Your company, which is named Contoso, Ltd., has offices only in North America.
The company has 2,000 users.
The network contains an Active Directory domain named contoso.com.
You plan to deploy an Active Directory Certificate Services (AD CS) infrastructure and assign certificates to all client computers.
You need to recommend a PKI solution to protect the private key of the root certification authority (CA) from being accessed by external users.
What should you recommend? More than one answer choice may achieve the goal. Select the BEST answer.

A.
An offline standalone root CA and an online enterprise issuing CA

B.
An online enterprise root CA and an online enterprise issuing CA

C.
An offline standalone root CA and an offline enterprise issuing CA

D.
An online enterprise root CA, an online enterprise policy CA, and an online enterprise issuing CA

Explanation:
Notes:
The Public Key Infrastructure Public Key Infrastructure (PKI) supported by Microsoft a hierarchical Certification Authority model. A certification hierarchy provides
scalability, ease of use and consistency with the growing number of commercial and other certification bodies. In its simplest form, a certification hierarchy consists
of a single certification body. In general, however, a hierarchy contains multiple CAs with clearly defined relations between parent and child CAs. In this model, the
subordinate CAs are certified by the documents issued by the respective parent CA certificates, through which the public key of a certification body will be bound to
the identity. The uppermost certification body in a hierarchy is referred to as root certification authority. The CAs below the root CAs are called subordinate CAs. If a
root certification authority in Windows XP and the Windows Server 2003 family as trustworthy considered (because the associated certificate is stored in the
certificate store Trusted Root Certification Authorities), are all subordinate CAs in the hierarchy than trustworthy classified, unless the certificate of a subordinate CA
has been banned by the issuing CA or has expired. Root Certification Authorities provide extremely important trust points in an organization is and should be
protected and managed in accordance with. To protect safety reasons and to the certification body from possible attacks by unauthorized persons on the network,
can be used as root of the certification hierarchy a standalone CA are used that the post-certification Issuing CA goes offline. In order to use the possibilities of
certificate auto-enrollment within the domain environment, the issuing CA type companies should be.
http://technet.microsoft.com/en-us/library/cc737481(v=ws.10).aspx