| Question 1 | Your organization consists of a single Windows 2000 domain. You have been asked to implement Certificate Services within the existing network infrastructure. Certificate Services must integrate with Active Directory. Which of the following should you implement? |
| A1: | Answer A is correct. If the Certificate Authority is required to integrate with Active Directory, an Enterprise CA must be configured. Because there is no other CA installed, an Enterprise Root CA must be configured. Answer B is incorrect. To install an Enterprise Subordinate CA, a root CA must be available. However, if a commercial CA was configured as the parent CA, this option would be possible. Answers C and D are incorrect because Standalone CAs do not use Active Directory. |
| Question 2 | Your network currently consists of an enterprise CA. There is a Web server on the internal network that provides services to external business partners . You want to expand the current setup to provide Certificate Services to these users. Which of the following should you implement? |
| A2: | Answer D is correct. Standalone CAs should be implemented when certificates are being issued to users outside of the organization. In this case, Internet users are assured of the Web server's identity, so a standalone subordinate CA should be configured with a commercial CA as the parent. Therefore, answer C is incorrect. Answers A and B are incorrect because Enterprise CAs are used to issue certificates to users within an organization. |
| Question 3 | You have been asked to implement Certificate Services on the network. How can you install the service on a Windows 2000 server? -
A. Network and Dial-up Connections applet -
B. Add/Remove Programs applet -
C. Certificate Services applet -
D. Administrative Tools applet |
| A3: | Answer B is correct. Certificate Services can be installed using the Add/Remove Programs applet within the Control Panel. Therefore, answers A, C, and D are incorrect. |
| Question 4 | Your organization is implementing Certificate Services. You have been asked to outline the process involved in installing and configuring the service. In your proposal, you outline the requirements of an Enterprise CA. Which of the following should be included in the list of requirements? |
| A4: | Answer B is correct. One of the requirements of an enterprise CA is that an Active Directory domain controller be available. Enterprise CAs use Active Directory to verify the identity of users and computers and store configuration data. Answer A is incorrect. Although Certificate Services can only be installed on one of the Windows 2000 server platforms, it does not require Windows 2000 Advanced Server. Answer C is incorrect because Internet Information Services is not required to install an Enterprise CA. (If you want to use Web-based enrollment, IIS needs to be installed.) Answer D is incorrect because Enterprise CAs require DNS not WINS. |
| Question 5 | Due to reorganization within the company, three employees have been terminated . You revoke the certificates of the three users. When you check the CRL, the certificates are not listed. What is the problem? -
A. Revoked certificates must be manually added to the CRL. -
B. Revoked certificates are not placed on the CRL. -
C. The pending revocation interval has not yet expired . -
D. The publishing interval has not yet expired. |
| A5: | Answer D is correct. By default, after a certificate is revoked it will appear on the CRL after the publishing interval expires . The default publishing interval is once a week. Answers A and B are incorrect because all revoked certificates are automatically added to the CRL. Answer C is incorrect because there is no such thing as the pending revocation interval. |
| Question 6 | Your network consists of two domains. A certificate hierarchy is already in place. SRVCA1 is the Enterprise CA. SRVCA2 and SRVCA3 are both configured as Enterprise Subordinate CAs. Due to expansion, a third domain is added to the forest. However, SRVCA2 and SRVCA3 are unable to publish any certificates for users in the new domain. How would you fix this problem? -
A. Add the Enterprise Subordinates to the Enterprise Admins group -
B. Add the Enterprise Subordinates to the Cert Publishers group -
C. Add the Enterprise Subordinates to the Domain Admins group -
D. Add the Enterprise CA to the Enterprise Admins group |
| A6: | Answer B is correct. For the subordinate CAs to publish certificates, they must be added to the Cert Publishers group in the new domain. Therefore, answers A, C, and D are incorrect. |
| Question 7 | Which of the following is required to implement an Enterprise CA? -
A. All users must have accounts within Active Directory. -
B. There are no Active Directory requirements. -
C. All computers must have accounts within Active Directory. -
D. All user and computers must have accounts within Active Directory. |
| A7: | Answer D is correct. An Enterprise CA uses Active Directory to verify the identity of users and computers so all users and computers must have an account within Active Directory. Therefore, answers A, B, and C are incorrect. |
| Question 8 | There are a number of Macintosh clients on your Windows 2000 network. They don't use Internet Explorer as their browser. Users report that they are unable to request certificates using the Web-based enrollment. How should you proceed? -
A. Give the Macintosh clients permission to the appropriate certificate templates. -
B. Upgrade their browsers to Internet Explorer. -
C. Within IIS, configure Basic Authentication to the CertSrv virtual directory. -
D. Install the Certificate Services client on the workstations. |
| A8: | Answer C is correct. To allow Macintosh clients to use Web-based certificate enrollment, the authentication method on the virtual directory must be set to basic. Therefore, answers A, B, and D are incorrect. |
| Question 9 | Your company's Windows 2000 Web server is hosted on the Internet. The Web developers in the company often develop applications for external clients that download ActiveX controls to the clients' browser. However, with the default settings in Internet Explorer, clients are unable to automatically download the ActiveX controls. How can the problem be fixed? -
A. Install an Enterprise CA. Create a new policy setting that allows Web developers to request code signing certificates. -
B. Install an Enterprise Subordinate CA with a commercial CA as the parent. Configure a new policy setting that allows Web developers to request code signing certificates. -
C. Install an Enterprise Subordinate CA with an internal CA as the parent. Configure a new policy setting that allows developers to request code signing certificates. -
D. Install an Enterprise CA. Configure a commercial CA as the parent. Configure a new policy setting that allows developers to request code signing certificates. |
| A9: | Answer B is correct. Because certificates are being assigned to internal users, and Enterprise CA is configured. To assure customers of the Web server's identity, the parent of the Subordinate Enterprise CA should be a commercial CA. |
| Question 10 | Your company has a Web server that is used by customers. It is currently not a member of the company's domain nor will it be. The Web server is now going to be used for customer transactions. For utmost security, the transactions should be encrypted and customers should be assured of the Web server's identity. What type of CA should you configure? |
| A10: | Answer D is correct. Because certificates aren't being assigned to users within the organization, a standalone CA should be used. To assure customers of the Web server's identity, a Standalone Subordinate CA should be configured and assigned a certificate from a commercial CA. Therefore, answers A, B, and C are incorrect. |
