Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)

A. From Certificate Templates, modify the certificate template.
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template.
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.

Explanation:
First modify the certificate template in Certificate Templates, then add it in Certification
Authority.




Ricardo

No Sam. Check it out: http://technet.microsoft.com/en-us/library/cc771937.aspx

“Applies To: Windows Server 2008 R2
Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.
To add a certificate template to a CA
Open the Certification Authority snap-in, and double-click the name of the CA.
Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
Select the certificate template, and click OK.”

Ricardo

Sorry Sam, you are right, forget my post.

digg3

Does anyone else have some feedback on this one?

Ashfaq Ahamed

I think the answer should be “B” and “D”.
D – The question says the certificates are automatically issued to the members, so you have to duplicate the certificate to enable the Auto Enrol option.

B – Then it has to be issued to get the certificate.

Karl

I would agree with Sam A and D. I have been taught that you should not modify the default certificate templates and duplicate as a best practice.

The section on “Creating a Custom Certificate Template” shows steps to create and states…

…”New certificate templates are created by copying an existing template and using the existing template’s properties as the default for the new template. Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.”

This is step 2 in the creation process. Step 4 is to make desired changes.

Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx

mostly

premium file A and B

Muhammed

I have a prem file and I just failed today..
The prem file has wrong answers..

Thurston Howell

Muhammed – I’ve been reviewing the premium file and also noticed it has a LOT of incorrect answers.

BitterSysAdmin

HOLY FUCKING SHIT, WHAT A GOD DAMN SURPRISE!

alex

NEVER take what those dump files say for granted. Always double check and do some reading; it saved my ass on the 70-411 exam, which I passed with a 960 due to me checking all the questions and finding all the wrong answers in the premium file. Other guys in my course had to retake it just to pass with a 700 because they relied solely on the files.

Not Failed

The question asks to issue the certificate automatically. Only when the certificate is duplicated do you have the possibility to autoenroll the certificate. So the first step is D.
Then you must activate autoenroll. So the certificate must be modified. That's the second step. Answer A.
So I agree with Sam and Karl.

U

New premium from examcollection is A+D. (27/12/14)
A. From Certificate Templates, modify the certificate template.
D. From Certificate Templates, duplicate a certificate template.

Liron

As Premium exam version 30:

A. From Certificate Templates, modify the certificate template.
B. From Certification Authority, add a certificate template to be issued.
C. From Certificate Authority, modify the CA properties.
D. From Certificate Templates, duplicate a certificate template.
E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Correct Answer: AD

Nuvin

https://technet.microsoft.com/en-gb/library/cc753370.aspx

The only way of creating a new certificate is by duplicating an existing certificate so I guess the answer is A and D

norton

I agree with D and A

bgjbrok

Uuhh, you are missing the point of certificates.
Certificates are no longer valid when they are copied (just like your MS certificate).
It is the template (who can get a certificate, for what purpose, and do they meet the requirements) that is copied.
It is like the real world, just (black)boxed.

Billy

I think there is some confusion on this question. It states the users in the group must be able to REQUEST the certificate, and that the cert is automatically issued. This implies Read and Enroll permission is necessary on the certificate, since they will request the certificate themselves, and with ‘Enroll’ permission, the CA will automatically issue them the certificate.
The question does not simply state that the certificate must be automatically issued to every user in the group, which is what the ‘Autoenroll’ permission would do.

With that, you would go into CA > Cert Templates > right-click and select Manage to get the Templates window. Right-click Code Signing certificate and select Properties. Go to Security, add Group1 to the list and specify the Read and Enroll permissions. Save that.

Once that is done, you go back to the CA window, right-click Cert Templates > New > Cert Template to be Issued and select the Code Signing certificate.

Sorry for the poor formatting.

Anat

It must be D because on the built-in template you don’t have “auto enroll” permission, only after duplication the “auto enroll” appears.

Shakir

answer is A and D.

evoken

so they must be able to request the certificate and when they do request it, it installs automatically?

evoken

Even so, Karl's point makes it A / D anyway?

Stu

One thing that bothers me with this question is the fact that Code Signing certificates -even when duplicating and then modifying it – needs to be issued for it to be able to show/be enabled with the other Certificate templates (you only find the code signing certificate when right-clicking and selecting Manage, unless it has already been issued/enabled). Here you find all the templates available for your dc where you can duplicate/modify or just modify (but like others say best policy is to duplicate especially if you are going to have several. I wonder in this case if we are going to ignore that part) and after you are done modifying you have to issue it with these steps: Certification Authority > right-click Certification templates > select: New > Certificate template to issue. The steps that enables it.

So modify and issue, seems to be right. Then again duplicate template and modify could be partly right too. I wish there was three options here. But as it states: Each answer presents a part of the solution. And with only duplicating and modifying I don’t see how the members will be able to request the certificate if it isn’t issued (read: enabled).

Joe

B is surely right for definite, you have to issue a new template for people to be able to request a new certificate.
Then either A or D, depends whether it is enrol permissions or autoenrol permissions they need. If they need autoenrol you have to duplicate the template, but enrol permissions can be assigned to the existing template

Joe

Looking again I think it is A and B. It doesn’t sound like users need to autoenrol, as it says they need to be able to request certificates, so enrol would be enough.

David S

It’s A & D.

David S

Sorry. It’s B & D.

joe

Now I think B and D, as Microsoft recommend to always duplicate a template rather than directly editing it.
And you have to add it as a new template to issue or nobody will be able to request it.

Akoachi

There might be no need to duplicate it, because it is not explicitly stated that we need auto-enrollment. If it said “enrolled automatically” I would consider it.

“You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.”
What it means (in my opinion) is that when a member from Group1 requests the certificate, it must be issued immediately, meaning without need for admin approval.
So considering that, we need only to change the template permissions (A) and add to issue (B).

qwe

It seems to me that you guys never did this before. When you duplicate a template, you automatically get to the “modify template” window. So: duplicate = duplicate + modify
Can you get the rest of the math by yourselves, or do I need to spell it out? 🙂

Lynn

You mean it should be B and D? We can duplicate, modify and get it issued, these 3 steps completed in 2 options? Good point. But I don’t think the question wants us to think in this way.

PK

Forget this last post, wasn’t me. In my opinion it stays A and D.

Pavan Kumar

The correct Answer is A & B. The code signing certificate is not available for issuing in the default installation of CA.

Therefore, to enable the users to enroll this certificate, you first need to modify the built in template “code signing” add the security group of the users and grant it read and enroll permissions.

Next, “From Certification Authority, add a certificate template to be issued” and select “Code Signing” Certificate.

Hope this clears the confusion here..

KungFury

Always, always duplicate. D is a must
We have to modify. A is a must
B would be the next step after those two

Alexandre Ferreira

Correct Answer: AD
The correct answers should be A and D: First duplicate it, then modify it
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx
The section on “Creating a Custom Certificate Template” shows steps to create and states…
…”New certificate templates are created by copying an existing template and using the existing template’s properties as the default for the new template. Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.”
This is step 2 in the creation process. Step 4 is to make desired changes.
Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx

MancaMulas

The question says: “The certificates must be issued automatically to the members.” In my opinion this means you need to enable auto enroll on the template, and you can only do that by duplicating the template. You can then modify the template after you have duplicated it, by enabling the auto enroll option on the security tab.

Since the question asks for 2 steps, I would say B and D are the correct answers in this case.

B is absolutely needed for users to request the certificate and D for the reason I gave above.

If the question asked for 3 steps, then I would also include A.

james

Agreed with MancaMulas. “Modify” is already included when you duplicate it, so the next step would be to add a certificate template to be issued.

james

It's B and D

Martin

You can only autoenroll a certificate that has been duplicated. And to activate the autoenroll you must modify the certificate template.

BitterSysAdmin

^ This guy fucks

sahing

The premium exam has corrected the answer; for premium it is A & D.

But for the ROD_196Q exam file (which has corrected so many questions) it is still A & B.

I'm completely confused! Has anyone tried it in a lab?

sahing

I just tried it in my farm. Actually there is just one thing that is confusing people.

The actual meaning of the words “Duplicate” and “Modify”.

I think we all agree that answer D is part of the solution. So while we agree, if we duplicate the cert template we are not modifying anymore, we are creating a new one from a template. And what we are doing after duplicating it is not modifying, that is just editing after duplicating.

IF we edit a certificate which already exists, then we can say we “modify” it.

I think that duplicating the template also includes modifying it. Then the question says it should be “issued automatically”, so we have to approve our template to be issued.

Add the new template to the CA. Right click Certificate Templates > New > certificate template to issue > choose the template you just created

Duplicating this template does not mean that your certificate is ready to use! Without putting it in the issued certificates, it’s just a template..

I will go with A&B (duplicate and issue)

Jeff

Answer is A and B

Make the code signing certificate template available on the enterprise CA server
In Administrative Tools, click Certification Authority.
In the console tree, expand CAName (where CAName is the name of your enterprise CA).
In the console tree, select the Certificate Templates container.
Right-click Certificate Templates, and then click New, Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the certificate template or templates that you want the CA to issue, and then click OK.
The newly selected certificate template or templates will appear in the details pane.
Request the code signing certificate
Click Start, click Run, type certmgr.msc, and then click OK.
In MMC, expand Certificates – Current User, and then expand Personal.
In the right pane, right-click and point to All tasks, and then click Request New Certificate.
On the Certificate Request Wizard, click Next until you reach the Certificate Template List
On the Certificate Template page, select the certificate template that you want the new certificate to be based on. In this scenario, select the Code signing template. Click Next.
Click Next/Enroll to send the certificate request to the CA and enroll the certificate
You should see a dialog box stating The certificate request was successful.
Sign the application
Configure the signing certificate as a trusted publisher in AD
Follow the steps outlined in this guide http://technet.microsoft.com/en-us/library/cc733026.aspx

https://social.technet.microsoft.com/Forums/windowsserver/en-US/3dd3472a-dac0-4016-980c-9c16a06dcc33/issue-certificate-from-ca-server?forum=winserversecurity (very helpful)
https://blogs.msdn.microsoft.com/emeamsgdev/2014/06/10/how-to-create-and-use-a-code-signing-certificate-for-clickonce-vsto-applications-using-active-directory-certificate-services/
https://technet.microsoft.com/en-us/library/cc770794%28=ws.10%29.aspx
https://technet.microsoft.com/en-gb/library/cc753370.aspx

Jeff

Shit! sorry! It’s NOT A and D!

The answer is B and D!

I ran this in my lab.

I created 5 users. 3 for group1 and 2 separate users
Created a test PC1

On the AD CS server, run certmgr.msc and right click certificate templates and click manage. Find code signing and right click it and click properties and go to security tab. THERE IS NO Auto enroll option. ONLY enroll option.

Auto enroll was only available when I duplicated the template

Now, right click Code Signing and click duplicate template. Under the security tab add the group1. click Auto enroll option. click apply and click ok.

close the certificate templates console. Right click Certificate templates, click new and click certificate template to issue. Choose code signing.

Logged on to PC1 (test PC) as 1 of the users not in group1
ran certmgr.msc. Go to personal folder and right click personal folder, select all tasks and request new certificate. The copy of code signing was not listed. I clicked show all templates and the copy of code signing was listed, but grayed out and shows “unavailable”.

I logged off user and logged on with user in group1. I repeated the steps above and the copy of code signing cert was now available.

Conclusion:
first you must duplicate a certificate template
then you must add a certificate template to be issued and select the new copy

technically, we are modifying the certificate, but not the certificate template as option “A” suggest.

Note to self…
I am SO…. glad I did a test lab on this. Had I relied on my above findings, I would have gotten this answer wrong. SO NOW…. I must go back and double check all my answers. There goes my night. No playing canasta for me tonight!

****DO NOT RELY ON THE DUMP ANSWERS!!! THIS ONE SAYS A AND B AND “A” IS INCORRECT AS YOU CAN SEE.****
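
A read-only way to check the outcome of a lab run like the one above, as an added example that is not part of any commenter's post: it reports whether a template is published on the CA, which enrollment rights Group1 holds on it, and whether requests wait for CA manager approval. The template name `CopyOfCodeSigning` is a hypothetical placeholder, and the script assumes it runs on the CA server with the ActiveDirectory and ADCSAdministration modules installed.

```powershell
# Added example: read-only audit of a code signing template on an enterprise CA.
# Assumptions: run on the CA server with the ActiveDirectory (RSAT) and
# ADCSAdministration modules; 'CopyOfCodeSigning' is a hypothetical template name.
Import-Module ActiveDirectory, ADCSAdministration

$TemplateCN = 'CopyOfCodeSigning'   # hypothetical CN of the duplicated template
$Group      = 'CONTOSO\Group1'      # group named in the question

# Extended-right GUIDs behind the Security tab check boxes on a template.
$Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Enroll
$AutoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Autoenroll
$PendAll    = 0x2   # msPKI-Enrollment-Flag bit: CA certificate manager approval

# Templates are stored in the configuration partition of the forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Enrollment-Flag', 'msPKI-Template-Schema-Version'

# Allow ACEs granted directly to the group that carry extended rights.
# An empty ObjectType GUID means "all extended rights", which covers both.
# Rights inherited through nested groups or GenericAll are not evaluated here.
$aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
$granted = @($aces | ForEach-Object { $_.ObjectType })

# Get-CATemplate lists the templates this CA is configured to issue.
$published = @(Get-CATemplate | Where-Object { $_.Name -eq $TemplateCN }).Count -gt 0

[pscustomobject]@{
    Template        = $TemplateCN
    SchemaVersion   = $tpl.'msPKI-Template-Schema-Version'
    GroupCanEnroll  = ($granted -contains $Enroll)     -or ($granted -contains [guid]::Empty)
    GroupAutoEnroll = ($granted -contains $AutoEnroll) -or ($granted -contains [guid]::Empty)
    PublishedOnCA   = $published
    ManagerApproval = [bool]($tpl.'msPKI-Enrollment-Flag' -band $PendAll)
}
```

`GroupCanEnroll` together with `PublishedOnCA` and no `ManagerApproval` corresponds to members requesting a certificate and receiving it without an approval step. `GroupAutoEnroll` only takes effect on clients where the autoenrollment Group Policy setting is also enabled.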

sahing

There are multiple types of this question. For this version my answer is also (B & D). In my comment above I wrote that (duplicate & issue)

luciano

I have a question. In the premium, it states that the answer is A & D, which BTW, are correct. In order to achieve what’s stated, it is necessary to first duplicate the template, and then modify it. But without issuing the modified template, it becomes innocuous, since no certificate will be available.

So, the solution suggested is correct, A & D, but it is incomplete, and it won’t work. And choosing B & D will also be incomplete, because the duplicated template, by default, won’t have the auto-enroll. And thus, I really don’t know which incomplete solution I'm supposed to choose.

For this scenario, I guess that A & D is the least wrong.

toni

You cannot modify a template without duplicating it. So, D is a necessary step. When you duplicate a template, you can modify it directly. It is not necessary to save it and then open it again to make modifications. So, we can understand that A is included in D. I mean, when you duplicate the template you already modify it. And, of course, if you want to “ensure that the members of a group named Group1 can request code signing certificates”, you must add a certificate template to be issued. So B is also a necessary step.
So, I think it is very clear, the answer can only be D and B.
It is only my opinion!

toni

Think that the only change you have to make is to modify the autoenroll permission. You can do it just when you duplicate the template.