Your company uses a Windows 2008 Enterprise certificate authority （CA） to issue certificates. You need to implement key archival. What should you do（）A、Archive the private key on the server.B、Apply the Hisecdc security template to the domain controllers.C

第1题：

Your company has an Active Directory domain. All servers run Windows Server 2008. You deploy a Certification Authority （CA） server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue， approve， and revoke certificates. What should you do（）

• A、Assign the Certificate Manager role to the CertIssuers group.
• B、Place CertIssuers group in the Certificate Publisher group
• C、Run the certsrv -add CertIssuers command promt of the certificate server
• D、Run the add -member-membertype memberset CertIssuers command by using Microsoft WindowsPowershell

第2题：

Your company has an Active Directory domain. AlI servers run Windows Server 2008. Your company uses an Enterprise Root certificate authority （CA）. You need to ensure that revoked certificate information is highly available. What should you do（）

• A、Implement an Online Certificate Status Protocol （OCSP） responder by using Network Load Balancing.
• B、Implement an Online Certificate Status Protocol （OCSP） responder by using an Internet Security and Acceleration Server array.
• C、Publish the trusted certificate authorities list to the domain by using a Group Policy Object （GPO）.
• D、Create a new Group Policy Object （GPO） that allows users to trust peer certificates. Link the GPO to the domain.

第3题：

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.  Your  company uses an Enterprise Root certification authority （CA） and an Enterprise Intermediate CA.  The Enterprise Intermediate CA certificate expires.    You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do（）

• A、Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
• B、Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA  server.
• C、Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers  group policy object.
• D、Import the new certificate into the Intermediate Certification Store in the Default Domain group policy  object.

第4题：

Your network contains a Web server named Server1 that runs Windows Server 2003 and Internet Information Server (IIS). Server1 has a server certificate from an Enterprise Certificate Authority (CA) installed. External users report that when they try to access the Web site from outside the corporate network by using a Web browser, they receive the following warning message: There is a problem with this Web sites security certificate. The security certificate presented by this Web site was not issued by a trusted certificate authority. You find that users onthe corporate network do not receive this error. You need to ensure that external users do not receive the warning message when connecting to Server1.   What should you do?（）

• A、In IIS Manager， enable the Enable client certificate mapping option.
• B、In IIS Manager， replace the certificate with a certificate obtained from a public Certification Authority.
• C、In Local Security Policy， enable Domain Member： Require strong （Windows 2000 or later） session key.
• D、In Local Security Policy， enable Domain Member： Digitally encrypt or sign secure channel data （always）.

第5题：

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.  Your  company runs an Enterprise Root certification authority （CA）.   You need to ensure that only administrators can sign code. Which two task should you perform（）

• A、Publish the code signing template.
• B、Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and  allow only administrators to apply the policy.
• C、Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted  Publishers.
• D、Modify the security settings on the template to allow only administrators to request code signing  certificates.

第6题：

You are a network administrator for your company. The network consists of two Active Directory domains. You are responsible for administering one domain， which contains users who work in the sales department. User objects for the users in the sales department are stored in an organizational unit （OU） named Sales in your domain.   Users in the sales department use a public key infrastructure （PKI） enabled application that requires users to present client authentication certificates before they are granted access. You install Certificate Services on two member servers  running Windows Server 2003. You configure one server as an enterprise subordinate certification authority （CA） and the other server as a stand-alone root CA.   You need to issue certificates that support client authentication to sales users only. You need to achieve this goal by using the minimum amount of administrative effort.   What should you do？  （）

• A、 Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object （GPO） to autoenroll users for certificates.
• B、 Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Configure the Default Domain Policy Group Policy object （GPO） to autoenroll computers for certificates.
• C、 Create a duplicate of the User certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object （GPO） and link it to the Sales OU. Configure the GPO to autoenroll sales users for certificates.
• D、 Create a duplicate of the Computer certificate template and configure it to support autoenrollment. Configure the enterprise subordinate CA to issue certificates based on the template. Create a new Group Policy object （GPO） and link it to the Sales OU. Configure the GPO to autoenroll sales client computers for certificates.

第7题：

You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement  a certification authority （CA） server that meets the following requirements：     - Allows the certification authority to automatically issue certificates  - Integrates with Active Directory Domain Services     What should you do（）

• A、Install and configure the Active Directory Certificate Services server role as a Standalone Root CA .
• B、Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA .
• C、Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate S
• D、Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the sc

第8题：

第9题：

第10题：

第11题：

You have an enterprise root certification authority （CA） that runs Windows Server 2008 R2.     You need to ensure that you can recover the private key of a certificate issued to a Web server.     What should you do（）

• A、From the ca， run the Get-PfxCertificate cmdlet.
• B、From the Web server， run the Get-PfxCertificate cmdlet.
• C、From the ca， run the certutil.exe tool and specify the -exportpfx parameter.
• D、From the Web server， run the certutil.exe tool and specify the -exportpfx parameter.

