Yournetwork contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
Youneed to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Explanation:
Best Practices include: Duplicate new templates from existing templates closest in function to the
intended template.
New certificate templates are duplicated from existing templates. Many settings are copied from
the original template. Because of this, duplicating one template to another of a totally different
type may carry over some unintended settings. When duplicating a template, examine the subject
type of the original template and ensure that you duplicate one that has a similar function to that
of the intended template. Although most settings for certificate templates can be edited once the
template is duplicated, the subject type cannot be changed. Deploying Certificate Templates
https://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx
Answer is not correct.
Now we have Created a Duplicate and MOdified it. To make is usable, we need to Publish it.
Would rather choose for :
A) From Certificate Templates, modify the certificate template;
B) From Certifiation Authority, Add a certificate template to be issued
0
0
the certificate must be duplicated for autoenroll
for me it’s B and D
0
0
B and D . You get the option to modify the cert during the copy phase
0
0
Not sure… You need to modify template to add Group1? While you’re modifying you can tick read and autoenroll in Security tab?
So more likely A and D…
I thought B and D also at first, until I read that Group1 needs to be able to request only.
0
0
No! Read Carefuly: “The certificates must be issued automatically to the members” – thats means Autoenroll.
So B and D for me.
0
0
Answer: A & B
Best practice would be: D, then A, then B.
Auto Enroll can be enabled on an existing Template.
Since it is a pick 2 I would go with A & B and just assume the template had not previously been issued to the CA.
0
0