Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Explanation:
Best Practices include: Duplicate new templates from existing templates closest in function to the
intended template.
New certificate templates are duplicated from existing templates. Many settings are copied from the
original template. Because of this, duplicating one template to another of a totally different type
may carry over some unintended settings. When duplicating a template, examine the subject type of
the original template and ensure that you duplicate one that has a similar function to that of the
intended template. Although most settings for certificate templates can be edited once the template
is duplicated, the subject type cannot be changed.Deploying Certificate Templates
https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx
I think it might be B & D. When you duplicate the template it opens the properties of the new template to be configured
0
0
It’s A & D
You always need to duplicate
Then you must modify
0
0
B is absolutely required. Without it, users can’t request a cert at all.Part of the duplication is configuring the new copy. Duplicate it (configuring it) and then issue it.
B and D.If question asked for 3 steps, then i would also include A
0
0
It’s A & B.
Like previous comments mentioned, B is most. Without adding the certificate to the CA it simply can’t be issued.
Now, as for A – it is true that usually you would duplicate a template if you need to change it, but that is not mandatory only when the changes you are about to do are in the security tab of the template – you can change the permissions of the template without duplicating it. By adding the auto-enroll permission to the group you are accomplishing the requirements of the question.
The following blog post detail the procedure:
https://blogs.technet.microsoft.com/heyscriptingguy/2010/06/16/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-1-of-2/
1
0
It’s not possible to assign the “auto-enroll” permission to the certificate template unless you duplicate it. Even the URL you point to shows that.
It’s A & D.
0
0
There were a lot of arguments at here.
http://www.aiotestking.com/microsoft/which-two-actions-should-you-perform-598/
0
0