Your network consists of an Active Directory domain. The domain controllers run Windows Server 2008 R2. Client computers run Windows 7.
You need to implement Encrypting File System (EFS) for all client computers.
You want to achieve this goal while meeting the following requirements:
– You must minimize the amount of data that is transferred across the network when a user logs on to or off from a client computer.
– Users must be able to access their EFS certificates on any client computer.
– If a client computer’s disk fails, EFS certificates must be accessible.
What should you do?
A. Enable credential roaming.
B. Enable roaming user profiles.
C. Enable a Data Recovery Agent.
D. Issue smart cards to all users.
Correct answer: A. Enable credential roaming.
Explanation:
Credential roaming stores only the user's certificates and private keys in Active Directory and synchronizes just those objects at logon, so the EFS certificate follows the user to every client and survives a local disk failure without copying the whole profile (which is what roaming user profiles would do). A Data Recovery Agent lets an administrator recover files but does not give users their own certificates on other computers.
Source: MCITP Self-Paced Training Kit (Exam 70-646): Windows Server Administration, "Configuring Credential Roaming".
Credential roaming allows for the storage of certificates and private keys within Active Directory. For example, a user's Encrypting File System certificate can be stored in Active Directory and provided to the user when she logs on to different computers within the domain. The same EFS certificate will always be used to encrypt files. This means that the user can encrypt files on an NTFS-formatted USB storage device on one computer and then decrypt them on another, because the EFS certificate will be transferred to the second computer's certificate store during the logon process. Credential roaming also allows for all of a user's certificates and keys to be removed when the user logs off of the computer.
Credential roaming is enabled through the Certificate Services Client policy, located under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies and shown in Figure 10-4.
Figure 10-4: Credential Roaming Policy
Credential roaming works in the following manner. When a user logs on to a client computer in a domain where the Credential Roaming Policy has been enabled, the certificates in the user's store on the client computer are compared to the certificates stored for the user within Active Directory:
– If the certificates in the user's certificate store are up to date, no further action is taken.
– If more recent certificates for the user are stored in Active Directory, these credentials are copied to the client computer.
– If more recent certificates are located in the user's store, the certificates stored in Active Directory are updated.
Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that a user logs on to, as well as certificates and private keys stored within Active Directory. Credential roaming is triggered whenever a private key or certificate in the local certificate store changes, whenever the user locks or unlocks a computer, and whenever Group Policy refreshes. Credential roaming is supported on Windows Vista, Windows Server 2008, Windows XP SP2, and Windows Server 2003 SP1 (and on their successors, including the Windows 7 clients and Windows Server 2008 R2 domain controllers in this scenario). Because the private keys are held in Active Directory, the directory becomes part of the trust boundary for every roamed EFS key: protect the user objects and their replication as you would any other key store.
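The synchronization described above is easiest to trust when you can see both sides of it. The following PowerShell script is an added example, not code from the training kit: it lists the EFS certificates in the current user's local Personal store and then reads the same user's object in Active Directory for the attributes credential roaming populates (msPKI-AccountCredentials holds the roamed certificate and key blobs, msPKIRoamingTimeStamp the last sync marker). It assumes it runs as the domain user being checked on a domain-joined client, and that the EFS EKU OID and attribute names are the standard ones; the user account name defaults to `$env:USERNAME` as an assumption.

```powershell
# Added example (not from the training kit): compare a user's local EFS
# certificates with the credential objects roamed to Active Directory.
# Assumptions: runs as the domain user under test on a domain-joined client;
# EFS EKU OID and msPKI-* attribute names are the standard ones.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-LocalEfsCertificate {
    # EFS certificates live in the user's Personal store; keep only those with
    # the EFS EKU and a usable private key (a cert without its key cannot decrypt).
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEkuOid)
        } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Get-RoamedCredentialSummary {
    param([string]$SamAccountName = $env:USERNAME)   # assumption: current user
    # DirectorySearcher needs no RSAT module and a user can read these
    # attributes on their own object, which is exactly what the roaming
    # client does at logon. Property keys come back lower-cased.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msPKI-AccountCredentials')
    [void]$searcher.PropertiesToLoad.Add('msPKIRoamingTimeStamp')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User $SamAccountName not found in the current domain" }
    New-Object PSObject -Property @{
        User                = $SamAccountName
        RoamedBlobCount     = $result.Properties['mspki-accountcredentials'].Count
        HasRoamingTimestamp = ($result.Properties['mspkiroamingtimestamp'].Count -gt 0)
    }
}

$local = @(Get-LocalEfsCertificate)
$ad    = Get-RoamedCredentialSummary

"Local EFS certificates with private key: {0}" -f $local.Count
$local | Format-Table -AutoSize
$ad | Format-List User, RoamedBlobCount, HasRoamingTimestamp

# The case a practitioner cares about: the key exists only on this disk.
if ($local.Count -gt 0 -and $ad.RoamedBlobCount -eq 0) {
    Write-Warning ('EFS certificate present locally but nothing has roamed to AD. ' +
        'Check the Certificate Services Client - Credential Roaming policy, then ' +
        'trigger a sync (lock/unlock the workstation or run gpupdate /target:user).')
}
```

Run it on two different clients after logging on with the same account; RoamedBlobCount should be non-zero on both and the local thumbprint identical, which is the property the question's second and third requirements depend on. A non-zero local count with zero roamed blobs is the disk-failure exposure the policy is meant to remove.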
MORE INFO: More on credential roaming
For more information on configuring credential roaming, consult the following TechNet link: http://technet2.microsoft.com/windowsserver2008/en/library/fabc1c44-f2a2-43e1-b52e-9b12a1f19a331033.mspx?mfr=true