Exam MS-203 topic 3 question 31 discussion

C is correct

on exam 12/9/22

04/16/2022 - on the exam

I will go with C as the correct answer. The question specifically states "assigned in the Microsoft Office 365 Exchange Hybrid Configuration wizard" In the Hybrid Deployment Prerequisites here: https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites The certificate requirements state: Certificates: Assign Exchange services to a valid digital certificate that you purchased from a trusted public certificate authority (CA). Although you should use self-signed certificates for the on-premises federation trust with the Microsoft Federation Gateway, you can't use self-signed certificates for Exchange services in a hybrid deployment. The EWS external URL and the Autodiscover endpoint that you specified in your public DNS must be listed in the Subject Alternative Name (SAN) field of the certificate. The certificates that you install on the Exchange servers for mail flow in the hybrid deployment must all be issued by the same certificate authority and have the same subject. Only Cert 4 and 5 meet these requirements.

Correct Answer should be Cert1 and Cert5 Cert1: Exchange federation: A self-signed certificate is used to create a secure connection between the on-premises Exchange servers and the Azure Active Directory authentication system Cert5" When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers. Nowhere mentioned that you can use Internal CA, please share link if anyone has it to support the internal CA as answer https://docs.microsoft.com/en-us/exchange/certificate-requirements#:~:text=When%20configuring%20a%20hybrid%20deployment%2C%20you%20must%20use,Client%20Access%20%28Exchange%202013%20and%20older%29%20servers.%20Important

Correct answer: B. Cert3 and Cert5 only, Modern Hybrid Topology with Hybrid Agent can use Internal CA.

Assuming * means *.contose.com, it's C. * certificates don't exist, but only 5 is not an option. 3rd party cert is required.

cert 2 and 5

I think it refers to wilcards certificates for the domain you own: *.yourdomain.com. Obviously you can not buy a * certificates for thw whole Internet. A requisite when buying certificates related to a domain is verify that you own it.

Anyone know where I can buy a publicly signed cert for "*"? Lol. Silly answer.

Hybrid deployment require Public certificate (SAN), there for Cert4 and Cert5.

You can't generate a public cert for the name *, so this answer doesn't make sense.