1.
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA) named CA1. You duplicate the Computer certificate template, and you name the template Cont_Computers. You need to ensure that all of the certificates issued based on Cont_Computers have a key size of 4,096 bits. What should you do?
2.
You have an enterprise certification authority (CA). You create a global security group named Group1. You need to provide members of Group1 with the ability to issue and manage certificates. The solution must prevent the Group1 members from managing certificates requested by members of the Domain Admins group. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
3.
Your network contains an Active Directory forest named contoso.com. The forest contains an enterprise root certification authority (CA) on a server that runs Windows Server 2016. You plan to create and issue a custom subordinate CA template. You need to prevent subordinate CAs from issuing subordinate certificates. What should you configure in the template?
4.
Your network contains an Active Directory domain named contoso.com. The domain has an enterprise certification authority (CA). You duplicate the Basic EFS template, and you name the template Template1. You configure the CA to issue Template1. Users are configured to obtain a new certificate automatically when they sign in to a computer in the domain. You need to enable the users to automatically obtain a certificate based on Template1. What should you modify?
5.
You have an offline root certification authority (CA) named CA1. CA1 is hosted on a virtual machine. You only turn on CA1 when the CA must be patched or you must generate a key for subordinate CAs. You start CA1, and you discover that the filesystem is corrupted. You resolve the filesystem corruption and discover that you must reload the CA root from a backup. When you attempt to run the Restore-CARoleService cmdlet, you receive the following error message: "The process cannot access the file because it is being used by another process." You need to ensure that you can restore the CA. What should you do first?
6.
Your network contains an Active Directory domain named contoso.com. You deploy a standalone root certification authority (CA) named CA1. You need to autoenroll domain computers for certificates by using a custom certificate template. What should you do first?
7.
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise root certification authority (CA) on a server that runs Windows Server 2016. You need to configure the CA to support Online Certificate Status Protocol (OCSP) responders. Which two actions should you perform? Each correct selection presents part of the solution. NOTE: Each correct selection is worth one point.
8.
You have a standalone root certification authority (CA). You have a new security policy requirement specifying that any changes to the CA configuration must be logged. You need to ensure that the CA meets the new security requirement. Which two actions should you perform? Each correct answer presents part of the solution.
9.
Your network contains an Active Directory domain named contoso.com. The domain contains servers that run Windows Server 2016. The servers are configured as shown in the following table: You have a research department. The computers in the research department are not domain-joined. You need to ensure that the research department computers can use automatic certificate enrollment to receive and renew certificates from the CA. Which two role services should you install and configure on CA1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
10.
You have a certification authority (CA) named CA1. You create a certificate template named Template1 that has the following configurations:
Minimum key size: 2048
Cryptographic provider: Microsoft Strong Cryptographic Provider
Compatibility Settings - Certification Authority: Windows Server 2012 R2
Compatibility Settings - Certificate recipient: Windows 8.1 / Windows Server 2012 R2
You plan to configure Template1 to require that computers requesting certificates based on Template1 must have a TPM-protected private key. You need to modify Template1 to ensure that you can configure the Key Attestation settings. What should you change?