第12题：

You have an enterprise subordinate certification authority （CA） configured for key archival. Three key  recovery agent certificates are issued.   The CA is configured to use two recovery agents.   You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.   What should you do（）

• A、Add a data recovery agent to the Default Domain Policy.
• B、Modify the value in the Number of recovery agents to use box.
• C、Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
• D、Assign the Issue and Manage Certificates permission to users who have the key recovery agent  certificates.

第13题：

You have an enterprise subordinate certification authority （CA）.   You have a custom certificate template that has a key length of 1，024 bits. The template is enabled for  autoenrollment.   You increase the template key length to 2，048 bits.   You need to ensure that all current certificate holders automatically enroll for a certificate that uses the  new template.   Which console should you use（）

• A、Active Directory Administrative Center
• B、Certification Authority
• C、Certificate Templates
• D、Group Policy Management

第14题：

You have an enterprise subordinate certification authority （CA）. The CA issues smart card logon  certificates.     Users are required to log on to the domain by using a smart card. Your company’s corporate  security policy states that when an employee resigns， his ability to log on to the network must be  immediately revoked.     An employee resigns. You need to immediately prevent the employee from logging on to the  domain.     What should you do（）

• A、Revoke the employee’s smart card certificate.
• B、Disable the employee’s Active Directory account.
• C、Publish a new delta certificate revocation list （CRL）.
• D、Reset the password for the employee’s Active Directory account.

第15题：

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The network contains 100 servers and 5,000 client computers. The client computers run either Windows XP Service Pack 1 or Windows 7. You need to plan a VPN solution that meets the following requirements:   èStores VPN passwords as encrypted text  èSupports Suite B cryptographic algorithms èSupports automatic enrollment of certificates   èSupports client computers that are configured as members of a workgroup What should you include in your plan?（） 

• A、Upgrade the client computers to Windows XP Service Pack 3. Implement a stand-alone certification authority （CA）. Implement an IPsec VPN that uses certificate-based authentication.
• B、Upgrade the client computers to Windows XP Service Pack 3. Implement an enterprise certification authority （CA） that is based on Windows Server？2008 R2. Implement an IPsec VPN that uses Kerberos  authentication.
• C、Upgrade the client computers to Windows 7. Implement an enterprise certification authority （CA） that is  based on Windows Server 2008 R2. Implement an IPsec VPN that uses pre-shared keys.
• D、Upgrade the client computers to Windows 7. Implement an enterprise certification authority （CA） that is  based on Windows Server 2008 R2. Implement an IPsec VPN that uses certificate-based authentication.

第16题：

You are the network administrator for your company. The network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. All client computers run Windows XP Professional.   The company has legacy applications that run on UNIX servers. The legacy applications use the LDAP protocol to query Active Directory for employee information.  The domain controllers are currently configured with the default security settings. You need to configure enhanced security for the domain controllers. In particular， you want to configure stronger password settings， audit settings， and lockout settings. You want to minimize interference with the proper functioning of the legacy applications.   You decide to use the predefined security templates. You need to choose the appropriate predefined security template to apply to the domain controllers.  What should you do？（）

• A、 Apply the Setup security.inf template to the domain controllers.
• B、 Apply the DC security.inf template to the domain controllers.
• C、 Apply the Securedc.inf template to the domain controllers.
• D、 Apply the Rootsec.inf template to the domain controllers.

第17题：

You are the network administrator for your company. The network contains a single Active Directory domain. All computers on the network are members of the domain. All domain controllers run Windows Server 2003.   You are planning a public key infrastructure （PKI）. The PKI design documents for your company specify that certificates that users request to encrypt files must have a validity period of two years.   The validity period of a Basic EFS certificate is one year. In the Certificates Templates console， you attempt to change the validity period for the Basic EFS certificate template. However， the console does not allow you to change the value.  You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do？  （）

• A、 Install an enterprise certification authority （CA） in each domain.
• B、 Assign the Domain Admins group the Allow - Full Control permission for the Basic EFS certificate template.
• C、 Create a duplicate of the Basic EFS certificate template. Enable the new template for issuing certificate authorities.
• D、 Instruct users to connect to the certification authority （CA） Web enrollment pages to request a Basic EFS certificate.

第18题：

第19题：