CORRECTED (Previously B)
Your network contains an Active Directory domain named contoso.com. The
domain contains a server named Server1 that runs Windows Server 2012 R2. The system properties of
Server1 are shown in the exhibit.
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
A. Add RAM to the server.
B. Set the Startup Type of the Certificate Propagation service to Automatic.
C. Install the Certification Authority Web Enrollment role service.
D. Join Server1 to the contoso.com domain.
Explanation:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI.
Enterprise subordinate certification authority
An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue
certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing
of an enterprise root CA.
Enterprise CAs can be used to issue certificates to support such services as digital signatures, Secure
Multipurpose Internet Mail Extensions (S/MIME) secure mail, Secure Sockets Layer (SSL) or Transport Layer
Security (TLS) secured web access and smart card authentication. Enterprise CAs are used to provide
certificate services to internal users who have user accounts in the domain.
Requiring Active Directory, an Enterprise subordinate CA obtains its certificate from an already existing CA.
These types of CAs are used to provide smart-card-enabled logons by Windows XP and other Windows
Server 2003 machines.
After a root certification authority (CA) has been installed, many organizations will install one or more
subordinate CAs to implement policy restrictions on the public key infrastructure (PKI) and to issue certificates
to end clients. Using at least one subordinate CA can help protect the root CA from unnecessary exposure.
If a subordinate CA will be used to issue certificates to users or computers with accounts in an Active Directory
domain, installing the subordinate CA as an enterprise CA allows you to use the client’s existing account data
in Active Directory Domain Services (AD DS) to issue and manage certificates and to publish certificates to AD
DS.
Membership in local Administrators, or equivalent, is the minimum required to complete this procedure. If this
will be an enterprise CA, membership in Domain Admins, or equivalent, is the minimum required to
complete this procedure.
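The prerequisites described above (Active Directory membership for the server, local Administrators and Domain Admins membership for the installer) can be checked before the role is installed. The following PowerShell is an added example, not part of the original question or explanation; the CA common name and request file path are hypothetical placeholders, and the final command uses -WhatIf so nothing is configured.

```powershell
# Added example: pre-flight checks for an enterprise subordinate CA install.
# Run in an elevated PowerShell session on the server that will host the CA.

# 1. An enterprise CA requires AD DS, so the server must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is in workgroup '$($cs.Workgroup)'; an enterprise CA needs a domain-joined server."
}
Write-Output "$($cs.Name) is a member of domain $($cs.Domain)."

# 2. The installer must hold local Administrators rights (elevated token).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$localAdmin = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($localAdmin)) {
    throw "$($identity.Name) is not running with local Administrators rights."
}

# 3. For an enterprise CA the page lists Domain Admins (or equivalent).
#    Build the Domain Admins SID from the account's domain SID and test the token.
$domainSid = $identity.User.AccountDomainSid
if ($null -eq $domainSid) {
    Write-Warning "$($identity.Name) has no account domain SID; log on with a domain account."
} else {
    $daType = [Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
    $daSid  = New-Object Security.Principal.SecurityIdentifier($daType, $domainSid)
    if (-not $principal.IsInRole($daSid)) {
        Write-Warning "$($identity.Name) is not in Domain Admins; equivalent rights are required."
    }
}

# 4. Install the role binaries, then preview the subordinate CA configuration.
#    A subordinate CA gets its certificate from an existing CA, so setup writes
#    a request file for the parent CA to sign.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

$caParams = @{
    CAType                = 'EnterpriseSubordinateCa'
    CACommonName          = 'Contoso-Sub-CA'       # hypothetical name
    OutputCertRequestFile = 'C:\Contoso-Sub-CA.req' # hypothetical path
}
Install-AdcsCertificationAuthority @caParams -WhatIf
```

If the first check fails, the enterprise CA types cannot be configured on that server until it has been joined to the domain.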