Upgrading Your Skills to MCSA Windows Server 2012 — Question 44

You are an Active Directory administrator for Contoso, Ltd.
You have a properly configured certification authority (CA) in the contoso.com Active Directory Domain Services (AD DS) domain. Contoso employees authenticate to the VPN by using a user certificate issued by the CA.
Contoso acquires a company named Litware, Inc., and establishes a forest trust between contoso.com and litwareinc.com. No CA currently exists in the litwareinc.com AD DS domain.
Litware employees do not have user accounts in contoso.com and will continue to use their litwareinc.com user accounts. Litware employees must be able to access Contoso's VPN and must authenticate by using a user certificate that is issued by Contoso's CA.
You need to configure cross-forest certificate enrollment for Litware users.
Which two actions should you perform? Each correct answer presents part of the solution.

Answer options

• A. Grant the litwareinc.com AD DS Domain Computers group permissions to enroll for the VPN template on the Contoso CA.
• B. Copy the VPN certificate template from contoso.com to litwareinc.com.
• C. Add Contoso's root CA certificate as a trusted root certificate to the Trusted Root Certification Authority in litware.com.
• D. Configure clients in litwareinc.com to use a Certificate Policy server URI that contains the location of Contoso's CA.

Correct answer: C, D

Explanation

The correct answers, C and D, are essential for enabling Litware users to authenticate using certificates from Contoso's CA. Adding Contoso's root CA certificate as a trusted root allows Litware's systems to recognize and trust the certificates issued by Contoso. Configuring clients to use the Certificate Policy server URI ensures they can request and obtain the appropriate certificates. Options A and B are incorrect because they do not address the requirement for trust and certificate issuance across the forests.