Exam 70-742 topic 1 question 222 discussion

Actual exam question from Microsoft's 70-742
Question #: 222
Topic #: 1

Your network contains an Active Directory forest named contoso.com. The forest contains several domains.
An administrator named Admin01 installs Windows Server 2016 on a server named Server1 and then joins Server1 to the contoso.com domain.
Admin01 plans to configure Server1 as an enterprise root certification authority (CA).
You need to ensure that Admin01 can configure Server1 as an enterprise CA. The solution must use the principle of least privilege.
To which group should you add Admin01?

  • A. Server Operators in the contoso.com domain
  • B. Cert Publishers on Server1
  • C. Enterprise Key Admins in the contoso.com domain
  • D. Enterprise Admins in the contoso.com domain.
Suggested Answer: D
To install Active Directory Certificate Services, log on as a member of both the Enterprise Admins group and the root domain's Domain Admins group.
References:
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

Comments

coleman
Highly Voted 5 years, 6 months ago
Right, answer D is correct. https://technet.microsoft.com/en-us/library/dn722303.aspx By default, to install a root or subordinate certification authority (CA), you must be a member of the Enterprise Admins group, or Domain Admins for the root domain (which is also usually a member of the Enterprise Admins group of the forest). This is already the least privilege to deploy an Enterprise CA. Since the deployment process of an Enterprise CA writes extensive information to the AD forest, it is normal that the deployment process requires Enterprise Admins group membership to obtain the necessary permissions for writing to areas (CN=Configuration partition) of the following AD forest. During the deployment process, the Enterprise CA writes information into the forest CN=Configuration partition, into the CN=Public Key Services branch container. For the "CN=Public Key Services" container, only "Enterprise Admins" has Full Control permission in its "Security" setting; therefore, you have to add "Admin01" to the "Enterprise Admins" group to deploy an Enterprise CA.
upvoted 11 times
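An added example, not part of the comment above or of Microsoft's documentation: a PowerShell audit that lists which principals hold write-level rights on the CN=Public Key Services container the comment describes, and who is currently in Enterprise Admins. It assumes the ActiveDirectory (RSAT) module and a domain-joined session with read access to the Configuration partition; the set of rights treated as "write-level" is this example's own choice.

```powershell
# Added example: audit write access to the forest's Public Key Services container.
Import-Module ActiveDirectory   # also creates the AD: PowerShell drive

# Build the container DN from the forest's configuration naming context,
# e.g. CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

# Individual rights that allow creating or changing PKI objects or their ACLs.
# Composite values (GenericAll, GenericWrite) are deliberately left out of the
# mask: they share bits with read-only rights and would cause false matches.
# An ACE granting GenericAll still matches because it contains all of these bits.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner'

$acl = Get-Acl -Path "AD:\$pkiDN"
"Owner of ${pkiDN}: $($acl.Owner)"

# Allow ACEs that carry at least one write-level right.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeMask) -ne 0
    } |
    Sort-Object IdentityReference |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize -Wrap

# Enterprise Admins lives in the forest root domain; list its effective members
# so that an account added only for the CA installation is not left behind.
$rootDomain = (Get-ADForest).RootDomain
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize
```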
Nhan
Highly Voted 5 years, 3 months ago
Don't just be fooled by the stupid term "least privilege". Just answer the question with confidence and you will be rewarded :)
upvoted 10 times
STFN2019
4 years, 8 months ago
Yes, they make it trickier instead of straight to the point.
upvoted 3 times
[Removed]
4 years, 7 months ago
To be fair, most often in these types of questions they also add in domain admin even when a local admin account or servicedesk type account would do fine. A domain admin account is almost never the answer!
upvoted 2 times