Your network contains an Active Directory domainnamed contoso.com.
Contoso.com contains a member serverthat runs Windows Server 2008 R2 Standard.
You need to create an enterprise subordinate certification authority (CA) that can issue certificates
based on version 3 certificate templates.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?

A.
Run the certutil.exe – addenrollmentserver command.

B.
Install the Active Directory Certificate Services(AD CS) role on the member server.

C.
Upgrade the member server to Windows Server 2008 R2 Enterprise.

D.
Run the certutil.exe – installdefaulttemplates command.

Explanation:
http://technet.microsoft.com/en-us/library/cc725838.aspx
Certificate Template Versions
Active Directory Certificate Services (AD CS) provides these versions of certificate templates that are available
on enterprise certification authorities (CA).
Version 3 certificate templates
In addition to version 2 template features and autoenrollment, version 3 certificate templates providesupport for
Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify
cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Template availability
Windows Server 2008 R2, all editions
Windows Server 2008, Enterprise and Datacenter editions
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/
Q_26736075.html
Windows 2008 R2 Standard or Enterprise for CA
..
With some of the new features in R2 you could technically scrape by with Standard, but you really wantto do
Enterprise edition for your online subordinate CA so you have access to all the features that will make things
easier to manage and to ensure that you have accessto potential future requirements.
..
Old info:
At first I changed the answer to B (“Install the Active Directory Certificate Services (AD CS) role onthe member
server.”) and I reasoned like this:
Version 3 certificates are supported on Windows Server 2008 R2 Standard, so there’s no upgrade to
Enterprise necessary. The first thing to do would be to install the Active Directory Certificate Services (AD
CS) role.
Reference 1:
http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificatetemplates.aspx
“Version 3 templates are supported by CAs installedon Windows Server 2008 Enterprise and Datacenter
Editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise,
Datacenter, Foundation and Server Core Editions.”
Reference 2:
http://technet.microsoft.com/en-us/library/cc772192.aspx
To install a subordinate CA
1. Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services.
Click Next two times.
2. (…)
While this still may be true I left it at the original answer C (“Upgrade the member server to WindowsServer
2008 R2 Enterprise”). Quite frankly, I’m not sure whether it’s right or wrong. Hopefully someone can clear this
up once and for all.
Some other notes and quotes I collected:
————————————————–
MS Press Training Kit 70-640 – 2nd Edition
page 781
“Enterprise CAs can run only on Windows Server 2008R2 Enterprise edition or Windows Server 2008 R2
Datacenter edition.”
Errata:
“This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all
features.”
Note from the Author or Editor:
Yes indeed, you can use the Standard Edition to runan Enterprise CA with limited functionality. Our
recommendation would be to use this as a root CA only.
——————————-Reference:
http://technet.microsoft.com/en-us/library/cc725838.aspx
Version 3 certificate templates
In addition to version 2 template features and autoenrollment, version 3 certificate templates providesupport for
Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify
cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Template availability
Windows Server 2008 R2, all editions
Windows Server 2008, Enterprise and Datacenter editions
————————–http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7cea254de5dada/
I am looking for some clarifaction on deploying a W indows Server 2008 R2 Standard CA and version 2 and
version 3 certificates. I currently have a Windows Server 2008 Standard CA.
Server 2008 Standard can only issue certificates based on V1 certificate templates.
Server 2008 R2 Standard is allowed to issue certificate based on V1, V2, and V3 certificate templates
Windows Server 2008 does not equal Windows Server 2008 R2
This ability was introduced with the Windows server2008 R2 sku
you will have one of two choices:
– Upgrade to Server 2008 Enterprise
– Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise
Brian Komar, thank you for the answer!
I have another question. In Training Kit (Exam 70-640) described: “Enterprice CAs can run only on
Windows Server 2008 R2 Enterprise edition or Datacenter edition”. Is it true? If yes, how we can issue
certificate based on V3 certificate templates on Windows Server 2008 R2 Standard?
The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server
2003) where the statement was correct
Brian