
DSQUERY Reference 1:

1. Open Server Manager, click Add Roles, click Next, and click Active Directory Certificate Services.

Click Next two times.

2. (...)

While this still may be true I left it at the original answer C ("Upgrade the member server to Windows Server 2008 R2 Enterprise"). Quite frankly, I'm not sure whether it's right or wrong. Hopefully someone can clear this up once and for all.

Some other notes and quotes I collected:

---MS Press Training Kit 70-640 - 2nd Edition page 781

"Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Windows Server 2008 R2 Datacenter edition."

Errata:

"This is not correct. You can use Windows 2008 R2 Standard edition, but you will not have access to all features."

Note from the Author or Editor:

Yes indeed, you can use the Standard Edition to run an Enterprise CA with limited functionality. Our recommendation would be to use this as a root CA only.

---Reference:

http://technet.microsoft.com/en-us/library/cc725838.aspx

Version 3 certificate templates

In addition to version 2 template features and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.

Template availability

Windows Server 2008 R2, all editions

Windows Server 2008, Enterprise and Datacenter editions

--- http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/1a1172c6-abdb-4c5a-8a7c-ea254de5dada/

I am looking for some clarification on deploying a Windows Server 2008 R2 Standard CA and version 2 and version 3 certificates. I currently have a Windows Server 2008 Standard CA.

Server 2008 Standard can only issue certificates based on V1 certificate templates.

Server 2008 R2 Standard is allowed to issue certificates based on V1, V2, and V3 certificate templates.

Windows Server 2008 does not equal Windows Server 2008 R2.

This ability was introduced with the Windows Server 2008 R2 SKU. You will have one of two choices:

- Upgrade to Server 2008 Enterprise

- Upgrade/Migrate to Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise

Brian Komar, thank you for the answer!

I have another question. In the Training Kit (Exam 70-640) it is described: "Enterprise CAs can run only on Windows Server 2008 R2 Enterprise edition or Datacenter edition". Is it true? If yes, how can we issue certificates based on V3 certificate templates on Windows Server 2008 R2 Standard?

The training kit is incorrect. It probably was updated from Windows Server 2008 (or Windows Server 2003) where the statement was correct.

Brian

QUESTION 34

Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management Services

B. Active Directory Users and Computers

C. Local Users and Groups

D. Services

Correct Answer: A

Section: (none)

Explanation/Reference:

Reference:

http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-service-account-password.aspx

AD RMS How To: Change the RMS Service Account Password

The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.

QUESTION 35

Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link.

Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

What should you do?

A. Create a new secondary zone named ad.contoso.com on DC2.

B. Create a new stub zone named ad.contoso.com on DC2.

C. Configure the DNS server on DC2 to forward requests to DC1.

D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: D

Section: (none)

Explanation/Reference:

Three answers don't make sense, leaving us with the one that works.

Create a new secondary zone named ad.contoso.com on DC2.

This would create a read-only zone, so it couldn't be updated.

Create a new stub zone named ad.contoso.com on DC2.

This stub zone would contain source information about authoritative name servers for its zone only, being DC1, but that one would be unavailable if the WAN link fails.

Configure the DNS server on DC2 to forward requests to DC1.

This doesn't help if the WAN link fails and DC1 is unavailable.

QUESTION 36

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?

A. Active Directory Users and Computers

B. Authorization Manager

C. Group Policy Management

D. Enterprise PKI

Practically the same question as J/Q27.

Reference:

http://technet.microsoft.com/en-us/library/cc753826.aspx

Configure a Certificate Template for Key Archival

The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.

To configure a certificate template for key archival and recovery

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.

3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.

5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.

6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.
