Identity with Windows Server 2016 — Question 131
Your network contains an Active Directory forest named contoso.com. The forest contains several domains.
An administrator named Admin01 installs Windows Server 2016 on a server named Server1 and then joins Server1 to the contoso.com domain.
Admin01 plans to configure Server1 as an enterprise root certification authority (CA).
You need to ensure that Admin01 can configure Server1 as an enterprise CA. The solution must use the principle of least privilege.
To which group should you add Admin01?
Answer options
- A. Server Operators in the contoso.com domain
- B. Cert Publishers on Server1
- C. Enterprise Key Admins in the contoso.com domain
- D. Enterprise Admins in the contoso.com domain.
Correct answer: D
Explanation
The correct answer is D, as the Enterprise Admins group has the necessary permissions to configure a CA. Other options do not provide the required level of access for CA configuration; for example, Server Operators (A) manage server operations but lack CA permissions, while Cert Publishers (B) only handle certificate publishing, and Enterprise Key Admins (C) manage key operations but do not have CA configuration rights.