Objective 3.3 Exchange 2010

Question 1

You can use the EMS ______ cmdlet to change the certificate that verifies a trust. If you want to change this certificate, you need first to discover the thumbprint of the new certificate. You deploy the certificate on all Hub Transport servers and Client Access servers in your Exchange organization, identify the certificate as the next certificate, and then use the Set-FederationTrust cmdlet with the PublishFederationCertificate switch to configure the trust to use this certificate as the current certificate. For example, the following two commands configure the federation trust named Microsoft Federation Gateway to use the certificate with the thumbprint AC00F-12CBA8358253F412FD0984B5CCAF2AF4F27 as the next certificate and then deploy it as the current certificate: ______.

Answer 1

Set-FederationTrust,

Set-FederationTrust -Identity “Microsoft Federation Gateway” -Thumbprint AC00F12CBA8358253F412FD0984B5CCAF2AF4F27

Set-FederationTrust –Identity “Microsoft Federation Gateway” -PublishFederationCertificate

Question 2

When you create a federation trust, you need to obtain the thumbprint of a trusted third-party CA that can validate the trust. For example, the following command creates a federation trust named Microsoft Federation Gateway using the thumbprint of an exportable certificate: ______.

Answer 2

New-FederationTrust -Name “Microsoft Federation Gateway” –Thumbprint AC00F12CBA8358253F412FD0984B5CCAF2AF4F27

Question 3

The domain used for establishing a federation trust must be resolvable from the ______. A locally generated self-signed certificate ______ be used for this purpose.

Answer 3

Internet,

cannot

Question 4

Remember that you need to obtain an ______ certificate from a trusted external CA before you can create a federation trust.

Answer 4

X.509

Question 5

You should be aware that in order to use the Microsoft Federation Gateway, you must enroll your ______ cluster.

Answer 5

Active Directory Rights Management Services (AD RMS)

Question 6

You can enroll by using the default AD RMS cluster certificate. You can also enroll with a valid trusted certificate, provided you know the thumbprint of that certificate. For example, the following command enrolls by using the default AD RMS cluster certificate: ______.

The second command enrolls by using a certificate with the thumbprint of AC00F12CBA8358253F412FD0984B5CCAF2AF4F27: ______.

Answer 6

Install-RmsMfgEnrollment

Install-RmsMfgEnrollment -CertificateThumbprint AC00F12CBA8358253F412FD0984B5CCAF2AF4F27

Question 7

You need to configure DNS with a ______ resource record that provides proof-of-ownership for your domain name.

Answer 7

TXT

Question 8

You can obtain the application identifier by using the EMS ______ cmdlet. For example, the following command retrieves properties (including identifiers) of federation trusts configured for the organization: ______.

Answer 8

Get-FederationTrust,

Get-FederationTrust | FL

Question 9

Remember that the proof-of-ownership (or application identifier) is stored in DNS as a ______ resource record.

Answer 9

TXT

Question 10

The exam might test that you know how to create and configure an organizational relationship. You can use the ______ Wizard in the EMC for this task. If instead you choose to use the EMS, you must access the Federated Organization Identifier (OrgID) by using the EMS ______ cmdlet. You then pipe the output from this cmdlet into the ______ cmdlet. For example, the following command creates an organization relationship with the Contoso organization, enabling free/busy information and specifying that the requesting organization receives free/busy, subject, and location information from the target organization: ______.

Answer 10

New Organizational Relationship,

Get-FederationInformation,

New-OrganizationRelationship

Get-FederationInformation -DomainName Contoso.com | New-OrganizationRelationship -Name “Contoso” -FreeBusyAccessEnabled $true -FreeBusyAccessLevel -LimitedDetails

Question 11

If you enable the sharing of free/busy information, you can configure one of three levels of access. You can configure the following levels of access: ______.

Answer 11

1. No Calendar sharing
2. Calendar sharing with free or busy information only
3. Calendar sharing with free or busy information, plus subject and location

Question 12

You can use the ______ cmdlet to change settings of an organizational relationship. For example, the following command disables the organization relationship with Contoso: ______.

