Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates.
The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Explanation:
The correct answers should be A and D: First duplicate it, then modify it
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applicationsusing-an-internal-pki.aspx
The section on “Creating a Custom Certificate Template” shows steps to create and states…
…”New certificate templates are created by copying an existing template and using the existing
template’s properties as the default for the new template. Copy the existing certificate template
closest to the configuration of the intended new template to minimize the work necessary.”
This is step 2 in the creation process. Step 4 is to make desired changes.
Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx
I think the answer is INCORRECT. Yjis can have 2 directions.
1)
D) duplicate certificate template
B) Add certificate template to be issued.
This is the proposed method. This will work if we modify the template when we duplicate it. Otherwise it will not have the AUTO Enroll permissions.
2)
A) modify the certificate template
B) add sertificate template to be issued
this is NOT the proposed method (MS wants us to Always create a duplicate).
The given answer will not work as we only DUPLICATE and MODIFY a certificate template. For it to work, we need to Add a certificate to be issued
1
1
I’m inclined to agree. Since we have the opportunity to edit a template while duplicating it (and before we click OK to create the duplicate), the only way to do this with 2 choices is to D – Duplicate, followed by B – Issue.
0
1
Seeing so many arguments on http://www.aiotestking.com/microsoft/which-two-actions-should-you-perform-598/ I decided to grow a pair and test it in my lab.
I’ve installed the CA role and created a group named Group1. I’ve used the User template.
Once installed, I’ve opened the CA mmc and went to the Certificate Templates folder.
I’ve tried to modify the User template but you can’t change jack shit.
I then went ahead and opened the CA Templats Console window. I’ve double clicked on the User template and now I can change stuff on the Security tab, however I can only add the “enroll” right to Group1, and not autoenroll as this question mentions. The only way is to achieve that is to duplicate the User template, only then you can modify the autoenroll rights.
So, the answer is -> Duplicate the template, modify the security tab to add Group1 Read, (Enroll maybe) and AutoEnroll rights, save it and publish it.
D, A and the next step is B
0
1
D. From Certificate Templates, duplicate a certificate template
B. From Certification Authority, add a certificate template to be issued
When you duplicate the template you are automatically put into the Properties dialog box where you change anything you want.
So “A. From Certificate Templates, modify the certificate template” would only be necessary if you forgot something and had to go back later.
After you’ve got your new cert template you must B so that people can request this cert.
0
0
Forgot to say re Autoenroll, when I clicked Duplicate on the Code Signing template, and got put into the Properties dialog box, I was able to go to the Security tab, add Group1 and give it the Autoenroll and Enroll permissions and save it. So I don’t think that’s relevant.
0
0
Answer: D & B
As far as I can tell after seeing quite a number of similar questions, is that Duplicating a template is also assuming you are customizing any property on the template at the time that it is customized. In order for the template to be issued by the CA, it must be issued to the CA (certificate template to issue).
In my opinion it was a poor decision for MS to assume duplicating meant modifying properties, since you can duplicate and click OK without changing any settings, but.
1
0
Side note, the auto enroll security setting is not an option on the default code signing template, so it must be duplicated in order to allow auto enroll.
0
0