1
00:00:07,500 --> 00:00:12,020
Before we deploy, I would say you should decide several aspects.

2
00:00:12,060 --> 00:00:20,090
First, you should decide whether you need to deploy an offline root CA. Based on that decision,

3
00:00:20,100 --> 00:00:28,770
you also need to decide if you are going to deploy a standalone root CA or an enterprise root CA. Usually,

4
00:00:28,800 --> 00:00:36,270
if you deploy a single-layer CA hierarchy, which means that you deploy only a single CA,

5
00:00:36,420 --> 00:00:40,470
it is most common to choose an enterprise root CA.

6
00:00:41,340 --> 00:00:50,430
However, if you deploy a two-layer hierarchy with a subordinate CA, the most common scenario is to deploy

7
00:00:51,030 --> 00:00:53,330
a standalone root CA.

8
00:00:53,400 --> 00:01:02,280
This makes the root CA more secure and allows it to be taken offline, except for when it needs to

9
00:01:02,640 --> 00:01:12,230
issue certificates for a new subordinate CA. The next factor to consider is the operating system installation

10
00:01:12,230 --> 00:01:12,670
type.

11
00:01:13,250 --> 00:01:23,030
Both the Desktop Experience and the Server Core installations support AD CS. A Server Core

12
00:01:23,030 --> 00:01:32,030
installation provides a smaller attack surface and less administrative overhead, and therefore you should

13
00:01:32,030 --> 00:01:37,070
consider it for AD CS in an enterprise environment.

14
00:01:37,310 --> 00:01:48,240
In Windows Server 2016, you also can use Windows PowerShell to deploy and manage the AD CS role.

15
00:01:49,250 --> 00:01:56,690
You should be aware that you cannot change the computer name, domain name, or computer domain membership

16
00:01:57,050 --> 00:02:02,150
after you deploy a CA of any type on that computer.

17
00:02:02,150 --> 00:02:08,540
Therefore, it is important to determine these attributes before installing a CA.

18
00:02:09,500 --> 00:02:14,770
Let's review the following details about additional considerations.

19
00:02:16,720 --> 00:02:25,300
Consideration number one: the cryptographic service provider that is used to generate a new key.

20
00:02:26,680 --> 00:02:37,440
The default CSP is the RSA#Microsoft Software Key Storage Provider. Any provider whose name contains

21
00:02:37,440 --> 00:02:42,860
a number sign is a Cryptography Next Generation provider.

22
00:02:44,480 --> 00:02:48,410
The next consideration is the key character length.

23
00:02:48,830 --> 00:02:59,660
The default key length for the Microsoft Strong Cryptographic Provider is 2,048

24
00:02:59,690 --> 00:03:01,700
characters.

25
00:03:01,700 --> 00:03:06,080
This is the minimum recommended value for a root CA,

26
00:03:06,470 --> 00:03:16,220
although it is a best practice to choose the 4,096-bit key. The next consideration is

27
00:03:16,220 --> 00:03:26,580
the hash algorithm that is used to sign certificates issued by a CA. The default hash algorithm is

28
00:03:27,940 --> 00:03:31,670
SHA-256.

29
00:03:31,670 --> 00:03:41,630
In previous versions of Windows Server, the default hash algorithm is SHA-1. While Windows Server 2016

30
00:03:41,660 --> 00:03:52,520
AD CS still supports SHA-1, you should avoid it unless you specifically need to support older versions

31
00:03:52,520 --> 00:04:00,070
of the Windows operating system, as SHA-1 is no longer considered secure.

32
00:04:02,010 --> 00:04:10,770
Another consideration is the validity period for certificates issued by a CA. Templates define this as a

33
00:04:10,770 --> 00:04:11,330
default.

34
00:04:11,330 --> 00:04:19,230
For these certificates, you can choose various validity periods on various certificate templates.

35
00:04:20,510 --> 00:04:24,590
The next consideration is the status of the root server.

36
00:04:24,720 --> 00:04:27,120
Is it online or offline?

37
00:04:27,120 --> 00:04:33,480
You should deploy the root server as an offline standalone CA if possible.

38
00:04:33,480 --> 00:04:42,570
This enhances security and safeguards the root certificate because it is not available to attack

39
00:04:42,570 --> 00:04:44,670
over the network.

40
00:04:44,730 --> 00:04:53,870
Now, if you decide to deploy an offline standalone root CA, you should keep in mind some specific considerations.

41
00:04:54,830 --> 00:05:03,320
Before you issue a subordinate certificate from the root CA, make sure that you provide at least

42
00:05:03,350 --> 00:05:16,200
one certificate revocation list distribution point, or CDP, and AIA location that will be available

43
00:05:16,200 --> 00:05:18,360
to all clients.

44
00:05:18,360 --> 00:05:27,410
This is because, by default, a standalone root CA has a CDP and AIA located on itself.

45
00:05:27,480 --> 00:05:36,270
Therefore, when you take the root CA off the network, revocation checks will fail because the CDP and

46
00:05:36,740 --> 00:05:43,080
AIA location will be inaccessible. When you define these locations,

47
00:05:43,080 --> 00:05:53,230
you should manually copy the CRL and AIA information to that location. Another consideration is that you

48
00:05:53,470 --> 00:06:04,010
have to set the validity period for CRLs that the root CA publishes to a long period of time.

49
00:06:04,010 --> 00:06:05,680
For example, one year.

50
00:06:05,900 --> 00:06:15,830
This means that you will have to turn on the root CA once per year to publish a new CRL, and then you

51
00:06:15,830 --> 00:06:16,870
will have a copy.

52
00:06:16,910 --> 00:06:21,400
You have to copy it to a location that is available to clients.

53
00:06:21,620 --> 00:06:32,090
If you fail to do so, after the CRL on the root CA expires, revocation checks for all certificates will

54
00:06:32,090 --> 00:06:41,680
also fail. Another consideration is that you have to use Group Policy to publish the root CA certificate

55
00:06:42,100 --> 00:06:49,570
to the Trusted Root CA store on local server and client computers.

56
00:06:49,570 --> 00:06:55,900
You must do this manually because a standalone CA cannot do it automatically,

57
00:06:55,900 --> 00:07:05,050
unlike an enterprise CA. You can also publish the root CA certificate to AD DS by using the

58
00:07:05,060 --> 00:07:07,090
certutil command-line tool.
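The offline standalone root CA setup the lecture walks through (KSP provider, 4,096-bit key, SHA-256, reachable CDP/AIA locations, one-year CRL, manual publication of the root certificate) written out as an added Windows PowerShell and certutil example; this is not code from the course. The CA name "Contoso Root CA", the web location http://pki.contoso.com/pki/, the share \\pki.contoso.com\pki\ and the 10-year root certificate lifetime are assumptions for the example.

```powershell
# Added example, not from the original transcript. Assumed values: CA name
# "Contoso Root CA", CDP/AIA web location http://pki.contoso.com/pki/.

# 1. Install the AD CS role and a standalone root CA with the settings the
#    lecture recommends: KSP (CNG) provider, 4096-bit RSA key, SHA-256 signing.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `   # assumed root lifetime
    -Force

# 2. Replace the default "on the CA itself" CDP/AIA with a location clients can
#    reach while the root is offline. Flag 1 = write the file to the local path,
#    2 = put the URL in the CDP/AIA extension of issued certificates. certutil
#    treats the literal "\n" as the separator between entries.
$local = "$env:windir\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs "1:$local\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"

# 3. One-year CRL validity, so the root only has to be powered on once a year
#    to publish a fresh CRL before the previous one expires.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Years'
Restart-Service certsvc
certutil -crl    # publish a CRL that carries the new CDP/validity settings

# 4. Manually copy the CRL and root certificate to the online location (the
#    offline root cannot publish there itself).
Copy-Item "$local\*.crl", "$local\*.crt" -Destination '\\pki.contoso.com\pki\'

# 5. From a domain-joined administrative workstation, publish the copied root
#    certificate into AD DS as a trusted root (the standalone root CA is not
#    domain-joined, so this step does not run on the CA itself).
$rootCert = Get-ChildItem '\\pki.contoso.com\pki\*.crt' | Select-Object -First 1
certutil -dspublish -f $rootCert.FullName RootCA
```

Step 5 covers AD DS publication; the Group Policy route the lecture mentions would instead import the same .crt into a GPO's Trusted Root Certification Authorities setting.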