PrepAway - Latest Free Exam Questions & Answers

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys

You have an enterprise subordinate certification authority (CA) configured for key archival.
Three key recovery agent certificates are issued.
The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private
keys.
What should you do?


A.
Add a data recovery agent to the Default Domain Policy.

B.
Modify the value in the Number of recovery agents to use box.

C.
Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.

D.
Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Explanation:
Reference: MS Press – Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009), page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the
Archive The Key option and specifying a key recovery agent. In the Number of recovery agents to use box, select
the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA
can be used to recover a private key. If you specify a smaller number than the number of KRA certificates
installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the
private key using those certificates. This complicates recovery because you then have to figure out which
recovery agent certificate was used to encrypt the private key before beginning recovery.

