单选题You are the network administrator for your company. The network contains a single Active Directory domain. All computers on the network are members of the domain. All domain controllers run Windows Server 2003.   You are planning a public key infrastru

第1题：

Your network consists of a single Active Directory domain. All domain controllers run Windows Server  2008 R2.   You need to capture all replication errors from all domain controllers to a central location.  What should you do（）

• A、Configure event log subscriptions.
• B、Start the System Performance data collector set.
• C、Start the Active Directory Diagnostics data collector set.
• D、Install Network Monitor and create a new capture.

第2题：

You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. The domain contains a Windows Server 2003 computer named Server1. You are planning a public key infrastructure （PKI） for the company. You want to deploy a certification authority （CA） on Server1. You create a new global security group named Cert Administrators. You need to delegate the tasks to issue， approve， and revoke certificates to members of the Cert Administrators group.  What should you do？（）

• A、 Add the Cert Administrators group to the Cert Publishers group in the domain.
• B、 Configure the Certificates Templates container in the Active Directory configuration naming context to assign the Cert Administrators group the Allow - Write permission.
• C、 Configure the CertSrv virtual directory on Server1 to assign the Cert Administrators group the Allow - Modify permission.
• D、 Assign the Certificate Managers role to the Cert Administrators group.

第3题：

You are a network administrator for your company. The network consists of a single Active Directory domain. The domain contains three Windows Server 2003 domain controllers， 20 Windows Server 2003 member servers， and 750 Windows XP Professional computers. The domain is configured to use only Kerberos authentication for all server connections.A user reports that she receives an "Access denied" error message when she attempts to connect to one of the member servers. You want to test the functionality of Kerberos authentication on the user’s client computer.  Which command should you run from the command prompt on the user’s computer？（）

• A、netsh
• B、netdiag
• C、ktpass
• D、ksetup

第4题：

Your network consists of a single Active Directory domain. The network contains a Terminal Server that runs Windows Server 2008， and client computers that run Windows Vista. All computers are members of the domain.   You deploy an application by using the TS RemoteApp Manager. The Terminal Servers security layer is set to Negotiate.  You need to ensure that domain users are not prompted for credentials when they access the application. What should you do？（）

• A、On the server， modify the Password Policy settings in the local Group Policy.
• B、On the server， modify the Credential Delegation settings in the local Group Policy.
• C、On all client computers， modify the Password Policy settings in the local Group Policy.
• D、On all client computers， modify the Credential Delegation settings in the local Group Policy.

第5题：

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003 You upgrade all domain controllers to Windows Server 2008 You need to configure the Active Directory environment to support the application of multiple password policies What should you do（）

• A、Create multiple Active Directory sites.
• B、On all domain controllers， run dcpromo /adv.
• C、On one domain controller， run dcpromo /adv.
• D、Raise the functional level of the domain to Windows Server 2008.

第6题：

第7题：

第8题：

第9题：

第10题：

第11题：

第12题：

第13题：

You are a network administrator for your company. All domain controllers run Windows Server 2003. The network contains 50 Windows 98 client computers， 300 Windows 2000 Professional computers， and 150 Windows XP Professional computers.   According to the network design specification， the Kerberos version 5 authentication protocol must be used for all client computers on the internal network.   You need to ensure that Kerberos version 5 authentication is used for all client computers on the internal network.   What should you do？  （）

• A、 On each domain controller， disable Server Message Block （SMB） signing and encryption of the secure channel traffic.
• B、 Replace all Windows 98 computers with new Windows XP Professional computers.
• C、 Install the Active Directory Client Extensions software on the Windows 98 computers.
• D、 Upgrade all Windows 98 computers to Windows NT Workstation 4.0.

第14题：

You are the network administrator for your company. The network consists of a single Active Directory domain. All computers on the network are members of the domain. All servers run Windows Server 2003 and all client computers run Windows XP Professional.  You are planning a security update infrastructure.   You need to find out which computers are exposed to known vulnerabilities. You need to collect the information on existing vulnerabilities for each computer every night. You want this process to occur automatically.  What should you do？ （）

• A、 Schedule the secedit command to run every night.
• B、 Schedule the mbsacli.exe command to run every night.
• C、 Install Microsoft Baseline Security Analyzer （MBSA） on one of the servers. Configure Automatic Updates on all other computers to use that server.
• D、 Install Software Update Services （SUS） on one of the servers. Configure the SUS server to update every night.

第15题：

You network consists of a single Active Directory domain. All domain controllers run Windows Server 2008. You need to reset the Directory Services Recovery Mode （DSRM） password on a domain controller. What tool should you use（）

• A、dsmod
• B、ntdsutil
• C、Local Users and Groups snap-in
• D、Active Directory Users and Computers snap-in

第16题：

You are a security administrator for your company. The network consists of a single Active Directory domain. All client computers run Windows XP Professional. All servers run Windows Server 2003. All computers on the network are members of the domain.    Traffic on the network is encrypted by IPSec. The domain contains a custom IPSec policy named Lan Security that applies to all computers in the domain. The Lan Security policy does not allow unsecured communication with non-lPSec-aware computers. The company’s written security policy states that the configuration of the domain and the configuration of the Lan Security policy must not be changed. The domain contains a multihomed server named Server1. Server1 isconnected to the company network， and Server1 is also connected to a test network. Currently， the Lan Security IPSec policy applies to network traffic on both network adapters in Server1. You need to configure Server1 so that it communicates on the test network without IPSec security. Server1 must still use the Lan Security policy when it communicates on the company network.  How should you configure Server1？（）

• A、 Configure a packet filter for the network adapter on the test network to block the Internet Key Exchange （IKE） port.
• B、 Configure the network adapter on the test network to disable IEEE 802.1x authentication.
• C、 Configure the network adapter on the test network to enable TCP/IP filtering， and then permit all traffic.
• D、 Use the netsh command to assign a persistent IPSec policy that permits all traffic on the network adapter on the test.
• E、 Assign an IPSec policy in the local computer policy that permits all traffic on the network adapter on the test.

第17题：

You are the network administrator for your company. The network contains a single Active Directory domain. All computers on the network are members of the domain. All domain controllers run Windows Server 2003.   You are planning a public key infrastructure （PKI）. The PKI design documents for your company specify that certificates that users request to encrypt files must have a validity period of two years.   The validity period of a Basic EFS certificate is one year. In the Certificates Templates console， you attempt to change the validity period for the Basic EFS certificate template. However， the console does not allow you to change the value.  You need to ensure that you can change the value of the validity period of the certificate that users request to encrypt files. What should you do？  （）

• A、 Install an enterprise certification authority （CA） in each domain.
• B、 Assign the Domain Admins group the Allow - Full Control permission for the Basic EFS certificate template.
• C、 Create a duplicate of the Basic EFS certificate template. Enable the new template for issuing certificate authorities.
• D、 Instruct users to connect to the certification authority （CA） Web enrollment pages to request a Basic EFS certificate.

第18题：

第19题：

第20题：

第21题：

第22题：

第23题：

第24题：