSign)
8. Makes a decision on evidence or knowledge, after due diligence
9. Records the decision by signing a certificate with its private key
10. Authorizes issuance of the certificate

Registration Authority (RA)

1. Manages the certificate life cycle, including:
   a. Certificate directory maintenance
   b. CRL (certificate revocation list) maintenance and publication

2. Thus can be:
   a. A critical choke point in the PKI process
   b. A critical liability point, especially as relates to CRLs

3. An RA may or may not be a CA

The Certificate Revocation List (CRL)

Of all the administrative and control mechanisms required by a PKI, the CRL function can be one of the more complex and subtle activities. The CRL is an important index of the overall trustworthiness of the specific PKI environment. Normally, it is considered part of the RA's duties. Essentially, the CRL is the instrument for checking the continued validity of the certificates for which the RA has responsibility. If a certificate is compromised, if the holder is no longer authorized to use the certificate, or if there is a fault in the binding of the certificate to the holder, it must be revoked and taken out of circulation as rapidly as possible. All parties in the trust relationship must be informed. The CRL is usually a highly controlled, online database (it may take any number of graphic forms) from which subscribers and administrators can determine the currency of a target partner's certificate.

5. Explain what a CA is, and how it operates

Certification authority (CA) certificates are certificates that are issued by one CA to another CA. These CA certificates become a part of the certificate trust hierarchy, the certificate path from end-entity certificates to the trusted root CA certificate.

The first CA certificate issued in a public key infrastructure (PKI) is a root certificate, issued by a CA to itself. Once a root CA has been created, it can be used to issue, sign, and validate CA certificates that are issued to other CAs.

Most commonly, root CAs are used to issue CA certificates to subordinate CAs in a PKI hierarchy. These subordinate CAs, in turn, can issue their own CA or end-entity certificates.

However, CA certificates can also be used to establish trust between two or more PKI hierarchies. CA certificate-based trust relationships can connect PKIs in one organization, in two organizations, or spanning multiple organizations.


Because of their critical role in establishing trust between CAs and in the certificate validation process, CA certificates are extremely powerful and critical elements of an organization’s security strategy. For this reason, CA certificates are typically configured with a variety of policy constraints to strictly define their acceptable use and to prevent their unacceptable use.

The information in the CA Certificates Technical Reference is interrelated with the information in the Certificate Services Technical Reference. The information in these two Technical Reference documents should be taken together to gain a full understanding of how Certificate Services can be implemented in Microsoft Windows 2000 and Windows Server 2003 environments.

6. Describe the CAPolicy.inf file, and explain its structure and uses

The CAPolicy.inf file contains various settings that are used when installing Active Directory Certificate Services (AD CS) or when renewing the CA certificate. The CAPolicy.inf file is not required to install AD CS with the default settings, but in many cases the default settings are insufficient. CAPolicy.inf can be used to configure CAs in these more complicated deployments.

Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder (e.g., C:\Windows) of your server before you install ADCS or renew the CA certificate.

Structure

A section is an area in the .INF file that covers a logical group of keys. A section always appears in brackets in the .INF file.

A key is the parameter that is to the left of the equal sign.

A value is the parameter that is to the right of the equal sign.
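An added example (not part of the assignment) that writes a CAPolicy.inf with the section/key/value structure described above into %systemroot% and then reads it back section by section. The key names are documented AD CS keys; the OID, policy name and URL are constructed placeholders.

```powershell
# Added example (not part of the assignment): create a CAPolicy.inf and parse
# its [Section] / key=value structure. The Certsrv_Server and policy keys are
# documented AD CS keys; OID, URL and policy name are placeholders.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1
Notice="Example Corp certificate practice statement (placeholder)"
URL=http://pki.example.internal/cps.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=1
LoadDefaultTemplates=0
'@
# The file must sit in %systemroot% before AD CS is installed or the CA renewed
$path = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding ASCII

# Parse it back: a [Section] header opens a group, key=value lines fill it
$sections = [ordered]@{}
$current = $null
foreach ($line in Get-Content $path) {
    $line = $line.Trim()
    if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
    if ($line -match '^\[(.+)\]$') {                             # section header
        $current = $matches[1]
        $sections[$current] = [ordered]@{}
        continue
    }
    $key, $value = $line -split '=', 2                           # key = value
    $sections[$current][$key.Trim()] = $value.Trim()
}
$sections['Certsrv_Server']
```

LoadDefaultTemplates=0 keeps the CA from publishing the default templates at install time, so only deliberately reviewed templates become issuable.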

7. Describe how an Online Responder uses Online Certificate Status Protocol (OCSP) to provide a more efficient method for clients to determine the revocation status of a certificate.

The Online Certificate Status Protocol (OCSP) allows organizations that manage their own Public Key Infrastructure (PKI) to improve efficiency by offloading certificate revocation list (CRL) checking to the server. Windows 7 and Windows Vista benefit from an OCSP client, allowing certificate revocation checking to be enabled in Internet Explorer 8 and 7 by default.
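An added example (not part of the assignment) tying together the CRL (answer 4), the certificate path to the root CA (answer 5) and OCSP (answer 7): it reads the OCSP responder URL from a certificate's Authority Information Access extension and has Windows build and revocation-check the chain online. The file name server.cer is a constructed placeholder.

```powershell
# Added example (not part of the assignment): locate the OCSP responder URL in
# a certificate and validate the chain with online revocation checking.
# 'server.cer' is a placeholder for any end-entity certificate file.
$certNs = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$certNs.X509Certificate2" 'server.cer'

# The Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1) carries
# the CA issuer and OCSP responder URLs that the Windows OCSP client uses.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) {
    # On Windows, Format($true) renders one "URL=..." line per access method
    $aia.Format($true) -split "`r?`n" | Where-Object { $_ -match 'URL=' }
}

$chain = New-Object "$certNs.X509Chain"
# Online: consult OCSP/CRL rather than only a cached CRL; EntireChain checks
# every CA certificate on the path, not just the end entity.
$chain.ChainPolicy.RevocationMode = [Enum]::Parse("$certNs.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag = [Enum]::Parse("$certNs.X509RevocationFlag", 'EntireChain')
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$trusted = $chain.Build($cert)

# Walk the certificate path: end entity -> subordinate CA(s) -> root CA
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '{0}  [{1}]' -f $element.Certificate.Subject, $status
}

if (-not $trusted) {
    # Revoked is a hard failure; RevocationStatusUnknown or OfflineRevocation
    # mean the check itself could not complete and should not be treated as OK.
    foreach ($s in $chain.ChainStatus) { '{0}: {1}' -f $s.Status, $s.StatusInformation }
}
```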

8. Explain how the Hyper-V Replica feature works.

The Windows Server 2012 Hyper-V role introduces a new capability, Hyper-V Replica, as a built-in replication mechanism at the virtual machine (VM) level. Hyper-V Replica can asynchronously replicate a selected VM running at a primary site to a designated replica site across a LAN/WAN. The following schematic presents this concept.


Here both the primary site and the replica site are Windows Server 2012 Hyper-V hosts: the primary site runs the production (so-called primary) VMs, while the replica site stands by with the replicated VMs powered off, to be brought online should the primary site experience a planned or unplanned VM outage. Hyper-V Replica requires neither shared storage nor specific storage hardware. Once an initial copy has been replicated to the replica site and replication is ongoing, Hyper-V Replica replicates only the changes to a configured primary VM, i.e. the deltas, asynchronously.
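The primary/replica arrangement described above set up with the Hyper-V PowerShell module, as an added example that is not part of the assignment; host names, the VM name and the storage path are constructed, and both hosts are assumed to be in the same Active Directory forest (Kerberos authentication).

```powershell
# Added example (not part of the assignment): configure Hyper-V Replica on
# Windows Server 2012. Host names, VM name and paths are constructed.

# --- On the replica host (HV-REPLICA): accept replication from one named primary
Set-VMReplicationServer -ReplicationEnabled $true `
    -AllowedAuthenticationType Kerberos `
    -ReplicationAllowedFromAnyServer $false `
    -DefaultStorageLocation 'D:\Replica'
# Authorize only the intended primary host rather than any server
New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HV-PRIMARY.corp.example' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Production'
# Open the listener the primary connects to (HTTP for Kerberos)
Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'

# --- On the primary host (HV-PRIMARY): enable replication for one VM
# Kerberos over port 80 is integrity-protected but not encrypted; across
# untrusted links use -AuthenticationType Certificate with port 443 instead.
Enable-VMReplication -VMName 'APP01' -ReplicaServerName 'HV-REPLICA.corp.example' `
    -ReplicaServerPort 80 -AuthenticationType Kerberos -CompressionEnabled $true

# The initial copy crosses the network once; afterwards only the deltas are sent
Start-VMInitialReplication -VMName 'APP01'

# Health check: replication state, last replication time and delta sizes
Measure-VMReplication -VMName 'APP01' | Format-List
```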