70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Online Class

Demo Question 10.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All servers on the EliteCertify.com network run Windows Server 2003 and all client computers run Windows XP Professional. The EliteCertify.com network contains a domain controller named EliteCertify -DC03 that is the enterprise root certification authority (C

A. on the network. EliteCertify.com makes use of IPSec connections to secure data communications between computers on the EliteCertify.com network and computers of other companies. To enable secure data communications, all computers on the EliteCertify.com network must be able to establish and use IPSec connections when connecting to other computers. The IPSec connections also require computer certificates. You must configure the EliteCertify.com network to ensure that all computers establish IPSec connections with other computers. How will you accomplish this task? Navigate to the computer settings area of the Default Domain Policy Group Policy object (GPO). Configure the domain members to always digitally encrypt or sign secure channel data.
B. In the settings area of the Default Domain Policy Group Policy object (GPO), define a new automatic certificate request.
C. Acquire a new computer certificate from a public CA and then import a copy of this certificate into the Trusted Root Certification Authorities area of the Default Domain Policy Group Policy object (GPO).
D. Use EliteCertify -DC03 to issue a new computer certificate. Make a copy of the new computer certificate available on an internal Web page which users can access. Inform all users to install the certificate in their trusted certificate store when they initially need to establish an IPSec connection.


Display Answer

Answer: D

Explanation: Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically. Because the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the enterprise. Enterprise CAs requires and uses Active Directory to issue certificates, often automatically. An IPSec connection comprises of two modes: Main mode and Quick mode. Main Mode is the first part of an IPSec connection. In Main Mode, each computer authenticates to the other and then IKE is used to calculate the master key. All other keys are generated from the master key. An IKE security association (SA. is created over which Quick Mode can be negotiated. Quick Mode is the second phase of IPSec. In Quick Mode, agreement is reached for the encryption, integrity algorithms, and other policy settings. Two SAs are created, one incoming and one outgoing. Incorrect answers: A. Always digitally encrypting or signing secure channel data does not necessarily ensure the ability to make IPSec connections. B. An automatic certificate request in the computer settings section of the Default Domain GPO is not the solution. C. Obtaining a new certificate from a public CA is not going to ensure that all computers will have the ability to make IPSec connections. What is needed is to have a new computer certificate issued from your enterprise CA which should be installed on users' trusted certificate store. Reference: J. C. Mackin, Ian McLean, MCSA/MCSE self-paced training kit (exam 70-291): Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure, Microsoft Press, Redmond, Washington, 2004, p.11: 88 James Chellis, Paul Robichaux, and Matthew Sheltz, MCSA/MCSE. Windows Server 2003 Network Infrastructure Implementation, Management, and Maintenance Study Guide, Sybex Inc., Alameda, 2004, p. 11: 15