Answer 12

Set-OrganizationRelationship,

Set-OrganizationRelationship -Identity “Contoso” -Enabled $false

Question 13

You can use the EMS ______ cmdlet to configure federated organization identifiers. You configure a federated organization identifier to create an account namespace for your Exchange organization with the Microsoft Federation Gateway and enable federation so that you can make use of the facilities that federation provides. For example, the following command configures and enables a federated organization identifier for the Adatum.com Exchange organization: ______.

Answer 13

Set-FederatedOrganizationIdentifier,

Set-FederatedOrganizationIdentifier -DelegationFederationTrust “Microsoft Federation Gateway” -AccountNamespace “Contoso.com” -Enabled $true

Question 14

You might need to register multiple domain names in your Active Directory forest with Microsoft Federation Gateway. Although you can use a wildcard certificate, such as *.adatum.com, there are security implications in doing this. A more secure alternative is to list each of the required domains as ______ in the trusted X.509 certificate.

Answer 14

SANs

Question 15

You use the EMS Get-Mailbox cmdlet to obtain the mailbox or mailboxes to which you want to apply the sharing policy and the EMS ______ cmdlet to apply the policy. For example, the following command configures all mailboxes associated with the Marketing department to use the Adatum Marketing federated sharing policy: ______.

Answer 15

Set-Mailbox,

Get-Mailbox –Filter {Department –eq “Marketing”} | Set-Mailbox –SharingPolicy “Adatum Marketing”

Question 16

To enable federated sharing, you need to register your organization with the Microsoft Federation Gateway. You then configure a federated sharing relationship with another organization that also registers with the Microsoft Federation Gateway, which acts as a ______ for all connections that the organizations make with each other.

Answer 16

hub

Question 17

When you enable federation sharing, all interorganizational communication is sent through your organization’s ______ servers so that federated sharing works with any client that can connect to Exchange 2010, including OWA, Outlook 2003, Outlook 2007, and Outlook 2010.

Answer 17

Exchange 2010

Question 18

To implement federated sharing, you need to establish the following three components in Exchange 2010: ______.

Answer 18

1. A federation trust
2. An organization identifier
3. A sharing relationship with the organizations with which your organization shares data

Question 19

You can use the EMS ______ cmdlet to add a specified domain to an existing federation trust. For example, the following command adds the domain mail.adatum.com:

Answer 19

Add-FederatedDomain,

Add-FederatedDomain –DomainName mail.adatum.com

Question 20

You configure the properties of a trust by using the ______ cmdlet (not the New-FederationTrust cmdlet).

Answer 20

Set-FederationTrust

Question 21

You should know that a federated organization defines what authoritative ______ in an Exchange organization are available for federation.

Answer 21

domains

Question 22

You should be aware that the first domain you specify with the organization identifier is known as the account ______.

Answer 22

namespace

Question 23

An organization’s federated organization identifier is generally created by using the organization’s primary domain name and configuring the AccountNamespace parameter of the ______ cmdlet with this value.

Answer 23

Set-FederatedOrganizationIdentifier

Question 24

Before you can configure a sharing relationship with another organization, both organizations must configure a federation trust with the Microsoft ______ Gateway.

Answer 24

Federation

Question 25

You can use the EMS ______ cmdlet to create a relationship with an external Microsoft Exchange Server 2010 organization. For example, the following command creates an organization relationship with the Adatum.com forest; free/busy access is enabled and the requesting organization receives time, subject, and location information from the target organization: ______.

Answer 25

New-OrganizationRelationship,

Get-FederationInformation -DomainName Adatum.com | New-OrganizationRelationship -Name “Adatum” -FreeBusyAccessEnabled $true -FreeBusyAccessLevel -LimitedDetails.

Question 26

The default sharing policy is not assigned to any mailboxes by default. If you want to enable users to participate in federated sharing, you can add their ______ to the default sharing policy or create a new sharing policy.

Answer 26

mailboxes

Question 27

Creating or configuring a sharing policy requires that a ______ trust has been created between your Exchange 2010 organization and the Microsoft Federation Gateway and the federated organization identifier is configured.

