Objective 4.4: Questions

 < Day Day Up > 



1. 

Which of the following restrictions apply to the installation of an enterprise root CA? (Select all that apply.)

  1. Must be installed in the root domain of a forest.

  2. Must be installed on a domain controller.

  3. Requires that a certificate be obtained from a commercial CA.

  4. Requires that Active Directory be present.

  5. The server running the enterprise root CA cannot change its name or domain membership.

  6. Should not be installed on any node in a server cluster.

 correct answers: d, e, and f a. incorrect an enterprise root ca must be installed by a user with enterprise administrator privileges. this does not, however, restrict an enterprise root ca from being installed in a child domain within a forest. b. incorrect an enterprise root ca can be installed on a member server. an enterprise root ca cannot be installed on a standalone server because there would be no access to active directory. c. incorrect an enterprise root ca generates its own root certificate. it does not require a root certificate from another organization, such as a commercial ca. d. correct an enterprise root ca requires that active directory be present. e. correct when an enterprise root ca is installed, the computer name and domain membership cannot be changed because this information is bound to active directory. changing the name would invalidate the certificates issued by the ca. f. correct microsoft recommends against installing certificate services on any node in a server cluster because this will prevent the service from running correctly.

2. 

Rooslan is the systems administrator for the local university’s department of arts. The department has an Active Directory forest that has a child domain for each department. The department of arts forest has a forest trust relationship with the university administration’s Active Directory forest. The root domain of the university administration’s forest has an enterprise root CA and two enterprise subordinate CAs. The science department wants Rooslan to install a CA that is integrated with Active Directory so that certificates can be issued automatically. In this situation, which of the following statements is true?

  1. Rooslan can install an enterprise subordinate CA on a member server in the science domain by using the forest trust relationship with the administration’s forest to obtain a certificate from the administration enterprise root CA.

  2. Rooslan can install an enterprise subordinate CA on a member server in the science domain by using the forest trust relationship with the administration’s forest to obtain a certificate from the administration enterprise subordinate CA.

  3. Rooslan can install an enterprise root CA in the science department’s child domain.

  4. Rooslan can install a standalone root CA on a standalone server located on the same subnet as the science child domain.

  5. Rooslan can install a standalone root CA on a member server in the science child domain.

 correct answers: c a. incorrect a forest trust relationship will not allow a certificate to be automatically issued to a subordinate ca in a separate forest. the trust relationship between domains in the same forest will allow an enterprise root ca to issue a certificate to an enterprise subordinate ca located in a child domain. b. incorrect a forest trust relationship will not allow a certificate to be automatically issued to a subordinate ca in a separate forest. c. correct enterprise root cas can be installed in child domains and in root domains. you can have an enterprise root ca in a child domain and have a subordinate and issuing ca in the root domain of a forest. d. incorrect a standalone root ca installed on a standalone server will not integrate with active directory. e. incorrect a standalone root ca installed on a member server will not automatically issue certificates based on information located in active directory.

3. 

You are the certificate administrator for the proseware.com forest. The proseware.com forest has a forest trust configured with the adatum.com forest. The certificate administrator of the adatum.com forest wants to set up an enterprise subordinate CA based on a certificate issued by the enterprise root CA in the proseware.com forest. The adatum.com certificate administrator has given you a disk containing a certificate request file named subca.adatum.com.req.

Which of the following methods do you need to use to provide the certificate administrator of the adatum.com forest with a certificate that the administrator can use for his or her enterprise subordinate CA?

  1. Run the Certificate Approval Wizard, and select the subca.adatum.com.req file on the disk. Store the approved certificate on the disk.

  2. The certificate request file is unnecessary because a forest trust relationship exists between the proseware.com forest and the adatum.com forest.

  3. On the enterprise root CA, right-click the server, select All Tasks, and then select Submit New Request. Load the subca.adatum.com.req file. Save the approved certificate back to the disk.

