You are an Active Directory administrator for Contoso, Ltd. You have a properly configured
certification authority (CA) in the contoso.com Active Directory Domain Services (AD DS) domain.
Contoso employees authenticate to the VPN by using a user certificate issued by the CA.
Contoso acquires a company named Litware, Inc., and establishes a forest trust between
contoso.com and litwareinc.com. No CA currently exists in the litwareinc.com AD DS domain. Litware
employees do not have user accounts in contoso.com and will continue to use their litwareinc.com
user accounts.
Litware employees must be able to access Contoso’s VPN and must authenticate by using a user
certificate that is issued by Contoso’s CA.
You need to configure cross-forest certificate enrollment for Litware users.
Which two actions should you perform? Each correct answer presents part of the solution.
A.
Grant the litwareinc.com AD DS Domain Computers group permissions to enroll for the VPN
template on the Contoso CA.
B.
Copy the VPN certificate template from contoso.com to litwareinc.com.
C.
Add Contoso’s root CA certificate as a trusted root certificate to the Trusted Root Certification
Authority in litware.com.
D.
Configure clients in litwareinc.com to use a Certificate Policy server URI that contains the location
of Contoso’s CA.
(A) can not be a correct answer. It grants Computers access to certificates when the users should be given access.
I believe answers are C & D
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx#Forest_Consolidation
I agree with OSA
8. Publish the root CA certificate from the resource forest to the account forests
https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dd851419.aspx
C & D were my first answers when I read the question. I agree with OSA.
C cannot be correct because Litware does not have a CA.
How are you supposed to add the Contoso Root cert to the Litware root CA server then ???!!
You would need to deploy a root CA for Litware first which is not part of the answers.
From : https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx
Domain member computers and users in account forests must have Allow authenticate permissions to the enterprise CAs in the resource forest.
I think AD
I believe the answer C might not be correctly formatted ; Trusted Root Certification
Authority should be Trusted Root Certification Authority STORE. This is the local store of certificates and not the CA server role. The Contoso CA Root certificate can be stored e.g. on a webserver in the Litware forest.
You can use Certificate Enrollment Web Services to deploy certificates accross forest without having a CA in the trusted user domain.
CD could then be correct.
The article below also mentions that not only the user but also the computer account needs permissions in case a computer certificate is used. But, a USER certificate is used in this case.
Check Permissions
Permissions required to obtain policy from the policy web service:
Authenticating user must have read and enroll on a template in order for that template to be retrieved as part of the policy.
For machine certificates, in addition to the authenticating user having read and enroll on the template, the machine must have read and enroll as well. If the requesting machine does not have enroll, the user performing the enrollment or renewal will be able to see the policy but will fail upon the enrollment or renewal request.
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx