PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)


A. From Certificate Templates, modify the certificate template.

B. From Certification Authority, add a certificate template to be issued.

C. From Certificate Authority, modify the CA properties.

D. From Certificate Templates, duplicate a certificate template.

E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.

Explanation:

Best Practices include: Duplicate new templates from existing templates closest in function to the
intended template.
New certificate templates are duplicated from existing templates. Many settings are copied from the
original template. Because of this, duplicating one template to another of a totally different type
may carry over some unintended settings. When duplicating a template, examine the subject type of
the original template and ensure that you duplicate one that has a similar function to that of the
intended template. Although most settings for certificate templates can be edited once the template
is duplicated, the subject type cannot be changed.

Deploying Certificate Templates
https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx
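
To verify the outcome the question asks for (Group1 holding enrollment rights on a code signing template that the CA actually issues), the PowerShell below is an added example and not part of the original page. It assumes it is run on the CA with the ActiveDirectory and ADCSAdministration modules available, and that the template's CN is `CodeSigning`; the function and variable names are illustrative.

```powershell
# Added example; run on the CA with the AD DS and AD CS admin modules installed.
Import-Module ActiveDirectory, ADCSAdministration

# Extended-right GUIDs that control enrollment on certificate template objects.
$EnrollmentRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

function Get-TemplateEnrollmentRights {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Templates live in the forest-wide configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # HasFlag also matches GenericAll (Full Control), which includes ExtendedRight.
        if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty) {
            $right = 'Enroll, Autoenroll (all extended rights)'
        } elseif ($EnrollmentRights.ContainsKey($guid)) {
            $right = $EnrollmentRights[$guid]
        } else {
            continue   # some other extended right, not enrollment
        }

        [pscustomobject]@{
            Template  = $TemplateName
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

$template = 'CodeSigning'   # assumption: CN of the built-in template; use the duplicate's CN if one was made
$acl = Get-TemplateEnrollmentRights -TemplateName $template
$acl | Format-Table -AutoSize

# A template is only requestable once the CA lists it under "Certificate Templates".
$published = (Get-CATemplate).Name -contains $template
$group1 = $acl | Where-Object Principal -like '*\Group1'
"Published on this CA: $published; Group1 rights: $(($group1.Right | Sort-Object -Unique) -join ', ')"
```

Because a code signing certificate lets its holder sign software as the organization, the same listing is worth reviewing for any principal broader than the intended group.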

12 Comments on “Which two actions should you perform?”

  1. Djack says:

    I’d actually go with A, B since there are only two actions requested. This question is a bit ambiguous.
    Normally you’d duplicate a template (D), then modify it (A) and finally issue the template for use (B). Since the Code Signing certificate template already exists by default, I guess you can skip the first step, leaving you with options A and B.




    1. Djack says:

      In one of the previous versions there is a big discussion about this: http://www.aiotestking.com/microsoft/which-two-actions-should-you-perform-598/
      It seems people can’t agree on this. However, after testing in my lab, I’d stick with B and D since duplicating the template automatically brings up the properties box for the template – allowing you to enable auto-enrollment in one go. After that, you’d only have to issue the template for use.




  2. mist74 says:

    B, D. Duplicating template allows for modification of duplicated one immediately, so in one hit we can duplicate and change ACL. Then only B – allow to issue.




  3. kurt says:

    B is surely right for definite, you have to issue a new template for people to be able to request a new certificate.
    Then either A or D, depends whether it is enrol permissions or autoenrol permissions they need. If they need autoenrol you have to duplicate the template, but enrol permissions can be assigned to the existing template.




  4. kurt says:

    has to be A/B:

    Billy says:
    February 17, 2015 at 6:18 am
    I think there is some confusion on this question. It states the users in the group must be able to REQUEST the certificate, and that the cert is automatically issued. This implies Read and Enroll permission is necessary on the certificate, since they will request the certificate themselves, and with ‘Enroll’ permission, the CA will automatically issue them the certificate.
    The question does not simply state that the certificate must be automatically issued to every user in the group, which is what the ‘Autoenroll’ permission would do.

    With that, you would go into CA > Cert Templates > right-click and select Manage to get the Templates window. Right-click Code Signing certificate and select Properties. Go to Security, add Group1 to the list and specify the Read and Enroll permissions. Save that.

    Once that is done, you go back to the CA window, right-click Cert Templates > New > Cert Template to be Issued and select the Code Signing certificate.




  5. sahing says:

    I just tried in my farm. Actually there is just one thing that is confusing people’s minds:

    the actual meaning of the words “Duplicate” and “Modify”.

    I think we all agree that the answer (duplicate the template) is part of the solution. So while we agree on this, if we duplicate the cert template, we are not modifying it anymore. We are creating a new one from a template. And what we do after duplicating it is not modifying it, just editing the new template.

    BUT IF we edit a certificate that already exists, then we can say we are “modifying” it. I think that duplicating the template also includes modifying it.

    Then the question says it should be “issued automatically”, so we have to approve our template to be issued. Duplicating this template does not mean that your certificate is ready to use. Without putting it in the issued certificates, it’s just a template.

    Add the new template to the CA. Right click Certificate Templates > New > certificate template to issue > choose the template you just created.

    I will go with B&D (duplicate and issue)




