Your network contains an Active Directory domain named contoso.com. The domain does not contain a
certification authority (CA). All servers run Windows Server 2012. All client computers run Windows 8. You
need to add a data recovery agent for the Encrypting File System (EFS) to the domain. Which two actions
should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Windows PowerShell, run Get-Certificate.
B. From the Default Domain Controllers Policy, select Create Data Recovery Agent.
C. From the Default Domain Policy, select Add Data Recovery Agent.
D. From a command prompt, run cipher.exe.
E. From the Default Domain Policy, select Create Data Recovery Agent.
F. From the Default Domain Controllers Policy, select Add Data Recovery Agent.
Get-Certificate
Submits a certificate request to an enrollment server and installs the response or retrieves a certificate for a previously submitted request.
http://technet.microsoft.com/en-us/library/hh848632.aspx
http://technet.microsoft.com/en-us/library/cc776181(v=ws.10).aspx
I think this is C & D, Not A & C.
Get-certificate gets a certificate from a CA – which we don’t have. Surely cipher /r would be the command?
http://www.cram.com/flashcards/70-411efs-bitlocker-4663052 suggests the same.
MWB is right; http://technet.microsoft.com/en-us/library/cc771346.aspx
cipher /r: “Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing certificate and private key) and a .cer file (containing only the certificate). If /smartcard is specified, it writes the recovery key and certificate to a smart card, and no .pfx file is generated.”
It’s C and D
http://blogs.technet.com/b/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
It has been said that the domain does not contain a CA. So I think the answer should be D instead of A. Agree with sysadmin.
C and D
Get-certificate is to be used with a CA, and the question mentions that there is no CA.
So C & D it is?
Can someone please explain why not Create Recovery agent instead of Add?
I tested it in my lab.
When you open the domain policy and go to the Encrypting File System settings, it gives you two options.
Create a recovery agent
Add recovery agent.
When I tried to “create a recovery agent” it said “Windows cannot create a recovery agent. The requested certificate template is not supported by this CA”.
I guess this is because I have no CA in my lab.
On the other hand “Add recovery agent” lets you add an existing certificate.
So I guess “Add recovery agent” is correct.
It is D and E