  4. Insert the disk into the drive on the enterprise root CA. In Windows Explorer, right-click the certificate and then select Approve.

 correct answers: c a. incorrect there is no certificate approval wizard. b. incorrect although you can request a certificate from an enterprise root ca in a trusted forest when you are setting up an enterprise subordinate ca, this request will automatically be denied by the policy module on the enterprise root ca. if a certificate is issued, it must be issued manually. c. correct although it might seem counter-intuitive to use submit new request to approve a request, this is the method by which request files can be approved as certificates. this certificate can now be imported into the enterprise subordinate ca, though during the process the enterprise root ca from the other forest must be explicitly trusted. d. incorrect this method cannot be used to approve a certificate.

4. 

Which of the following methods can you use to back up a CA’s private key, CA certificate, certificate database, and certificate database log? (Select all that apply.)

  1. In the Certificate Authority MMC, right-click the CA and, on the All Tasks menu, click Back Up CA. When the wizard runs, ensure that the Private Key and CA Certificate check boxes, in addition to the Certificate Database and Certificate Database Log check boxes, are selected. When prompted, enter a backup password.

  2. Run the certutil –backup backupdirectory command from the command line, and enter the backup password when prompted.

  3. Copy the contents of the C:\%systemroot%\system32\certsrv and certlog directories to a network share.

  4. In the Certificate Authority MMC, right-click the CA and then click Export List.

 correct answers: a and b a. correct this is one method that can be used to back up the ca s private key, ca certificate, certificate database, and certificate database log. b. correct this method will also work. it can also be scripted to occur at regular intervals. c. incorrect this will not correctly back up the private key, ca certificate, certificate database, and certificate database log. d. incorrect this will not correctly back up the private key, ca certificate, certificate database, and certificate database log.

5. 

You are the systems administrator of the contoso.internal domain. You have just installed an enterprise root CA on a member server running Windows Server 2003. You want to enable key recovery by means of an account you’ve created with the UPN keymaster@contoso.internal. Which of the following steps will you need to take to allow this to occur? (Select all that apply.)

  1. Use the Run As command to run an MMC with the UPN keymaster@contoso.internal. Add the Certificates snap-in with the focus on the current user. From the Personal node, run the Certificate Request Wizard and request a Key Recovery Agent certificate.

  2. Use the Run As command to run an MMC with the UPN keymaster@contoso.internal. Add the Certificates snap-in with the focus on the current user. From the Personal node, run the Certificate Request Wizard and request an Administrator certificate.

  3. In the Certification Authority MMC, right-click the Certificate Templates node and then select New Certificate Template To Issue. Select the EFS Recovery Agent certificate template.

  4. Edit the properties of the Key Recovery Agent certificate template in the Certificate Templates MMC. On the Security tab, add the keymaster@contoso.internal account, and ensure that it has the Read and Enroll permissions. On the Issuance Requirements tab, clear the CA Certificate Manager Approval check box.

  5. In the Certification Authority MMC, right-click the Certificate Templates node and then select New Certificate Template To Issue. Select the Key Recovery Agent certificate template.

  6. In the Certification Authority MMC, right-click the CA. Click the Recovery Agents tab. Click Archive The Key, leaving the number of recovery agents to use as 1. Click Add, and then select the keymaster@contoso.internal account. Install the certificate. Click OK and allow Certificate Services to restart.

 correct answers: a, d, e, and f a. correct this will force the enterprise root ca to issue a key recovery agent certificate to the keymaster@contoso.internal account. b. incorrect this step is not required. the keymaster@contoso.internal account requires a key recovery agent certificate rather than an administrator certificate. c. incorrect by default, windows server 2003 cas are already able to issue efs recovery agent certificates. an efs recovery agent certificate cannot be used as a key recovery agent on a windows server 2003 enterprise root ca. d. correct this allows the keymaster@contoso.internal account to request and enroll itself in this particular type of certificate without the intervention of the ca certificate manager. e. correct this allows key recovery agent certificates to be issued by the enterprise root ca. f. correct this is the final step in setting up a recovery agent: selecting an account that has the correct key recovery agent certificate installed, installing that certificate, and then restarting certificate services.

