You need to design the public key infrastructure (PKI) for the Willow Bridge, Ltd.
network. Take care that your solution meets the requirements.
Leading the way in IT testing and certification tools, www.certifyme.com
What should you do? (Each correct answer presents part of the solution. Choose
TWO.)
A. Place a root enterprise CA in the Chicago office and issuing subordinate enterprise
CAs in Detroit, Los Angeles, and New York.
B. Place a root enterprise CA in the Chicago office and issuing subordinate enterprise
CAs in Chicago, Detroit, Los Angeles, and New York.
C. Place a root standalone CA in the Chicago office and issuing subordinate enterprise
CAs in Detroit, Los Angeles, and New York.
D. Configure certificate templates for autoenrollment.
E. Configure cross-certification between the willowbridge.com domain and the bilco.com
domain.
F. Configure certificate templates for manual enrollment.
Answer: B, D
Explanation: A root enterprise CA placed in Chicago and issuing subordinate CAs in all
the locations will minimize WAN traffic, even in the event of a WAN
failure. Autoenrollment of certificate templates will reduce PKI administrative
requirements and will allow users and computers to be issued with certificates
automatically, with no user intervention. A PKI relies heavily on Active Directory information
to determine the identity of the requester and for storage of certificate information. An
enterprise CA is thus recommended, especially since a large number of certificates will be
enrolled and approved automatically. It is mentioned in the scenario:
1. The Willow Bridge, Ltd. PKI should be tightly integrated with Active Directory.
2. All solutions must ensure that WAN traffic is kept to a minimum.
3. Certificates should be distributed to network users.
These certificates should not require user intervention.
Incorrect answers:
A: You should also place an issuing subordinate enterprise CA in the Chicago office as
this will reduce WAN traffic considerably, especially in the case of WAN failure. If the
WAN link fails then the Chicago users' requests will not be fulfilled.
C: You should not deploy a root standalone CA because it is not integrated with Active
Directory and one of the requirements states that it must be tightly integrated with Active
Directory. Standalone CAs do not support V2 certificate templates, and therefore will
not support autoenrollment, which is another requirement since certificates should be
issued without requiring user intervention.
E: Configuring cross-certification between the willowbridge.com domain and the
bilco.com domain will not address the requirements stated.
F: Manual enrollment goes hand-in-hand with standalone CAs. You cannot configure
autoenrollment as standalone CAs do not offer support and will require user intervention.
Reference:
Elias N. Khnaser, Susan Snedak, Chris Peiris & Rob Amini, MCSE Designing Security
for a Windows Server 2003 Network Exam 70-298 Study Guide, Chapter 3, p. 186