Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member
server that runs Windows Server 2008 R2 Standard.
You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on
version 3 certificate templates.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A.
Run the certutil.exe – addenrollmentserver command.
B.
Install the Active Directory Certificate Services(AD CS) role on the member server.
C.
Upgrade the member server to Windows Server 2008 R2 Enterprise.
D.
Run the certutil.exe – installdefaulttemplates command.
Explanation:
At first I changed the answer to B (“Install the Active Directory Certificate Services (AD CS) role onthe member
server.”), and I reasoned like this:
Version 3 certificates are supported on Windows Server 2008 R2 Standard, so there’s no upgrade to
Enterprise necessary. The first thing to do would be to install the Active Directory Certificate Services (AD
CS) role.
Reference 1:
http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx
“Version 3 templates are supported by CAs installedon Windows Server 2008 Enterprise and Datacenter
Editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise,
Datacenter, Foundation and Server Core Editions.”
Reference 2:
http://technet.microsoft.com/en-us/library/cc772192.aspx
To install a subordinate CA
1. Open Server Manager, click Add Roles, click Next,and click Active Directory Certificate Services.
Click Next two times.
2. (…)
While this still may be true I left it at the original answer C (“Upgrade the member server to WindowsServer
2008 R2 Enterprise”). Quite frankly, I’m not sure whether it’s right or wrong. Hopefully someone can clear this
up once and for all.
Some other notes and quotes I collected:
————————————————–MS Press Training Kit 70-640 – 2nd Edition
page 781
“Enterprise CAs can run only on Windows Server 2008R2 Enterprise edition or Windows Server 2008 R2
Datacenter edition.”
Errata:
“This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all
features.”
Note from the Author or Editor:
Yes indeed, you can use the Standard Edition to runan Enterprise CA with limited functionality. Our
recommendation would be to use this as a root CA only.
——————————-Reference:
http://technet.microsoft.com/en-us/library/cc725838.aspx
Version 3 certificate templates
In addition to version 2 template features and autoenrollment, version 3 certificate templates providesupport for
Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify
cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.
Template availability
Windows Server 2008 R2, all editions
Windows Server 2008, Enterprise and Datacenter editions
————————–http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada/
I am looking for some clarifaction on deploying a W indows Server 2008 R2 Standard CA and version 2 and
version 3 certificates. I currently have a Windows Server 2008 Standard CA.
Server 2008 Standard can only issue certificates based on V1 certificate templates.
Server 2008 R2 Standard is allowed to issue certificate based on V1, V2, and V3 certificate templates
Windows Server 2008 does not equal Windows Server 2008 R2
This ability was introduced with the Windows server2008 R2 sku
you will have one of two choices:
– Upgrade to Server 2008 Enterprise
– Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise
Brian Komar, thank you for the answer!
I have another question. In Training Kit (Exam 70-640) described: “Enterprice CAs can run only on
Windows Server 2008 R2 Enterprise edition or Datacenter edition”. Is it true? If yes, how we can issue
certificate based on V3 certificate templates on Windows Server 2008 R2 Standard?
The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server
2003) where the statement was correct
Brian
It looks like all of the references in the explanation indicate that 2008 R2 Standard supports V3 certificates. Since Standard edition supports both V3 certificate templates and supports installation of the enterprise CA role, I would say that the answer should be B.
0
0
Correct answer is B. Because all version of the windows server 2008 r2 supported V3 Templates.
http://technet.microsoft.com/en-us/library/cc725838.aspx
0
0
I agree. I think there`s a hint in “You must achieve this goal by using the minimum amount of administrative effort.” As there are two possible solutions and the one is way easier than the other.
0
0