You are an Active Directory administrator for Contoso, Ltd. You have a properly configured certification
authority (CA) in the contoso.com Active Directory Domain Services (AD DS) domain. Contoso employees
authenticate to the VPN by using a user certificate issued by the CA.
Contoso acquires a company named Litware, Inc., and establishes a forest trust between contoso.com
and litwareinc.com. No CA currently exists in the litwareinc.com AD DS domain. Litware employees do
not have user accounts in contoso.com and will continue to use their litwareinc.com user accounts.
Litware employees must be able to access Contoso’s VPN and must authenticate by using a user
certificate that is issued by Contoso’s CA.
You need to configure cross-forest certificate enrollment for Litware users.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
Grant the litwareinc.com AD DS Domain Computers group permissions to enroll for the VPN template
on the Contoso CA.
B.
Copy the VPN certificate template from contoso.com to litwareinc.com.
C.
Add Contoso’s root CA certificate as a trusted root certificate to the Trusted Root Certification
Authority in litware.com.D. Configure clients in litwareinc.com to use a Certificate Policy server URI that contains the location of
Contoso’s CA.
I’ve also seen AC as answer. I.m.o. C can’t be correct because Litware does not have a CA.
I think AD might be correct.
0
0
i think CD are correct
http://www.aiotestking.com/microsoft/contoso-employees-authenticate-to-the-vpn-by-using-a-user-certificate-issued-by-the-c/
0
0
I, also, think C and D are correct. For C, if you push Contoso’s root cert via GPO it’ll install to the Trusted Root on each local system. Then just point the clients to Contoso.
0
0