Your network contains an Active Directory forest named contoso.com. The forest contains an
enterprise root certification authority (CA) named CA1. The network contains a server named EX1
that has Exchange Server 2013 installed. A partner company named A . Datum Corporation has an
Active Directory domain named adatum.com. The domain contains a server named EX5 that has
Exchange Server 2010 Service Pack 2 (SP2) installed. EX5 has a Receive connector that is configured
for mutual TLS. Users in contoso.com plan to send email messages that contain sensitive data to
users in adatum.com. You need to ensure that all of the email messages sent from contoso.com to
adatum.com are encrypted by using TLS. The solution must ensure that EX1 and EX5 validate server
certificates. Which three actions should you perform? (Each correct answer presents part of the
solution. Choose three.)
A.
Run the set-transportconfig -tlssenddomainsecurelist contoso.com command.
B.
Install a certificate, and then assign the certificate to the IIS service. Send the root certificate for
contoso.com to the administrators in adatum.com.
C.
Run the New-SendConnector cmdlet and specify the domainsecureenabled parameter.
D.
Run the New-SendConnector cmdlet and specify the TlsDomain parameter.
E.
Run the set-transportconfig -tlssenddomainsecurelist adatum.com command.
F.
Install a certificate, and then assign the certificate to the SMTP service. Send the root certificate
for contoso.com to the administrators in adatum.com.
Explanation:
E: Use the Set-TransportConfig cmdlet to modify the transport configuration settings for the whole
Exchange organization. The TLSSendDomainSecureList parameter holds the remote domains to which
Domain Security (mutual TLS) must be used. In Microsoft's Domain Security procedure the Contoso
administrator runs Set-TransportConfig -TLSSendDomainSecureList woodgrovebank.com, naming the
partner's domain, not Contoso's own. Here EX1 sends from contoso.com to adatum.com, so the value
is adatum.com; the cmdlet reference's "domains from which" wording is misleading on this point.
C: A Send connector to adatum.com is needed with DomainSecureEnabled set to $true. Mutual TLS
works only when DomainSecureEnabled is $true, DNSRoutingEnabled is $true and IgnoreSTARTTLS is
$false. The TlsDomain parameter (option D) is used only when TlsAuthLevel is DomainValidation,
which is a different mode from the Domain Security the scenario describes.
F: A certificate is needed for the SMTP service on EX1; Domain Security uses the certificate
bound to SMTP, not the one bound to IIS. Handing the CA1 root certificate to adatum.com lets EX5
validate the certificate EX1 presents; for EX1 to validate EX5's certificate in turn, the
adatum.com root certificate must be trusted on EX1 as well.
I’m thinking C, E, and F.
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.141%29.aspx
You are correct.
The answer should be:
E. Run the set-transportconfig -tlssenddomainsecurelist adatum.com command.
C. Run the New-SendConnector cmdlet and specify the domainsecureenabled parameter.
F. Install a certificate, and then assign the certificate to the SMTP service. Send the root
certificate for contoso.com to the administrators in adatum.com.
——————–
E
Because the question requires ensuring that all of the email messages sent from contoso.com to adatum.com
are encrypted by using TLS.
So the value of -tlssenddomainsecurelist should be adatum.com.
https://technet.microsoft.com/en-us/library/bb123543(v=exchg.141).aspx#Step3
————————
C
Because the default value for DNSRoutingEnabled is $true, and a value for the TlsDomain parameter is required if the DNSRoutingEnabled parameter is set to $false.
The DomainSecureEnabled parameter enables mutual Transport Layer Security (TLS) authentication for the domains serviced by the Send connector when set to $true. Mutual TLS authentication functions correctly only if the following conditions are met:
DomainSecureEnabled is set to $true.
DNSRoutingEnabled is set to $true.
IgnoreSTARTTLS is set to $false.
The DNSRoutingEnabled parameter specifies whether the Send connector uses Domain Name System (DNS) to route mail. Valid values for this parameter are $true or $false. The default value is $true. If you specify a SmartHosts parameter, the DNSRoutingEnabled parameter must be $false.
The TlsDomain parameter specifies the domain name that the Send connector uses to verify the FQDN of the target certificate when establishing a TLS secured connection.
This parameter is used only if the TlsAuthLevel parameter is set to DomainValidation.
A value for this parameter is required if:
The TLSAuthLevel parameter is set to DomainValidation.
The DNSRoutingEnabled parameter is set to $false (smart host Send connector).
https://technet.microsoft.com/en-us/library/aa998936%28v=exchg.150%29.aspx
I disagree.
A is correct rather than E.
https://technet.microsoft.com/en-us/library/bb124151%28v=exchg.150%29.aspx
Read it yourself, it is black and white there:
The TLSSendDomainSecureList parameter specifies the domain FROM which you want to send domain secured email by using mutual TLS authentication.
You are sending FROM contoso, and TLSSendDomainSecureList specifies the domain FROM.
So A is correct, not E.
The correct answers are A,C and F. I am 100% sure!
The article that you mention above has a small error when it comes to the tlssenddomainsecurelist parameter.
Please check the following two articles:
1) http://social.technet.microsoft.com/wiki/contents/articles/17842.configuring-domain-security-on-exchange-server-2013.aspx
2) https://technet.microsoft.com/en-us/library/bb124151%28v=exchg.150%29.aspx
Quote: “TLSSendDomainSecureList parameter specifies the domains from which you want to send domain secured email by using mutual TLS authentication.”
So in this case, answer A is correct and not E, as we manage the contoso side and want to send emails from contoso to adatum.
I found it is a bit of a toss-up between C and D.
I mean the question didn’t say anything about the Send connector in the CONTOSO environment already being enabled for MTLS, so that makes me think C should be the correct answer.
But when I read the question, it says “The solution must ensure that EX1 and EX5 validate server certificates.”
And then, TechNet says “The TlsDomain parameter specifies the domain name that the Send connector uses to VERIFY THE FQDN OF THE TARGET CERTIFICATE when establishing a TLS secured connection.”
I am wondering, if you don’t specify the TlsDomain parameter, will that cause the servers to stop verifying each other’s certificates?
I am not sure.
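For reference, here is the contoso.com side of the Domain Security setup discussed in the Explanation and in the comments above (the Send connector conditions and the TlsDomain question), as it would be typed into the Exchange Management Shell on EX1. This is an added example, not code from the original question or from any of the commenters. The certificate subject mail.contoso.com, the connector name "To adatum.com", the connector usage type and the file path for the partner root certificate are assumptions made up for the example; the cmdlets and parameters are the documented ones. Note that TlsDomain is not set anywhere: with DomainSecureEnabled the presented certificate is validated against the trusted root store, which is why the two organizations exchange root certificates.

```powershell
# Added example (not from the original page). Run in the Exchange Management Shell
# on EX1 (contoso.com). Assumed values: certificate subject mail.contoso.com,
# connector name "To adatum.com", and C:\certs\adatum-root.cer for the partner root.

# --- Answer F: bind a CA1-issued certificate to the SMTP service ----------------
# Domain Security uses the certificate assigned to SMTP, not the one assigned to IIS.
# Assumes the certificate requested from CA1 has already been issued and imported.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*mail.contoso.com*" } |
    Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# The CA1 root certificate goes to the adatum.com administrators so that EX5 can
# validate the chain of the certificate EX1 presents. For EX1 to validate EX5's
# certificate in turn, the adatum.com root must be trusted locally (assumed file).
certutil -addstore Root C:\certs\adatum-root.cer

# --- Answer E: require Domain Security when sending to adatum.com ---------------
# The list names the remote (target) domains, so the value is adatum.com, not
# contoso.com. The @{Add=...} form appends instead of overwriting existing entries.
Set-TransportConfig -TLSSendDomainSecureList @{Add = "adatum.com"}

# --- Answer C: a Send connector to adatum.com with mutual TLS enabled ------------
# Mutual TLS works only with DomainSecureEnabled $true, DNSRoutingEnabled $true and
# IgnoreSTARTTLS $false. TlsDomain is deliberately left unset: it only applies when
# TlsAuthLevel is DomainValidation, which is a different mode from Domain Security.
New-SendConnector -Name "To adatum.com" -Usage Custom -AddressSpaces "adatum.com" `
    -SourceTransportServers EX1 `
    -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true `
    -IgnoreSTARTTLS $false

# --- Verify what was configured -------------------------------------------------
Get-TransportConfig | Format-List TLSSendDomainSecureList
Get-SendConnector "To adatum.com" |
    Format-List AddressSpaces, DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS,
                TlsAuthLevel, TlsDomain
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, NotAfter
```

The verification output should show SMTP among the certificate's Services, adatum.com in TLSSendDomainSecureList, and DomainSecureEnabled True with DNSRoutingEnabled True and IgnoreSTARTTLS False on the connector; a smart host (DNSRoutingEnabled False) on this connector would break Domain Security.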