How can you make sure that all client computers use Kerberos authentication when users log in to the domain?
How would you enable an Active Directory global group named CA-Admins to issue, revoke and approve certificates without assigning more permissions than necessary?
How could you configure the servers to enable you to recover from this type of failure as quickly as possible if this type of problem happens again?