What is new in Certificate Services 2008 R2 - YouTube
In this video from IT Free Training I will look at the new features that are available in Active Directory Certificate Services in Windows Server 2008 R2. There are three new features included in Active Directory Certificate Services in Windows Server 2008 R2: these are web enrollment, certificate enrollment across forests, and better support for high-volume CAs. I will look at each of these features individually, starting with web enrollment.

To understand how web enrollment works, and thus how it can be used, consider how a standard client communicates with other domain members. When you add a computer to the domain, security settings are configured on the client and in Active Directory that allow the client to establish a secure connection between the client and the server they are communicating with. The problem occurs when the client is outside the domain boundary. This could be for two reasons. First, the client may not be able to get a direct connection back to the network; that is, the client is mobile and cannot access the company due to a firewall. Most companies would allow the user to connect back to the network using a VPN, but perhaps this is not available, or perhaps the company wants the user to access certificate services without having to worry about using a VPN. The second scenario is when you have a client outside the domain that is not a member of the domain. Perhaps the company has a business partner that they do a lot of work with and they want to give them a certificate. In this case the business partner will never be a member of the domain.

Web enrollment works by having a server that is available on the Internet using HTTP. Web enrollment provides a proxy-like service to the certificate authority. Since the web enrollment service is on a server that is part of the domain, it can use a secure channel to communicate back to the certificate authority. This means that the certificate authority is never connected directly to the Internet and thus is protected from attack.

Before we can start using the new Active Directory web enrollment component, your network needs to meet a few requirements. First, your forest functional level needs to be Windows Server 2008 R2 forest level. In order to raise your forest functional level to Windows Server 2008 R2, this essentially means that all domain controllers in your domain need to be Windows Server 2008 R2 or above. The next requirement is that your CA needs to be running Windows Server 2003 or above. For the clients, you require Windows 7 or above. There is one more requirement if you are using certificates across forests: if you do this, the CA needs to be running the Enterprise or Datacenter edition of Windows Server.

Certificate Services now supports enrollment across forests. Before this, if you wanted to use certificates in two different forests, you would need to deploy a separate certificate infrastructure in each forest. Now you can install Active Directory Certificate Services in the one forest and use it in both forests. In order to do this you require a two-way transitive trust between the two forests. This essentially means that both forests need to be at least Windows Server 2003 functional level. This will allow one forest to issue certificates to the other forest; however, in order to support enrollment, your forest functional level needs to be Windows Server 2008 R2. Enrollment means that the client can automatically obtain a certificate, install it and start using it. Without enrollment, the user would need to manually obtain the certificate and install it manually themselves. If you already have two forests with a separate certificate infrastructure, using enrollment across forests will allow you to remove one of the certificate infrastructures, making your certificate environment a lot simpler.

The next new feature is better support for CAs that issue a lot of certificates, or high-volume CAs. To understand how this feature works, consider what happens when a certificate is issued by a CA. When a new certificate is generated, a copy is given to the client that requested it and another copy is stored in the certificate database. If you have a CA that issues a lot of certificates, this means a lot of certificates need to be stored in the local certificate database. A larger certificate database means more load on the server. An example of this is Network Access Protection, or NAP. NAP issues health certificates to clients. When a client connects to the network, NAP checks the client to see it meets the minimum requirements to access the network. Checks that are performed are that antivirus software is running and a firewall is enabled. The health certificates that are issued have a short life span. This means that multiple certificates could be requested by the same client in the same day. If you have a large network with a lot of clients that all use NAP, that would be a lot of certificates that need to be issued on a daily basis.

In order to reduce the load on the CA, the high-volume CA option can be enabled. This essentially means that when a certificate is issued it is not stored in the certificate database on the certificate authority. This reduces the load on the CA. The disadvantage of this option is that if a certificate is issued and you later on want to revoke this certificate (revoking simply means cancelling the certificate so it can no longer be used), you will not be able to do this. Revoking a certificate requires a copy of the certificate to be present in the certificate database. In the case of NAP certificates, the certificates are not valid for very long, so the period of time a certificate could be used or misused is very small. In order to improve performance, a company may decide to switch on the high-volume option and accept the risk associated with not being able to revoke a certificate once it is issued. If you do decide to switch on this option, it is referred to as non-persistent certificate processing and requires Windows Server 2008 R2 or above. If you have a performance problem on your certificate authority servers, this option should improve performance on that CA.

This covers the new features included in Windows Server 2008 R2 for Active Directory Certificate Services. I hope you enjoy this video, and have a look at some of our other free videos. For more free videos for this course and others, please feel free to subscribe or visit our website. Thanks for watching and see you next time.