Answer 27

federation

Question 28

You can use the EMS ______ cmdlet to create a sharing policy and the Set-SharingPolicy cmdlet to modify a policy. For example, the following command creates a sharing policy called Blue Sky Airlines for the mail.BlueSkyAirlines.com domain, which is external to your organization. This policy allows users in the mail.BlueYonderAirlines.com domain to see detailed free/busy information and contacts. By default, the policy is enabled: ______.

Answer 28

New-SharingPolicy,

New-SharingPolicy -Name “Blue Sky Airlines” -Domains ‘mail.BlueYonderAirlines.com: CalendarSharingFreeBusyDetail, ContactsSharing’

Question 29

The following command modifies a sharing policy named Contoso for the contoso.com domain, which is external to your organization. Users in the Contoso domain can see your users’ availability (free/busy) information: ______.

Answer 29

Set-SharingPolicy -Identity Contoso -Domains ‘contoso.com: CalendarSharingFreeBusySimple, Contacts’

Question 30

You can use the ______ cmdlet (not the Set-SharingPolicy cmdlet) to get details about a sharing policy. For example, the following command displays all the available information for the sharing policy for Blue Yonder Airlines: ______.

Answer 30

Get-SharingPolicy,

Get-SharingPolicy “Blue Yonder Airlines” | FL

Question 31

If you no longer require a sharing policy, you can remove it by using the EMS ______ cmdlet. However, you cannot remove a sharing policy that has ______ assigned to it, and you first need to assign them to another policy.

Answer 31

Remove-SharingPolicy,

mailboxes

Question 32

You can use the EMS ______ cmdlet to list role assignees. The following command lists details of the federated sharing management role, including a list of groups, users, or universal security groups assigned to the role: ______.

Answer 32

Get-ManagementRoleAssignment,

Get-ManagementRoleAssignment -Role “Federated Sharing” | FL

Question 33

You can add assignees, both users and groups, to the federated sharing management role. For example, the following command assigns the federated sharing role to the Adatum Federation role group and applies the Organization predefined scope: ______.

Answer 33

New-ManagementRoleAssignment -Name “Federated Sharing Adatum Federation” -SecurityGroup “Adatum Federation” -Role “Federated Sharing” -RecipientRelativeWriteScope Organization

Question 34

You can remove role groups, users, and universal security groups from this management role. However, there must always be at least one ______ role assignment for this role granted to a role group or universal security group.

Answer 34

delegating

Question 35

If you remove the role assignment between the management role group and the federated sharing management role, all members of the role group lose the ability to manage federated sharing. If you want to remove the permissions from one member only, you need instead to remove that member from the management role group. The following command removes the management role assignment named Federated Sharing Adatum Federation from the federated sharing role group: ______.

Answer 35

Remove-ManagementRoleAssignment “Federated Sharing Adatum Federation”

Question 36

You are configuring federation for the contoso.com domain. You have stored the application identifier (or proof-of-ownership) used for the federated trust in a DNS record. What type of DNS record do you use?

Answer 36

A DNS TXT resource record.

Question 37

What EMS command do you issue to create an organizational relationship with the Adatum organization, enabling free or busy information and specifying that the requesting organization receives free/busy, subject, and location information from the target organization?

Answer 37

You issue the following command:

Get-FederationInformation -DomainName Adatum.com | New-OrganizationRelationship -Name “Adatum” -FreeBusyAccessEnabled $true -FreeBusyAccessLevel –LimitedDetails

Question 38

What type of certificate do you need to establish a federation trust?

Answer 38

You need to submit a valid X.509 certificate issued by an external CA trusted by Windows Live Domain Services.

Question 39

What EMS command do you issue to list details of the federated sharing management role, including a list of groups, users, and universal security groups assigned to the role?

Answer 39

You issue the following command:

Get-ManagementRoleAssignment -Role “Federated Sharing” | FL

Question 40

What EMS cmdlet can you use to create a sharing policy, and what EMS cmdlet lets you modify such a policy?

Answer 40

You use the New-SharingPolicy cmdlet in the EMS to create a sharing policy and the Set-SharingPolicy cmdlet to modify a policy.