Exam 70-742 topic 1 question 232 discussion

Actual exam question from Microsoft's 70-742
Question #: 232
Topic #: 1

You have an Active Directory Rights Management Services (AD RMS) server named RMS1. Multiple documents are protected by using RMS1.
RMS1 fails and cannot be recovered. You install the AD RMS server role on a new server named RMS2. You restore the AD RMS database from RMS1 to RMS2.
Users report that they fail to open the protected documents and to protect new documents.
You need to ensure that the users can access the protected content.
What should you do?

  • A. From Active Directory Rights Management, update the Service Connection Point (SCP) for RMS1.
  • B. From DNS, create an alias (CNAME) record for RMS2.
  • C. From DNS, modify the service location (SRV) record for RMS1.
  • D. From RMS2, register a service principal name (SPN) in Active Directory.
Suggested Answer: D

Comments

paprda
Highly Voted 5 years, 9 months ago
see it would be B https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff660011(v%3dws.10)
upvoted 10 times
Bobgross
5 years, 2 months ago
"CNAME records are important for several reasons. First, when you create a piece of content, the URL for the AD RMS server is embedded into the header of it. When a user attempts to consume this content, it is this URL that is used to obtain a use license. If you originally installed AD RMS using the FQDN of the physical AD RMS server as the URL and this were to ever change, documents with the old URL would be inaccessible." This looks correct. B unless anyone has documentation to prove otherwise
upvoted 4 times
lbs
5 years ago
I agree. Correct answer is B
upvoted 1 times
GenjamBhai
4 years, 9 months ago
B is ok
upvoted 3 times
GenjamBhai
4 years, 9 months ago
CNAME redirects traffic to RMS1 to RMS2. SPNs are usually needed for custom services, Windows Server roles register SPNs automatically when installing. SCP update will work for new docs not existing docs as they store the SCP locally.
upvoted 2 times
coleman
Highly Voted 5 years, 5 months ago
The answer should be B. From DNS, create an alias (CNAME) record for RMS2. After a file is encrypted by RMS1, it marks a static service connection point into the encrypted file as follows: https://rms1.contoso.com/_wmcs/licensing. Therefore, if you moved the service to RMS2 and updated the SCP in Active Directory, this only affects plaintext files at their first-time encryption; therefore Answer A is incorrect. For existing files marked with the above static service connection point URL, they need name resolution systems to redirect them to the new RMS2; therefore Answer B is the correct solution for existing files to be decrypted with a retrieved RMS license issued by RMS2.
upvoted 6 times
yesboet
Most Recent 4 years, 5 months ago
this says that it is D https://www.briefmenow.org/microsoft/you-need-to-ensure-that-the-users-can-access-the-protec/
upvoted 1 times
Loose_Poet
4 years, 8 months ago
The question states that users cannot open documents nor can they protect new ones. This speaks of service given by RMS, which tells me that the CNAME has been updated when the second server was installed, for the fact that they get to the documents but don't have rights to open them. I would go for D (SPN).
upvoted 3 times
Shashi_Shetty
4 years, 5 months ago
If it has been decided to use a different AD RMS URL instead of the actual/old one, then the following additional actions are necessary: When content protected by the old/non-existent AD RMS servers is consumed, the request for use license will be generated for the old AD RMS URL as indicated in the publishing license (PL). To ensure clients can resolve the old AD RMS URL to the IP address of the new AD RMS server or to the load balanced IP address you will need to make the corresponding changes in the DNS data. The SSL certificate used to bind with AD RMS website needs to accommodate both the new and old AD RMS URLs. Typically a SAN (Subject Alternate Names) certificate is a good fit which can hold multiple URL entries. Alternately, a wild card certificate can also be used. Reference: https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-rights-management-services.aspx#Recovering_from_a_catastrophic_cluster_and_database_failure
upvoted 1 times
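
The two conditions the comment above describes (the old AD RMS URL must resolve to the new server, and the site certificate must cover the old name) can be checked together, as in this added example, which is not part of the thread or of any Microsoft tooling. Only the licensing URL comes from the discussion; the zone snapshot, IP address and SAN lists are constructed, and SPN/Kerberos is not modelled.

```python
from urllib.parse import urlsplit

def resolve(name, records, max_hops=8):
    """Follow CNAMEs in a {name: (type, value)} zone snapshot to a set of A addresses."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype == "CNAME":
            name = value.lower().rstrip(".")
        elif rtype == "A":
            return set(value)
        else:
            return set()          # name is absent from this snapshot
    return set()                  # CNAME loop or chain too long

def san_covers(host, sans):
    """True if a certificate SAN matches host; '*' stands for one left-most label only."""
    host = host.lower()
    parent = host.partition(".")[2]          # host minus its left-most label
    return any(s.lower() == host or (s.startswith("*.") and parent and s[2:].lower() == parent)
               for s in sans)

def legacy_licensing_problems(url, records, new_server_ips, cert_sans):
    """Return the reasons a client following the URL embedded in old content would fail."""
    host = urlsplit(url).hostname
    problems = []
    addrs = resolve(host, records)
    if not addrs:
        problems.append(f"{host} does not resolve")
    elif not addrs <= set(new_server_ips):
        problems.append(f"{host} resolves to {sorted(addrs)}, not the new server")
    if not san_covers(host, cert_sans):
        problems.append(f"certificate has no SAN for {host}")
    return problems

# Constructed sample data (addresses from the RFC 5737 documentation range).
URL = "https://rms1.contoso.com/_wmcs/licensing"      # URL quoted in the thread
AFTER_RESTORE = {"rms2.contoso.com": ("A", ["192.0.2.20"])}
WITH_ALIAS = dict(AFTER_RESTORE, **{"rms1.contoso.com": ("CNAME", "rms2.contoso.com")})

if __name__ == "__main__":
    for label, zone, sans in [
        ("restore only", AFTER_RESTORE, ["rms2.contoso.com"]),
        ("alias added, old cert", WITH_ALIAS, ["rms2.contoso.com"]),
        ("alias added, SAN cert", WITH_ALIAS, ["rms2.contoso.com", "rms1.contoso.com"]),
    ]:
        print(label, "->", legacy_licensing_problems(URL, zone, ["192.0.2.20"], sans) or "OK")
```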
Kamikazekiller
4 years, 9 months ago
B. From DNS, create an alias (CNAME) record for RMS2.
upvoted 2 times
khalid86
4 years, 12 months ago
The link posted by @paprda is depicting the same scenario of this question and it is from Microsoft. So the correct answer is B.
upvoted 2 times
Dhelailla
5 years ago
I agree with BrownHornet. Answer should be "B" See: "2.3.1 Restoring AD RMS services when contingency database server is not available" of the site: https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-rights-management-services.aspx#Restoring_AD_RMS_services_when_contingency_database_server_is_not_available
upvoted 2 times
BrownHornet
5 years, 2 months ago
Answer should be "B" You need to create CNAME record instead of pointing to the physical server (RMS2). https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-rights-management-services.aspx
upvoted 3 times
Nhan
5 years, 2 months ago
Users report that they fail to open the protected documents and to protect new documents => the users are able to access the documents, just can't open them; updating the DNS server record, either CNAME or SRV, won't help at all. In this case D is the correct answer; you need to update the SPN name record.
upvoted 3 times
Nhan
5 years, 3 months ago
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. D is not a correct answer
upvoted 3 times
weng
5 years, 6 months ago
Service Principal Names (SPNs) are registered by services in order for clients to identify them in a domain. Before a client can connect to a service, it must compose the SPN for that instance of service, connect to the service, and finally present the SPN for authentication via Kerberos. SPN is a unique identifier of a service instance. A SPN must be registered with Active Directory, which assumes the role of the Key Distribution Center (KDC) in a Windows domain.
upvoted 3 times
panda
5 years, 6 months ago
I think B is correct. In this case updating SCP is also correct. However in A it is RMS1 updating SCP for. If A is "updating SCP for RMS2", A is also correct.
upvoted 1 times
dan
5 years, 6 months ago
B would be correct if it were for the database supporting the AD RMS
upvoted 1 times
dan
5 years, 7 months ago
So is the answer correct for Windows 2016?
upvoted 1 times