Assignment 70-412

1. Briefly describe the information that each AD DS

partition stores.
Configuration
Contains the Configuration container, which stores configuration objects for the
entire forest in cn=configuration,dc= forestRootDomain . Updates to this container
are replicated to all domain controllers in the forest. Configuration objects store
information about sites, services, and directory partitions. You can view the
contents of the Configuration container by using ADSI Edit.
Schema
Contains the Schema container, which stores class and attribute definitions for all
existing and possible Active Directory objects in cn=schema,cn=configuration,dc=
forestRootDomain . Updates to this container are replicated to all domain
controllers in the forest. You can view the contents of the Schema container in the
Active Directory Schema console.
Domain
Contains a < domain > container (for example, the Reskit.com container), which stores
users, computers, groups, and other objects for a specific Windows 2000 domain (for
example, the Reskit.com domain). Updates to the < domain > container are replicated
to only domain controllers within the domain and to Global Catalog servers if the update
is made to an attribute that is marked for replication to the Global Catalog. The <
domain > container is displayed in the Active Directory Users and Computers console.
The hierarchy of domain directory partitions can be viewed in the Active Directory
Domains and Trusts console, where trust relationships between domains can be
managed.

2. Describe the benefits for using Distributed File System

(DFS) Replication as opposed to the File Replication
Service (FRS) for replication processes.
3. Describe the
replication

options

for

Rename the Default-First-Site-Name object

Create new Site objects
Create Subnet objects
Create Site Link objects
Designate bridgehead servers

configuring

intersite

4. Briefly describe each component of the PKI solution

Certification Authority (CA)
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

A person or institution
Trusted by others
Vouch for the authenticity of a public key
May be a principal (e.g., management, bank, credit card issuer)
Secretary of a "club" (e.g., bank clearing house)
A government agency or designee (e.g., notary public, DMV, or post office)
An independent third party operating for profit (e.g., VeriSign)
Makes a decision on evidence or knowledge, after due diligence
Records the decision by signing a certificate with its private key
Authorizes issuance of certificate

Registration Authority (RA)

1. Manages certificate life cycle, including:
a. Certificate directory maintenance
b. CRL (certificate revocation list(s)) maintenance and publication
2. thus can be:
a. A critical choke point in PKI process
b. A critical liability point, especially as relates to CRLs
3. An RA may or may not be a CA
The certificate revocation list (crl)
Of all the administrative and control mechanisms required by a PKI, the CRL function can be one
of the more complex and subtle activities. The CRL is an important index of the overall
trustworthiness of the specific PKI environment. Normally, it is considered part of the RA's duties.
Essentially, the CRL is the instrument for checking the continued validity of the certificates for
which the RA has responsibility. If a certificate is compromised, if the holder is no longer
authorized to use the certificate, or if there is a fault in the binding of the certificate to the holder, it
must be revoked and taken out of circulation as rapidly as possible. All parties in the trust
relationship must be informed. The CRL is usually a highly controlled, online database (it may take
any number of graphic forms) from which subscribers and administrators can determine the
currency of a target partner's certificate.

5. Explain what a CA is, and how it operates

Certification authority (CA) certificates are certificates that are issued by one CA
to another CA. These CA certificates become a part of the certificate trust
hierarchy, the certificate path from end-entity certificates to the trusted root CA
certificate.
The first CA certificate issued in a public key infrastructure (PKI) is a root
certificate, issued by a CA to itself. Once a root CA has been created, it can be
used to issue, sign, and validate CA certificates that are issued to other CAs.
Most commonly, root CAs are used to issue CA certificates to subordinate CAs in
a PKI hierarchy. These subordinate CAs, in turn, can issue their own CA or endentity certificates.
However, CA certificates can also be used to establish trust between two or more
PKI hierarchies. CA certificate-based trust relationships can connect PKIs in one
organization, in two organizations, or spanning multiple organizations.

Because of their critical role in establishing trust between CAs and in the
certificate validation process, CA certificates are extremely powerful and critical
elements of an organizations security strategy. For this reason, CA certificates
are typically configured with a variety of policy constraints to strictly define their
acceptable use and to prevent their unacceptable use.
The information in the CA Certificates Technical Reference is interrelated with the
information in the Certificate Services Technical Reference. The information in
these two Technical Reference documents should be taken together to gain a full
understanding of how Certificate Services can be implemented in Microsoft
Windows 2000 and Windows Server 2003 environments.

6. Describe the CA Policy.inf file, and explain its structure

and uses
The CAPolicy.inf contains various settings that are used when installing the Active Directory
Certification Service (ADCS) or when renewing the CA certificate. The CAPolicy.inf file is not
required to install ADCS with the default settings, but in many cases the default settings are
insufficient. The CAPolicy.inf can be used to configure CAs in these more complicated
deployments.
Once you have created your CAPolicy.inf file, you must copy it into the %systemroot% folder (e.g.,
C:\Windows) of your server before you install ADCS or renew the CA certificate.
Structure

A section is an area in the .INF file that covers a logical group of keys. A section always appears
in brackets in the .INF file.
A key is the parameter that is to the left of the equal sign.
A value is the parameter that is to the right of the equal sign.

7. Describe how an Online Responder uses Online

Certificate Status Protocol (OCSP) to provide a more
efficient method for clients to determine the revocation
status of a certificate.
The Online Certificate Status Protocol (OCSP) allows organizations that manage their own Public
Key Infrastructure (PKI) to improve efficiency by offloading certificate revocation list (CRL)
checking to the server. Windows7 and Windows Vista benefit from an OCSP client, allowing
certificate revocation checking to be enabled in Internet Explorer 8 and 7 by default.

8. Explain How the Hyper-V Replica feature works.

Windows Server 2012 Hyper-V Role introduces a new capability, Hyper-V Replica, as a
built-in replication mechanism at a virtual machine (VM) level. Hyper-V Replica can
asynchronously replicate a selected VM running at a primary site to a designated replica
site across LAN/WAN. The following schematic presents this concept.

Here both a primary site and a replica site are Windows Server 2012 Hyper-V hosts where
a primary site runs production or the so-called primary VMs, while a replica site is
standing by with replicated VMs off and to be brought online, should the primary site
experiences a planned or unplanned VM outage. Hyper-V Replica requires neither shared
storage, nor a specific storage hardware. Once an initial copy is replicated to a replica site
and replication is ongoing, Hyper-V Replica will replicate only the changes of a
configured primary VM, i.e. the deltas, asynchronously.