PrepAway - Latest Free Exam Questions & Answers

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys

You have an enterprise subordinate certification authority (CA) configured for key archival.
Three key recovery agent certificates are issued. The CA is configured to use two recovery
agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new
private keys.
What should you do?

A. Add a data recovery agent to the Default Domain Policy.

B. Modify the value in the Number of recovery agents to use box.

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.

D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Explanation:
MS Press – Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009), page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console
by selecting the Archive The Key option and specifying a key recovery agent. In the Number
of recovery agents to use box, select the number of key recovery agent (KRA) certificates you
have added to the CA. This ensures that each KRA can be used to recover a private key. If
you specify a smaller number than the number of KRA certificates installed, the CA
randomly selects that number of KRA certificates from the available total and encrypts the
private key using those certificates. This complicates recovery because you then have to
figure out which recovery agent certificate was used to encrypt the private key before
beginning recovery.

