ive Directory Domain Services

　　What should you do?

　　A.

　　Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.

　　B.

　　Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.

　　C.

　　Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.

　　D.

　　Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.

　　Answers: B

　　30: Single

　　Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008. You need to ensure users are able to enroll new certificates. What should you do?

　　A.

　　Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to theCertEnroll folder on the issuing CA.

　　B.

　　Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to theSystemCertificates folder in the users profile.

　　C.

　　Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.

　　D.

　　Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.

　　Answers: A

　　31: Multiple

　　Your company has a server that runs Windows Server 2008. Active Directory Certificate Services (AD CS) is configured as a stand-alone Certification Authority (CA) on the server. You need to audit changes to the CA configuration settings and the CA security settings. Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

　　A.

　　Configure auditing in the Certification Authority snap-in.

　　B.

　　Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.

　　C.

　　Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.

　　D.

　　Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.

　　Answers: A D

　　32: Multiple

　　You have a Windows Server 2008 Enterprise Root certification authority (CA). You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates. You grant the Account Operators group the Issue and Manage Certificates permission on the CA. Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)

　　A.

　　Enable the Restrict Enrollment Agents option on the CA.

　　B.

　　Enable the Restrict Certificate Managers option on the CA.

　　C.

　　Add the Basic EFS certificate template for the Account Operators group.

　　D.

　　Grant the Account Operators group the Manage CA permission on the CA.

　　E.

　　Remove all unnecessary certificate templates that are assigned to the Account Operators group.

　　Answers: B C E

　　33: Single

　　Your company has an Active Directory domain. All servers run Windows Server 2008. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA. The Enterprise Intermediate CA certificate expires. You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do?

　　A.

　　Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.

　　B.

　　Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.

　　C.

　　Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.

　　D.

　　Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.

　　Answers: D

　　34: Single

　　Your network consists of an Active Directory forest named contoso.com. All servers run Windows

　　Server 2008. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition. You have a member server that contains a standard primary DNS zone for dev.contoso.com. You need to ensure that all domain controllers can resolve names for dev.contoso.com. What should you do?

　　A.

　　Create a NS record in the contoso.com zone.

　　B.

　　Create a delegation in the contoso.com zone.

　　C.

　　Create a standard secondary zone on a Global Catalog server.

　　D.

　　Modify the properties of the SOA record in the contoso.com zone.

　　Answers: B

　　35: Single

　　Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. You need to configure the contoso.com zone to automatically remove expired records. What should you do?

　　A.

　　Enable only secure updates on the contoso.com zone.

　　B.

　　Enable scavenging and configure the refresh interval on the contoso.com zone.

　　C.

　　From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.

　　D.

　　From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.

　　Answers: B

　　36: Single

　　Your network consists of an Active Directory forest that contains one domain. All domain

　　controllers run Windows Server 2008 and are configured as DNS servers. You have an Active Directory-integrated zone. You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone. You need to ensure that all domain controllers immediately receive the new NS record. What should you do?

　　A.

　　From the DNS Manager console, reload the zone.

　　B.

　　From the Services snap-in, restart the DNS Server service.

　　C.

　　From the command prompt, run repadmin /syncall.

　　D.

　　From the DNS Manager console, increase the version number of the SOA record.

　　Answers: C

　　37: Single

　　You have a domain controller named DC1 that runs Windows Server 2008. DC1 is configured as a DNS server for contoso.com. You install the DNS Server server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone. You need to ensure that Server1 receives zone updates from DC1. What should you do?

　　A.

　　On Server1, add a conditional forwarder.

　　B.

　　On DC1, modify the permissions of contoso.com zone.

　　C.

　　On DC1, modify the zone transfer settings for the contoso.com zone.

　　D.

　　Add the Server1 computer account to the DNSUpdateProxy group.

　　Answers: C

　　38: Single

　　Your company has a main office and a branch office. The company has a single-domain Active

　　Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008. The branch office has a Windows Server 2008 read-only domain controller (RODC) named DC3. All domai

 << 上一頁  [11] [12] [13] 下一頁