Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. The system properties
of Server1 are shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.
Explanation:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can
then issue certificates to all users and computers in the enterprise. These types of CAs are
often used for load balancing of an enterprise root CA.
Enterprise CAs can be used to issue certificates to support such services as digital
signatures, Secure Multipurpose Internet Mail Extensions (S/MIME) secure mail, Secure
Sockets Layer (SSL) or Transport Layer Security (TLS) secured web access and smart card
authentication. Enterprise CAs are used to provide certificate services to internal users who
have user accounts in the domain.
Requiring Active Directory, an Enterprise subordinate CA obtains its certificate from an
already existing CA.
These types of CAs are used to provide smart-card-enabled logons by Windows XP and
other Windows Server 2003 machines.
After a root certification authority (CA) has been installed, many organizations will install one
or more subordinate CAs to implement policy restrictions on the public key infrastructure
(PKI) and to issue certificates to end clients. Using at least one subordinate CA can help
protect the root CA from unnecessary exposure. If a subordinate CA will be used to issue
certificates to users or computers with accounts in an Active Directory domain, installing the
subordinate CA as an enterprise CA allows you to use the client’s existing account data in
Active Directory Domain Services (AD DS) to issue and manage certificates and to publish
certificates to AD DS. Membership in local Administrators, or equivalent, is the minimum
required to complete this procedure. If this will be an enterprise CA, membership in Domain
Admins, or equivalent, is the minimum required to complete this procedure.
D. Join Server1 to the contoso.com domain.
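
An added example, not part of the original question or explanation: a PowerShell pre-flight check for the prerequisites the explanation names (domain membership, local Administrators, Domain Admins) that runs before installing an enterprise subordinate CA. The domain name comes from the question; the CA common name and request-file path are constructed placeholders.

```powershell
# Added example: verify prerequisites before installing an enterprise subordinate CA.
# Run from an elevated session on the candidate server (Server1 in the question).
$ExpectedDomain = 'contoso.com'              # from the question
$CaCommonName   = 'Contoso-SubCA-Example'    # placeholder (assumption)
$RequestFile    = 'C:\CAConfig\subca.req'    # placeholder (assumption)

function Test-EnterpriseCaPrereq {
    param([string]$Domain)

    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)

    New-Object psobject -Property @{
        # An enterprise CA requires AD DS, so a workgroup server fails here.
        DomainJoined = $cs.PartOfDomain -and ($cs.Domain -eq $Domain)
        # Minimum right to install the role on the local machine.
        LocalAdmin   = $principal.IsInRole(
                           [Security.Principal.WindowsBuiltInRole]::Administrator)
        # Domain Admins is the domain SID followed by the well-known RID 512.
        DomainAdmin  = [bool]($id.Groups |
                           Where-Object { $_.Value -match '^S-1-5-21-.*-512$' })
    }
}

$check = Test-EnterpriseCaPrereq -Domain $ExpectedDomain
$check | Format-List

if (-not $check.DomainJoined) {
    Write-Warning "Not a member of $ExpectedDomain. Join the domain first."
    # Add-Computer -DomainName $ExpectedDomain -Credential (Get-Credential) -Restart
    return
}
if (-not ($check.LocalAdmin -and $check.DomainAdmin)) {
    Write-Warning 'Current account lacks the group membership the procedure requires.'
    return
}

# Prerequisites met: add the role, then configure it as an enterprise subordinate CA.
# The request file is submitted to the parent CA to obtain the CA certificate.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCa `
    -CACommonName $CaCommonName -OutputCertRequestFile $RequestFile
```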