
Open Active Directory Sites and Services

DSQUERY Reference 1:

1. Open Active Directory Sites and Services

2. In the console tree, expand Sites and the site in which the server object resides.

3. Expand Servers to display the domain controllers that are currently configured for that site.

4. Right-click the server object that you want to move, and then click Move.

5. In Site Name, click the destination site, and then click OK.

6. Expand the site object to which you moved the server, and then expand the Servers container.

7. Verify that an object for the server that you moved exists.

8. Expand the server object, and verify that an NTDS Settings object exists.
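The same move and the verification in steps 6-8 can be scripted, which is useful when several domain controllers change sites at once. The following PowerShell is an added example, not code from the original page or from Microsoft's documentation. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later), that the caller is a member of Enterprise Admins, and that the DC name and site name are placeholders for your environment.

```powershell
# Added example (not from the original page): move a domain controller to another site
# with the ActiveDirectory module, then verify the result the way steps 6-8 above do
# (server object present under the new site, NTDS Settings object present beneath it).
# Assumptions: RSAT ActiveDirectory module installed, caller is a member of Enterprise
# Admins, and the DC name and site name below are placeholders for this environment.
Import-Module ActiveDirectory

$dcName          = 'DC02'          # placeholder: the server object to move
$destinationSite = 'Branch-Site'   # placeholder: the destination site

# Get-ADReplicationSite throws if the site does not exist, so a typo aborts here
# instead of leaving the server object in an unexpected place.
$site = Get-ADReplicationSite -Identity $destinationSite

# A site with no subnets attached cannot be matched by the DC locator, so clients in
# that location would keep authenticating against DCs elsewhere. Warn, do not abort.
$subnets = Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -eq $site.DistinguishedName }
if (-not $subnets) {
    Write-Warning "Site $destinationSite has no subnets; clients will not be directed to its DCs."
}

$dc = Get-ADDomainController -Identity $dcName
if ($dc.Site -eq $destinationSite) {
    Write-Host "$dcName already resides in $destinationSite; nothing to move."
} else {
    Write-Host "Moving $dcName from site $($dc.Site) to $destinationSite"
    Move-ADDirectoryServer -Identity $dcName -Site $destinationSite
}

# Verification (steps 6-8): re-read the DC and confirm both objects exist under the new site.
$moved = Get-ADDomainController -Identity $dcName
if ($moved.Site -ne $destinationSite) {
    throw "Server object for $dcName is not under site $destinationSite."
}
$serverObject = Get-ADObject -Identity $moved.ServerObjectDN
$ntdsSettings = Get-ADObject -Identity $moved.NTDSSettingsObjectDN
"Server object:        $($serverObject.DistinguishedName)"
"NTDS Settings object: $($ntdsSettings.DistinguishedName)"
```

The subnet check is the part practitioners most often skip: the move itself succeeds without subnets, but until subnets are associated with the destination site the DC locator cannot use the new placement, which defeats the authentication-locality benefit described in the second reference.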

Reference2:

http://technet.microsoft.com/en-us/library/cc754697.aspx

Using sites

Sites help facilitate several activities, including:

(...)

Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.

QUESTION 21

Your network contains an Active Directory domain named contoso.com.

Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.

What should you do first?

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.

B. Log in as an administrator and run Server Manager.

C. Import the root CA certificate.

D. Join Server2 to the domain.

Correct Answer: D Section: (none) Explanation

Explanation/Reference:

In doubt about this one, whether to go for A ("Upgrade Server2 to Windows Server 2008 R2 Enterprise"), or D ("Join Server2 to the domain"). Left it at D ("Join Server2 to the domain"), because that's undoubtedly a necessary step we have to take here.

See below for my (messy) thoughts.

Reference:

http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada

[Someone asked this question to Brian Komar:]

<begin quote>

buffaloyoung

Okay, so on this same note, I'm looking at a practice test type question for the 70-640 exam that shows the server running Windows Server 2008 R2 standard, and mentions that when you set up the Enterprise Sub Certificate Authority, the Enterprise Sub CA option is not available. The multiple choice solutions are:

a. upgrade to enterprise;

b. run server manager as an admin;

c. import the root CA;

d. Join the server to the domain.

I had thought it was "A" because of the enterprise 2008 issue, but if this is changed in standard R2 ... looking at the fact that the info shows the Workgroup to be "WORKGROUP," I am inclined to answer D. Is this right? Or should it still be A?

Brian:

This forum is for helping people with real world PKI and security issues. It is not a study board <G>

That being said, D would be my answer. Based on some of the other things I have heard about the exam, that may not be the answer they are looking for ;-)

Brian

<end quote>

"that may not be the answer they are looking for", what does Brian mean by that? Was he deliberately trying to confuse buffaloyoung, or was he hinting at Microsoft advising to use Windows Server 2008 R2 Standard for root CA only? I'm talking about this, from the 70-640 Training Kit errata page:

Page 781, 1st paragraph

<begin quote>

The book states: Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition. This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features.

Note from the Author or Editor:

Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only.

<end quote>

If that were the case, then an upgrade to Windows Server 2008 R2 Enterprise might be what Microsoft wants to hear from us, being answer A, since the question is about an enterprise subordinate CA.

QUESTION 22

Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console

B. Active Directory Users and Computers

C. the Certificates snap-in

D. Active Directory Sites and Services

Correct Answer: D Section: (none) Explanation

Explanation/Reference:

We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups.

The first reference lists what needs to be done, the second reference explains how to do it.

Reference 1:

http://technet.microsoft.com/en-us/library/cc725621.aspx

Delegating Template Management

You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to.

There are three levels of delegation for certificate template administration:

- Modify existing templates

- Create new templates (by duplicating existing templates)

- Full delegation (including modifying all existing templates and creating new ones)

Create New Templates

To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS.

To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member:

Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.

Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates.

Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
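The three permission assignments above (and the universal-group delegation described in Reference 2) can be applied and, more importantly, audited from PowerShell instead of clicking through Active Directory Sites and Services. The script below is an added example, not code from the original page, the TechNet article or the Microsoft Press book. It assumes the RSAT ActiveDirectory module, that the caller is a member of Enterprise Admins (or the forest root Domain Admins), and that Admin1, the group named in Question 22, already exists as a global or universal group.

```powershell
# Added example (not from the original page or its references): grant a group the
# three permissions listed above for creating certificate templates, then list every
# principal that holds template-creation rights so the delegation can be reviewed.
# Assumptions: RSAT ActiveDirectory module installed, caller is a member of Enterprise
# Admins, and 'Admin1' (the group from Question 22) exists as a global or universal group.
Import-Module ActiveDirectory

$groupName = 'Admin1'
$configNC  = (Get-ADRootDSE).configurationNamingContext
$templates = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$oidRoot   = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

$group = Get-ADGroup -Identity $groupName
# The reference requires a global or universal group: the Configuration partition is
# forest-wide, so a domain local group from one domain is not a valid grantee here.
if ($group.GroupScope.ToString() -notin @('Global', 'Universal')) {
    throw "$groupName is a $($group.GroupScope) group; use a global or universal group."
}
$sid = $group.SID

function Grant-AdRight {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $sid, $Rights, 'Allow'
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted $Rights to $groupName on $DistinguishedName"
}

# 1. Create All Child Objects (CreateChild) on the Certificate Templates container.
Grant-AdRight -DistinguishedName $templates -Rights CreateChild

# 2. Full Control (GenericAll) on every existing template; the container's ACL is
#    not inherited by the templates, so each one must be granted individually.
Get-ADObject -SearchBase $templates -SearchScope OneLevel `
             -Filter 'objectClass -eq "pKICertificateTemplate"' |
    ForEach-Object { Grant-AdRight -DistinguishedName $_.DistinguishedName -Rights GenericAll }

# 3. Create All Child Objects (CreateChild) on the OID container, where a new
#    template registers its object identifier.
Grant-AdRight -DistinguishedName $oidRoot -Rights CreateChild

# Audit: who can create templates now? Anyone with CreateChild or GenericAll on the
# container qualifies, including inherited entries, which is why this should be
# reviewed periodically rather than only at delegation time.
function Get-TemplateCreators {
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$templates").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ((($_.ActiveDirectoryRights -band $createChild) -ne 0) -or
             (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll))
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}
Get-TemplateCreators | Format-Table -AutoSize
```

The audit output should show only Enterprise Admins, the forest root Domain Admins, and the group you just delegated to; any other principal listed there holds the same template-creation capability and should be accounted for.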

Reference 2:

Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298

Delegate Permissions for Creation of New Templates

You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
