AZ-801 · Question #87
AZ-801 Question #87: Real Exam Question with Answer & Explanation
Question
Where should you install the Password Export Server (PES) service, and where should you generate the encryption key? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation
This question tests knowledge of Microsoft Identity Manager (MIM) Password Synchronization architecture, specifically the correct placement of the Password Export Server (PES) service and where its encryption key must be generated to enable secure cross-domain or cross-forest password sync.
Approach. The Password Export Server (PES) service must be installed on each Domain Controller in the source domain, because it operates as a password change notification filter at the OS level: it can only intercept password changes where they originate (on the DC itself). The encryption key, however, must be generated on the MIM Synchronization Server (the server running the MIM Sync Service), which acts as the central orchestrator. The key is then exported from MIM Sync and imported onto the domain controllers where PES is installed, so that password data is encrypted in transit between the DC and the MIM Sync server. Getting either placement wrong breaks the trust chain and prevents password export from functioning.
Concept tested. Microsoft Identity Manager (MIM) Password Synchronization, correct installation topology: PES on Domain Controllers (source domain), encryption key generated on the MIM Synchronization Server.
Reference. Microsoft Docs: 'MIM 2016 Password Change Notification Service on Domain Controller' - docs.microsoft.com/en-us/microsoft-identity-manager/infrastructure/mim2016-password-management