Your network consists of an Active Directory domain. The domain controllers run Windows Server
2008 R2. Client computers run Windows 7. You need to implement Encrypting File System (EFS) for
all client computers. You want to achieve this goal while meeting the following requirements:
• You must minimize the amount of data that is transferred across the network when a user
logs on to or off from a client computer.
• Users must be able to access their EFS certificates on any client computers.
• If a client computer’s disk fails, EFS certificates must be accessible.
What should you do?

A.
Enable credential roaming.

B.
Enable roaming user profiles.

C.
Enable a Data Recovery Agent.

D.
Issue smart cards to all users.

Explanation:

Configuring Credential Roaming
Credential roaming allows for the storage of certificates and private keys within Active Directory. For
example, a user’s encrypting file system certificate can be stored in Active Directory and provided to
the user when she logs on to different computers within the domain. The same EFS certificate will
always be used to encrypt files.
This means that the user can encrypt files on an NTFS-formatted USB storage device on one
computer and then decrypt them on another, because the EFS certificate will be transferred to the
second computer’s certificate store during the logon process.Credential roaming also allows for all of
a user’s certificates and keys to be removed when he logs off of the computer.
Credential roaming is enabled through the Certificate Services Client policy, located under User
Configuration\Policies\Windows Settings\Security Settings\Public Key Policies and shown in Figure
10-4.

Figure 10-4Credential Roaming Policy
Credential roaming works in the following manner. When a user logs on to a client computer in a
domain where the Credential Roaming Policy has been enabled, the certificates in the user’s store
on the client computer are compared to certificates stored for the user within Active Directory.
■If the certificates in the user’s certificate store are up to date, no further action is taken.
■If more recent certificates for the user are stored in Active Directory, these credentials are copied
to the client computer.
■If more recent certificates are located in the user’s store, the certificates stored in Active Directory
are updated.
Credential roaming synchronizes and resolves any conflicts between certificates and private keys
from any number of client computers that a user logs on to, as well as certificates and private keys
stored within Active Directory. Credential roaming is triggered whenever a private key or certificate
in the local certificate store changes, whenever the user locks or unlocks a computer, and whenever
Group Policy refreshes. Credential roaming is supported on Windows Vista, Windows Server 2008,
Windows XP SP2, and Windows Server 2003
SP1.
MORE INFO More on credential roaming
For more information on configuring credential roaming, consult the following TechNet link:http
://technet2.microsoft.com/windowsserver2008/en/library/fabc1c44-f2a2-43e1-b52e-
9b12a1f19a331 033.mspx?mfr=true