Answers

1. 

Correct Answers: D, E, and F

  1. Incorrect An enterprise root CA must be installed by a user with enterprise administrator privileges. This does not, however, restrict an enterprise root CA from being installed in a child domain within a forest.

  2. Incorrect An enterprise root CA can be installed on a member server. An enterprise root CA cannot be installed on a standalone server because there would be no access to Active Directory.

  3. Incorrect An enterprise root CA generates its own root certificate. It does not require a root certificate from another organization, such as a commercial CA.

  4. Correct An enterprise root CA requires that Active Directory be present.

  5. Correct When an enterprise root CA is installed, the computer name and domain membership cannot be changed because this information is bound to Active Directory. Changing the name would invalidate the certificates issued by the CA.

  6. Correct Microsoft recommends against installing Certificate Services on any node in a server cluster because this will prevent the service from running correctly.

2. 

Correct Answers: C

  1. Incorrect A forest trust relationship will not allow a certificate to be automatically issued to a subordinate CA in a separate forest. The trust relationship between domains in the same forest will allow an enterprise root CA to issue a certificate to an enterprise subordinate CA located in a child domain.

  2. Incorrect A forest trust relationship will not allow a certificate to be automatically issued to a subordinate CA in a separate forest.

  3. Correct Enterprise root CAs can be installed in child domains and in root domains. You can have an enterprise root CA in a child domain and have a subordinate and issuing CA in the root domain of a forest.

  4. Incorrect A standalone root CA installed on a standalone server will not integrate with Active Directory.

  5. Incorrect A standalone root CA installed on a member server will not automatically issue certificates based on information located in Active Directory.

3. 

Correct Answers: C

  1. Incorrect There is no Certificate Approval Wizard.

  2. Incorrect Although you can request a certificate from an enterprise root CA in a trusted forest when you are setting up an enterprise subordinate CA, this request will automatically be denied by the policy module on the enterprise root CA. If a certificate is issued, it must be issued manually.

  3. Correct Although it might seem counter-intuitive to use Submit New Request to approve a request, this is the method by which request files can be approved as certificates. This certificate can now be imported into the enterprise subordinate CA, though during the process the enterprise root CA from the other forest must be explicitly trusted.

  4. Incorrect This method cannot be used to approve a certificate.

4. 

Correct Answers: A and B

  1. Correct This is one method that can be used to back up the CA’s private key, CA certificate, certificate database, and certificate database log.

  2. Correct This method will also work. It can also be scripted to occur at regular intervals.

  3. Incorrect This will not correctly back up the private key, CA certificate, certificate database, and certificate database log.

  4. Incorrect This will not correctly back up the private key, CA certificate, certificate database, and certificate database log.

5. 

Correct Answers: A, D, E, and F

  1. Correct This will force the enterprise root CA to issue a Key Recovery Agent certificate to the keymaster@contoso.internal account.

  2. Incorrect This step is not required. The keymaster@contoso.internal account requires a Key Recovery Agent certificate rather than an Administrator certificate.

  3. Incorrect By default, Windows Server 2003 CAs are already able to issue EFS Recovery Agent certificates. An EFS Recovery Agent certificate cannot be used as a Key Recovery Agent on a Windows Server 2003 enterprise root CA.

  4. Correct This allows the keymaster@contoso.internal account to request and enroll itself in this particular type of certificate without the intervention of the CA certificate manager.

  5. Correct This allows key recovery agent certificates to be issued by the enterprise root CA.

  6. Correct This is the final step in setting up a recovery agent: selecting an account that has the correct Key Recovery Agent certificate installed, installing that certificate, and then restarting Certificate Services.



 < Day Day Up > 



MCSA(s)MCSE Self-Paced Training Kit Exam 70-299 (c) Implementing and Administering Security in a M[.  .. ]twork
MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net