Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs a Server Core installation of Windows Server 2012 R2.
You need to deploy a certification authority (CA) to Server1. The CA must support the autoenrollment of certificates.
Which two cmdlets should you run? (Each correct answer presents part of the solution. Choose
two.)
A.
Add-CAAuthoritylnformationAccess
B.
Install-AdcsCertificationAuthority
C.
Add-WindowsFeature
D.
Install-AdcsOnlineResponder
E.
Install-AdcsWebEnrollment
Explanation:
B)
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS
CA role service. It can be used to install a root CA.
Example:
Install-AdcsCertificationAuthority –CAType StandaloneRootCA –CACommonName “ContosoRootCA”
–KeyLength 2048 –HashAlgorithm SHA1 –CryptoProviderName “RSA#Microsoft Software Key
Storage Provider”
E: The Install-AdcsWebEnrollment cmdlet performs initial installation and configuration of the
Certification Authority Web Enrollment role service.
Note: Prior to the availability of Certificate Enrollment Web Services, AD CS required that client
computers configured for certificate auto-enrollment be connected directly to the corporate
network. Certificate Enrollment Web Services allows organizations to enable AD CS using a
perimeter network. This allows users and computers outside the corporate network to enroll for
certificates.
Certificate Enrollment web service Deploying AD CS Using Windows PowerShell
Answer should be :
– Add-WindowsFeature (install adcs binaries)
– Install-AdcsCertificationAuthority (install ADCS with the needed cert auto-enroll
3
0
I agree with answer. The Install-ADCSCertificationAuthority cmdlet is the right one to install that role according to Technet, https://technet.microsoft.com/en-us/library/hh848389(v=wps.630).aspx
0
0
We started with a server core installation and we need the binaries installation.
Answer: B,C
3
0
The explanation posted confirms that we need to install binaries first ADD-WindowsFeature then to configure the role Install-AdcsCertificationAuthority
Correct ans is B,C
2
0
B and C
0
0
WebEnrollment does not matter for this task, but binaries are needed.
so forget about E and choose C instead
0
0
Indeed, everything points towards installing the binaries first, then setting up the ADCS services. As pet the auto-enrollment – there’s no PS command dealing with that amongst the answers.
Ref:
https://technet.microsoft.com/en-us/itpro/powershell/windows/pki/set-certificateautoenrollmentpolicy – if you’re doing it over PS
http://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll – if you’re doing it over GPO
Having said that, I’d go with B&C too.
1
0
B and C confirmed in lab.
Installed a server core installation of Server 2012 R2 and tried to do B first using the example in the explanation:
Install-AdcsCertificationAuthority –CAType StandaloneRootCA CACommonName “ContosoRootCA” –KeyLength 2048 –HashAlgorithm SHA1 -CryptoProviderName “RSA#Microsoft Software Key Storage Provider”
ALMOST IMMEDIATELY… it errored out stating that “Install-ADCSCer…” is not a valid command.
I then did “Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools” which succeeded without problem. so C is a must-have.
I then scrolled up through my history of commands back to the Install-ADCSCertificationAuthority rather than type it in again to ensure that I’m using the same exact command as I typed before. This time I got a syntax error in one of my switches, didn’t bother to check what. But this confirms that powershell in server core now recognizes this Install command after adding ACDS.
When I did just Install-ADCSCertificationAuthority without any switches, it then went to “questionnaire” mode.
B & C are confirmed from my lab test!
8
0