PrepAway - Latest Free Exam Questions & Answers

You need to configure Server2 as an enterprise subordinate C

Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a server named Server2.
You open the System properties on Server2 as shown in the exhibit:

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you
discover that the enterprise subordinate CA option is unavailable.
You need to configure Server2 as an enterprise subordinate CA.
What should you do first?

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.

Explanation:
In doubt about this one, whether to go for A (“Upgrade Server2 to Windows Server 2008 R2 Enterprise”), or D
(“Join Server2 to the domain”). Left it at D (“Join Server2 to the domain”), because that’s undoubtedly a
necessary step we have to take here.
See below for my (messy) thoughts.
Reference:
http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7cea254de5dada
[Someone asked this question to Brian Komar:]
<begin quote>
buffaloyoung
Okay, so on this same note, I’m looking at a practice test type question for the 70-640 exam that shows the
server running Windows Server 2008 R2 standard, and mentions that when you set up the Enterprise Sub
Certificate Authority, the Enterprise Sub CA option is not available. The multiple choice solutions are:
A. upgrade to enterprise;
B. run server manager as an admin;
C. import the root CA;
D. Join the server to the domain.
I had thought it was “A” because of the enterprise 2008 issue, but if this is changed in standard R2 … looking at
the fact that the info shows the Workgroup to be “WORKGROUP,” I am inclined to answer D. Is this right? Or
should it still be A?
Brian:
This forum is for helping people with real world PKI and security issues. It is not a study board <G>
That being said, D would be my answer. Based on some of the other things I have heard about the exam, that
may not be the answer they are looking for 😉
Brian
<end quote>
“that may not be the answer they are looking for”, what does Brian mean by that? Was he deliberately trying to
confuse buffaloyoung, or was he hinting at Microsoft advising to use Windows Server 2008 R2 Standard for
root CA only? I’m talking about this, from the 70-640 Training Kit errata page:
Page 781, 1st paragraph
<begin quote>
The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows
Server 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, but
you will not have access to all features.
Note from the Author or Editor:
Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our
recommendation would be to use this as a root CA only.
<end quote>
If that would be the case, then an upgrade to Windows Server 2008 R2 Enterprise might be what Microsoft
wants to hear from us, being answer A. Since the question is about an enterprise subordinate CA.

QUESTION 22
Your network contains an Active Directory domain.
The domain contains an enterprise certification authority (CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
Which tool should you use to assign permissions to Admin1?
– the Certification Authority console
– Active Directory Users and Computers
– the Certificates snap-in
– Active Directory Sites and Services

We need to use Active Directory Sites and Services to assign permissions to create certificate templates to
global or universal groups.
The first reference lists what needs to be done, the second reference explains how to do it.
Reference 1:
http://technet.microsoft.com/en-us/library/cc725621.aspx
Delegating Template Management
You can delegate the ability to manage individual certificate templates or to create any certificate templates by
defining appropriate permissions to global groups or universal groups that a user belongs to.
There are three levels of delegation for certificate template administration:
– Modify existing templates
– Create new templates (by duplicating existing templates)
– Full delegation (including modifying all existing templates and creating new ones)
Create New Templates
To delegate the ability to create certificate templates to users who are not members of the Domain Admins
group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the
appropriate permissions in the Configuration naming context of AD DS.
To delegate the ability to duplicate and create new certificate templates, you must make the following
permission assignments to a global or universal group of which the user is a member:
– Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
– Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates.
– Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot container.
Reference 2:
Windows Server 2008 – PKI and Certificate Security (Microsoft Press, 2008)
page 298
Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a custom universal
group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
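
An added example, not taken from this page, TechNet, or the book: a PowerShell audit of the three grants listed in Reference 1, to confirm after delegation that only the intended group can create templates. It assumes the RSAT ActiveDirectory module and read access to the Configuration naming context; the function names and the `CONTOSO\Admin1` account form are assumptions.

```powershell
# Added example: list every principal holding the grants that allow template creation.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

function Get-TemplateCreationDelegation {
    param(
        # Defaults to the current forest's Configuration naming context.
        [string]$ConfigNC = (Get-ADRootDSE).configurationNamingContext
    )
    $pks         = "CN=Public Key Services,CN=Services,$ConfigNC"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Emit one row per Allow ACE on $Dn that carries every bit of $Right.
    function Find-Ace([string]$Dn, $Right, [string]$Grant) {
        (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
            $_.ObjectType -eq [guid]::Empty   # all child classes, not a single one
        } | ForEach-Object {
            [pscustomobject]@{
                Grant     = $Grant
                Principal = $_.IdentityReference.Value
                Inherited = $_.IsInherited
                Object    = $Dn
            }
        }
    }

    # Create All Child Objects on the Certificate Templates and OID containers.
    # Full Control ACEs match too, since GenericAll includes the CreateChild bit.
    foreach ($cn in 'Certificate Templates', 'OID') {
        Find-Ace "CN=$cn,$pks" $createChild 'Create All Child Objects on container'
    }

    # Full Control on each template: container permissions are not inherited by
    # the templates, so each template object's ACL is read individually.
    Get-ADObject -SearchBase "CN=Certificate Templates,$pks" -SearchScope OneLevel -Filter * |
        ForEach-Object {
            Find-Ace $_.DistinguishedName $fullControl 'Full Control on template'
        }
}

# Principals other than Admin1 (group name from the question; CONTOSO prefix assumed).
Get-TemplateCreationDelegation |
    Where-Object Principal -ne 'CONTOSO\Admin1' |
    Sort-Object Grant, Principal |
    Format-Table -AutoSize
```

Enterprise Admins and the forest root Domain Admins are expected in the output; any other principal holding these grants can create templates alongside Admin1.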

