Which group should you add Admin01?

Your network contains an Active Directory forest named contoso.com. The forest contains several domains.
An administrator named Admin01 installs Windows Server 2016 on a server named Server1 and then joins Server1 to the contoso.com domain.
Admin01 plans to configure Server1 as an enterprise root certification authority (CA).
You need to ensure that Admin01 can configure Server1 as an enterprise CA. The solution must use the principle of least privilege.
To which group should you add Admin01?
A. Server Operators in the contoso.com domain
B. Cert Publishers on Server1
C. Enterprise Key Admins in the contoso.com domain
D. Enterprise Admins in the contoso.com domain


One thought on “Which group should you add Admin01?”

  1. 126right, given answer D is correct.

    https://technet.microsoft.com/en-us/library/dn722303.aspx
    By default, to install a root or subordinate certification authority (CA), you must be a member of the Enterprise Admins group, or Domain Admins for the root domain (which is also usually a member of the Enterprise Admins group of the forest).
    This is already the least privilege to deploy an Enterprise CA. Since the deployment process of an Enterprise CA writes extensive information to the AD forest, it is normal that the deployment process requires Enterprise Admins group membership to obtain the necessary permissions for writing to areas (CN=Configuration partition) of the following AD forest.
    During the deployment process, the Enterprise CA writes information into the forest CN=Configuration partition, into the CN=Public Key Services branch container.
    For the “CN=Public Key Services” container, only “Enterprise Admins” has Full Control permission in its “Security” setting; therefore, you have to add “Admin01” into the “Enterprise Admins” group for deploying an Enterprise CA.
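
The permissions described in the comment above can be checked read-only before anyone's group membership is changed. The script below is an added example, not part of the original page or comment; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the configuration partition, and the account name `Admin01` from the question.

```powershell
# Added example: read-only audit of who can write to the forest-wide PKI container.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Build the container DN from the forest's configuration naming context
# (for the forest in the question: CN=Configuration,DC=contoso,DC=com).
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"

# Individual rights that allow creating or changing objects in the container.
# GenericAll and GenericWrite contain these bits, so ACEs granting them match too;
# read-only ACEs (GenericRead) share none of these bits and are filtered out.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner'

# List every Allow ACE on the container that carries at least one of those rights.
$acl = Get-Acl -Path "AD:\$pkiDN"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeRights) } |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

# Check whether the account from the question is in Enterprise Admins,
# directly or through nested groups. The group lives in the forest root domain.
$rootDomain = (Get-ADForest).RootDomain
$user       = 'Admin01'   # sAMAccountName taken from the question
$members    = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $rootDomain -Recursive
if ($members.SamAccountName -contains $user) {
    "$user is a member of Enterprise Admins"
} else {
    "$user is not a member of Enterprise Admins"
}
```

Running the same ACL listing after the CA is deployed, and once Admin01 has been removed from the group again, confirms that no extra write access was left behind on the container.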
