Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. The system properties
of Server1 are shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.
Explanation:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can
then issue certificates to all users and computers in the enterprise. These types of CAs are
often used for load balancing of an enterprise root CA.
Enterprise CAs can be used to issue certificates to support such services as digital
signatures, Secure Multipurpose Internet Mail Extensions (S/MIME) secure mail, Secure
Sockets Layer (SSL) or Transport Layer Security (TLS) secured web access and smart card
authentication. Enterprise CAs are used to provide certificate services to internal users who
have user accounts in the domain.
Requiring Active Directory, an Enterprise subordinate CA obtains its certificate from an
already existing CA.
These types of CAs are used to provide smart-card-enabled logons by Windows XP and
other Windows Server 2003 machines.
After a root certification authority (CA) has been installed, many organizations will install one
or more subordinate CAs to implement policy restrictions on the public key infrastructure
(PKI) and to issue certificates to end clients. Using at least one subordinate CA can help
protect the root CA from unnecessary exposure. If a subordinate CA will be used to issue
certificates to users or computers with accounts in an Active Directory domain, installing the
subordinate CA as an enterprise CA allows you to use the client’s existing account data in
Active Directory Domain Services (AD DS) to issue and manage certificates and to publish
certificates to AD DS. Membership in local Administrators, or equivalent, is the minimum
required to complete this procedure. If this will be an enterprise CA, membership in Domain
Admins, or equivalent, is the minimum required to complete this procedure.
Answer = D
http://technet.microsoft.com/en-us/library/cc772192.aspx
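The check that answer D implies, as an added PowerShell example that is not part of the original question or explanation: it confirms that the server is joined to contoso.com and that the current token holds Domain Admins before previewing the CA configuration. The function name Test-EnterpriseCAPrerequisite and the parent CA string are assumptions made for illustration.

```powershell
# Added example: pre-flight check before installing an enterprise subordinate CA.
# Run in an elevated session on the target server (Server1 in the question).
function Test-EnterpriseCAPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $ExpectedDomain   # e.g. contoso.com
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Domain Admins has the well-known RID 512 in every domain. Under UAC the
    # group is only usable (and listed here) in an elevated token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isDomainAdmin = [bool]($identity.Groups |
        Where-Object { $_.Value -match '^S-1-5-21-\d+-\d+-\d+-512$' })

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain   # holds the workgroup name when not joined
        DomainMatches = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)
        IsDomainAdmin = $isDomainAdmin
    }
}

$check = Test-EnterpriseCAPrerequisite -ExpectedDomain 'contoso.com'
$check | Format-List

if (-not $check.DomainMatches) {
    # Answer D: join the domain first. Prompts for domain credentials, then reboots.
    Write-Warning "$($check.ComputerName) is not a member of contoso.com; joining."
    Add-Computer -DomainName 'contoso.com' -Credential (Get-Credential) -Restart
}
elseif (-not $check.IsDomainAdmin) {
    # The explanation lists Domain Admins as the minimum for an enterprise CA.
    Write-Warning 'Current token does not hold Domain Admins; stop here.'
}
else {
    Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
    # -WhatIf previews the configuration without applying it; remove it to commit.
    # The ParentCA value is a placeholder in <host>\<CA name> form.
    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
        -ParentCA 'rootca.contoso.com\Contoso-Root-CA' -WhatIf
}
```

On a workgroup machine such as the one in the exhibit, PartOfDomain is False and the Domain property reports the workgroup name, so the script takes the first branch.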
Because it is enterprise, it must be part of the domain. If it was standalone, then workgroup is fine.
The answer is B
Fdmo why B?
If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory domain, installing the subordinate CA as an enterprise CA allows you to use the client’s existing account data in Active Directory Domain Services (AD DS) to issue and manage certificates and to publish certificates to AD DS.
Answer: D, bobsmith is right.
answer is D
What should you do first? Before you configure anything add it to the domain (it is going to be an enterprise CA)
what I don’t understand about this question is that it says
“The domain contains a server named Server1”
But then it shows that it is part of a workgroup
I know! Makes no sense at all. I still noticed that print screens in the exam do not have these kinds of mistakes, both text and picture match the information.
Correct Answer: D
Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member.
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority.
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise.
These types of CAs are often used for load balancing of an enterprise root CA.