Exam 70-742 topic 1 question 205 discussion

Correct Order of Actions is : 1) - From the Certificate Templates console, modify the security of a certificate template. 2) - From the Certification Authority console, add a certificate template to issue. 3) - From the Certificates console, request a certificate. 4) - From the Certification Authority console, add a Key Recovery Agent certificate.

the given answer is right. Because admin1 is in Domain Admins group, and the Domain Admins group is enabled in "security settings" of the "Certificate template"

Correct answer : 1) From the Certification Authority console, add a certificate template to issue. 2) From the Certification Authority console, add a Key Recovery Agent certificate. 3) From the Certificates Console, request a certificate. 4) From the Certification Authority console, issue a pending request. You do not need the modify the security because Admin1 is in 'Domain Admins'. Domain Admins already have the correct permissions.

I tested this lab. The right answer is: 1) From the Certification Authority console, add a certificate template to issue. 2) From the Certification Authority console, add a Key Recovery Agent certificate. 3) From the Certificates Console, request a certificate. 4) From the Certification Authority console, issue a pending request. My video of the case: https://drive.google.com/drive/folders/1NcYivqP_KBsltPpOcIY_kiN--8t38--r?usp=sharing Explanation: Here: https://drive.google.com/file/d/1w9-xnuix5bRmofaUL9il4Co_yD6glsLR/view?usp=sharing

The given answer is correct "A user named Admin1 is a member of the Domain Admins group. The solution must use Admin1 as a key recovery agent." When you enter security of a templete Domain Admins already have r/w and enroll rights so you dont need to change anything at security. You don`t need to add Admin1 directly, he`ll inherit this setting from Domain Admins group.

whats the correct answer for this one?

I am for another approach: The security of certificate doesn't need to change since Admin1 is member of Domain Admins. so in my opinion the correct order is : 1)From the Certification Authority console, add a certificate template to issue. (add recovery agent to issue) 2)From the Certificates console, request a certificate (request cert from Admin1) 3)From the Certifactes console, issue a pending request. ( issue the admin cert) 4) From the Certification Authority console, add a Key Recovery Agent certificate.

As per pluralsight course, the correct order should be 1) From the Certification Authority console, add a Key Recovery Agent certificate. This certificate is not available in certificate templates so you'll have to add it there. (best practice is to duplicate but the option is missing) 2) From the Certificate Templates console, modify the security of a certificate template 3) From the Certification Authority console, add a certificate template to issue 4) From the Certificates console, request a certificate

The given Answer seems correct "You need to ensure that you can archive keys on the CA" Keyword is "can" ... you don't need to do it now. so you need a Key-Recovery agent certificate ... before you cann issue it you need to enable the template ... step 1 asumes that you don't do any changes ... than you need to request ist ... issue the certificate on the ca ... finaly enable the Key recovery agent on CA Level

It even has the option "From the certificate templates console, modify the security of a certificate template" listed there