Microsoft 70-411 Exam – Q56

Your network contains an Active Directory domain named contoso.com. The domain does not contain a certification authority (CA). All servers run Windows Server 2012 R2. All client computers run Windows 8.

You need to add a data recovery agent for the Encrypting File System (EFS) to the domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From Windows PowerShell, run Get-Certificate.
B. From the Default Domain Controllers Policy, select Create Data Recovery Agent.
C. From the Default Domain Policy, select Add Data Recovery Agent.
D. From a command prompt, run cipher.exe.
E. From the Default Domain Policy, select Create Data Recovery Agent.
F. From the Default Domain Controllers Policy, select Add Data Recovery Agent.

Correct Answer: A, C

Explanation:
CONFIGURING THE EFS RECOVERY AGENT
If, for some reason, a person leaves the company or loses the original key and the encrypted files cannot be read, you can set up a data recovery agent (DRA) that can recover EFS-encrypted files for a domain. To define DRAs, you can use Active Directory group policies to configure one or more user accounts as DRAs for your entire organization. However, to accomplish this, you need to have an enterprise CA.

ADD RECOVERY AGENTS FOR EFS
To add new users as recovery agents, assign the EFS recovery certificates issued by the enterprise CA to the user account, and then perform the following steps:

1. Log in as the DRA account.
2. Open the Group Policy Management console.
3. Expand Forest, Domains, and then the name of your domain.
4. Right-click the Default Domain Policy and click Edit.
5. Expand Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\.
6. Right-click Encrypting File System, and select Create Data Recovery Agent.
7. Click Encrypting File System and notice the certificates that are displayed.
8. Close the Group Policy Editor.
9. Close Group Policy Management console.

(Administering Windows Server® 2012, Exam 70-411, Microsoft® Official Academic Course, Patrick Regan, 2013, John Wiley & Sons, Inc., p. 196.)

The Get-Certificate cmdlet can be used to submit a certificate request and install the resulting certificate, install a certificate from a pending certificate request, and enroll for LDAP. If the request is issued, the returned certificate is installed in the store determined by the CertStoreLocation parameter and the certificate is returned in the EnrollmentResult structure with status Issued. If the request is made pending, the request is installed in the machine REQUEST store and a request is returned in the EnrollmentResult structure with status Pending.
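As an added example (not from the exam page, the MOAC text, or Microsoft's documentation), the following PowerShell session shows the command-line counterpart of the nine-step procedure above and of the Get-Certificate usage just described, together with the checks an administrator would run afterwards to confirm the DRA actually applies. The folder C:\DRA, the file names, and the helper function Test-DraCertificate are assumptions made for the example; the EFS Recovery Agent template name, the File Recovery EKU OID and the cipher.exe switches are the standard Windows ones.

```powershell
# Added example: obtain an EFS recovery certificate, hand it to Group Policy,
# and verify that domain members honour the data recovery agent (DRA).
# The C:\DRA folder and file names are assumptions for this example.

# --- 1. Obtain a recovery certificate for the DRA account -------------------
# Run this while logged on as the account that will act as DRA (step 1 above).
#
# With an enterprise CA in the forest, enroll against the built-in
# "EFS Recovery Agent" template (template name EFSRecovery); this is the
# Get-Certificate path from the paragraph above:
#   Get-Certificate -Template EFSRecovery -CertStoreLocation Cert:\CurrentUser\My
#
# Without any CA (the situation in the question), cipher.exe can generate a
# self-signed recovery certificate (.cer) plus its private key (.pfx, which
# cipher protects with a password it prompts for):
New-Item -ItemType Directory -Path C:\DRA -Force | Out-Null
cipher.exe /r:C:\DRA\EFSRecovery
# Store EFSRecovery.pfx offline; only EFSRecovery.cer is imported through
# Default Domain Policy > Computer Configuration > Policies > Windows Settings >
# Security Settings > Public Key Policies > Encrypting File System >
# Add Data Recovery Agent (the GUI step the answer key refers to).

# --- 2. Confirm the certificate really is a File Recovery certificate -------
# EFS only accepts a DRA certificate whose Enhanced Key Usage contains the
# File Recovery OID; a plain user certificate would be silently useless.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-DraCertificate {
    # Hypothetical helper for this example: returns $true when the .cer at
    # $Path carries the File Recovery EKU, $false otherwise.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
}
Test-DraCertificate -Path C:\DRA\EFSRecovery.cer   # expected: True

# --- 3. On a domain member, refresh policy and inspect an encrypted file ----
# Encrypt a throw-away file and ask cipher.exe who can decrypt it; the DRA's
# certificate must be listed under "Recovery Certificates". If it is missing,
# the policy has not reached this machine and recovery would fail.
gpupdate.exe /target:computer /force
$probe = Join-Path $env:TEMP 'efs-probe.txt'
Set-Content -Path $probe -Value 'constructed test content'
cipher.exe /e $probe     # encrypt with the logged-on user's own EFS key
cipher.exe /c $probe     # displays the users and recovery agents for the file
Remove-Item -Path $probe -Force
```

The two steps map onto the exam's answer: Get-Certificate (or, with no CA, cipher /r) produces the recovery certificate, and the Default Domain Policy's Add Data Recovery Agent entry publishes it to every domain computer. Step 3 is the check worth keeping in a runbook, because an EFS DRA that is configured but never applied gives no recovery capability at all, and that only becomes visible when someone has already lost a key.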