单选题Your network contains a stand-alone root certification authority （CA）. You have a server named Server1 that runs Windows Server 2008 R2.  You issue a server certificate to Server1. You deploy Secure Socket Tunneling Protocol （SSTP） on Server1.   You ne

第1题：

You need to design phase one of the new authentication strategy. Your solution must meet business requirements.What should you do？（）

• A、Install a Windows Server 2003 enterprise root CA, Configure certificate templates for autoenrollment
• B、Install a Windows Server 2003 enterprise subordinate CA, Configure certificate templates for autoenrollment
• C、Install a Windows Server 2003 stand-alone subordinate CA, Write a logon script for the client computers in the HR department that contains the Certreq.execommand
• D、Install a Windows Server 2003 stand-alone root CA,Write a logon script for the client computers in the HR department that contains the Certreq.execommand

第2题：

Your network contains a Network Policy and Access Services server named Server1. All certificates in theorganization are issued by an enterprise certification authority (CA) named Server2. You have a standalonecomputer named Computer1 that runs Windows 7. Computer1 has a VPN connection that connects toServer1 by using SSTP. You attempt to establish the VPN connection to Server1 and receive the followingerror message: A certificate chain processed, but terminated in a root certificate which is not trusted by thetrust provider. You need to ensure that you can successfully establish the VPN connection to Server1.  What should you do on Computer1?（）

• A、Import the root certificate to the user s Trusted Publishers store.
• B、Import the root certificate to the computer s Trusted Root Certification Authorities store.
• C、Import the server certificate of Server1 to the user s Trusted Root Certification Authorities store.
• D、Import the server certificate of Server1 to the computer s Trusted Root Certification Authorities store.

第3题：

Your network contains a DNS server named Server1 that runs Windows Server 2008 R2.Root hints for Server1 are configured as shown in the exhibit. (Click the Exhibit button.)You need to add root hints to Server1.What should you do first？（）

• A、Disable recursion.
• B、Delete the . (root) zone.
• C、Restart the DNS Server service.
• D、Remove all conditional forwarders.

第4题：

Your company has a single Active Directory directory service domain. All servers in your environment run Windows Server 2003. You have a stand-alone server that serves as a Stand-alone root certification authority （CA）. You need to ensure that a specific user can back up the CA and configure the audit parameters on the CA.  What should you do？（）

• A、 Assign the user account to the CA Admin role.
• B、 Add the user account to the local Administrators group.
• C、 Grant the user the Back up files and directories user right.
• D、 Grant the user the Manage auditing and security log user right.

第5题：

Your network contains a stand-alone certification authority (CA) and a Web server. The Web server hosts a secure Web site. The Web site uses a server certificate that was issued from the CA. Users report that they receive a certificate warning message when they connect to the Web site. You need to prevent users from receiving the certificate warning message when they connect to the Web site. What should you do from the Internet Options in Internet Explorer?（） 

• A、Import the CA certificate to the trusted root CA certificate store. 
• B、Import the server authentication certificate to the trusted publishers certificate store.
• C、Clear the Check for publisher's certificate revocation check box. 
• D、Clear the Require server verification (https:) for all sites in this zone check box for the Trusted sites zone.

第6题：

Your network is configured as shown in the following diagram.You deploy an enterprise certification authority （CA） on the internal network. You also deploy a Microsoft   Online Responder on the internal network.   You need to recommend a secure method for Internet users to verify the validity of individual certificates.   The solution must minimize network bandwidth. What should you recommend？（）

• A、Deploy a subordinate CA on the perimeter network.
• B、Install a stand-alone CA and the Network Device Enrollment Service （NDES） on a server on the perimeter network.
• C、Install a Network Policy Server （NPS） on a server on the perimeter network. Redirect authentication  requests to a server on the internal network.
• D、Install Microsoft Internet Information Services （IIS） on a server on the perimeter network. Configure IIS  to redirect requests to the Online Responder on the internal network.

第7题：

Your company has an Active Directory domain. All servers run Windows Server 2008 R2.  Your  company uses an Enterprise Root certification authority （CA） and an Enterprise Intermediate CA.  The Enterprise Intermediate CA certificate expires.    You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain. What should you do（）

• A、Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
• B、Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA  server.
• C、Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers  group policy object.
• D、Import the new certificate into the Intermediate Certification Store in the Default Domain group policy  object.

第8题：

Your company’s network includes client computers that run Windows 7. You design a wireless network to use Extensible Authentication Protocol-Transport Level Security （EAP-TLS）.   The Network Policy Server has a certificate installed.   Client computers are unable to connect to the wireless access points.    You need to enable client computers to connect to the wireless network.   What should you do？（）

• A、Configure client computers to use Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 （PEAP-MS-CHAP v2）.
• B、Configure client computers to use Protected Extensible Authentication Protocol-Transport Layer Security （PEAP-TLS）.
• C、Install a certificate in the Trusted Root Certification Authorities certificate store.
• D、Install a certificate in the Third-Party Root Certification Authorities certificate store.

第9题：

Your network contains an Active Directory forest. The forest contains two domains.  You have a standalone root certification authority （CA）.   On a server in the child domain， you run the Add Roles Wizard and discover that the option to select an  enterprise CA is disabled.   You need to install an enterprise subordinate CA on the server.   What should you use to log on to the new server（）

• A、an account that is a member of the Certificate Publishers group in the child domain
• B、an account that is a member of the Certificate Publishers group in the forest root domain
• C、an account that is a member of the Schema Admins group in the forest root domain
• D、an account that is a member of the Enterprise Admins group in the forest root domain

第10题：

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The network contains 100 servers and 5,000 client computers. The client computers run either Windows XP Service Pack 1 or Windows 7. You need to plan a VPN solution that meets the following requirements:   èStores VPN passwords as encrypted text  èSupports Suite B cryptographic algorithms èSupports automatic enrollment of certificates   èSupports client computers that are configured as members of a workgroup What should you include in your plan?（） 

• A、Upgrade the client computers to Windows XP Service Pack 3. Implement a stand-alone certification authority （CA）. Implement an IPsec VPN that uses certificate-based authentication.
• B、Upgrade the client computers to Windows XP Service Pack 3. Implement an enterprise certification authority （CA） that is based on Windows Server？2008 R2. Implement an IPsec VPN that uses Kerberos  authentication.
• C、Upgrade the client computers to Windows 7. Implement an enterprise certification authority （CA） that is  based on Windows Server 2008 R2. Implement an IPsec VPN that uses pre-shared keys.
• D、Upgrade the client computers to Windows 7. Implement an enterprise certification authority （CA） that is  based on Windows Server 2008 R2. Implement an IPsec VPN that uses certificate-based authentication.