What else should you do?

You are a network administrator for your company. The network contains Windows Server 2003 computers and Windows XP Professional client computers. All computers are members of the same Active Directory forest. The company uses a public key infrastructure (PKI) enabled application to manage marketing data. Certificates used with this application are managed by the application administrators.

You install Certificate Services to create an offline stand-alone root certification authority (CA) on one Windows Server 2003 computer. You configure a second Windows Server 2003 computer as a stand-alone subordinate CA. You instruct users in the marketing department to enroll for certificates by using the Web enrollment tool on the stand-alone subordinate CA.

Some users report that when they attempt to complete the enrollment process, they receive an error message on their certificate, as shown in the exhibit.

Other users in the marketing department do not report receiving the error. You need to ensure that users in the marketing department do not continue to receive this error message.

You also need to ensure that only users in the marketing department trust certificates issued by this CA. You create a new organizational unit (OU) named Marketing.

What else should you do?

Exhibit:

A. Place all marketing department computer objects in the Marketing OU. Create a new Group Policy object (GPO) and link it to the Marketing OU. In the Computer Configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA’s certificate.

B. Place all marketing department computer objects in the Marketing OU. Create a new Group Policy object (GPO) and link it to the Marketing OU. Publish the root CA’s root certificate in the Trusted Root Certification Authorities section of the GPO.

C. Place all marketing department user objects in the Marketing OU. Create a new Group Policy object (GPO) and link it to the Marketing OU. In the User Configuration section of the GPO, configure a certificate trust list (CTL) that contains the subordinate CA’s certificate.

D. Place all marketing department user objects in the Marketing OU. Create a new Group Policy object (GPO) and link it to the Marketing OU. In the User Configuration section of the GPO, configure a certificate trust list (CTL) that contains the root CA’s certificate.

Explanation:
We need to configure the Marketing department users to trust the root CA. We can do this using a Group Policy object (GPO). We should place the marketing department user objects in the Marketing OU and apply the GPO to the OU.
A certificate trust list (CTL) is a signed list of root certification authority certificates that an administrator considers reputable for designated purposes. For the client to trust the certificate, it needs to install a copy of the certificate as a trusted root certificate in its own certificate store.

Reference:

Dan Holme, Orin Thomas; MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296, Microsoft Press, Redmond, Washington, 2004, pp. G-10.


