16.
You are responsible for managing your DNS environment. You have a UNIX BIND DNS server named BIND1 that is the master authoritative server for the zone pearson.com with TSIG protection enabled. You want to use a Windows Server 2016 DNS server named SEC1 as the secondary DNS server for this zone. You want to use an additional layer of security for zone transfer between BIND1 and SEC1. Which technology enables you to accomplish this?
  • A. TSIG
  • B. IPsec
  • C. HMAC-MD5
  • D. GSS-TSIG
Answer : [B]
Explanation :
You can secure the zone transfer from BIND1 to SEC1 through IPsec. You cannot use the Transaction Signature (TSIG) network protocol and TSIG resource records for that because Microsoft DNS servers do not support TSIG; instead, they use GSS-TSIG. It is not possible to configure Windows servers running the Microsoft DNS service to perform zone transfers from servers running BIND DNS configured as the master with TSIG protection. You also cannot use the HMAC-MD5 algorithm because Windows Server 2016 does not support this.
17.
You have a forest environment with the following domains: pearson.com, eu.pearson.com, usa.pearson.com, pearsonucertify.com, eu.pearsonucertify.com, and usa.pearsonucertify.com. Every domain has two domain controllers with AD-integrated DNS servers. Each DNS server is authoritative for the name resolution in its own domain. You plan to implement additional DNS servers in usa.pearsonucertify.com. DNS servers in usa.pearson.com must automatically know about the new DNS servers in usa.pearsonucertify.com. Which of the following is the best solution to accomplish this?
  • A. Conditional forwarding on DNS servers in usa.pearson.com
  • B. File-based stub zone on DNS servers in usa.pearson.com
  • C. AD-integrated stub zone on DNS servers in usa.pearson.com
  • D. Secondary zone usa.pearsonucertify.com on DNS servers in usa.pearson.com
Answer : [C]
Explanation :
You should create an AD-integrated stub zone on DNS servers in usa.pearson.com because all DNS server records (NS records) in usa.pearsonucertify.com will be transferred from the DNS servers (master) in usa.pearsonucertify.com to the stub zone DNS server in usa.pearson.com.
You must select the stub zone type for the usa.pearson.com zone because the NS and A records of the DNS servers in usa.pearsonucertify.com are of interest only to you, not to clients or other servers. When you know the IP addresses of the new DNS servers in the zone usa.pearsonucertify.com through the stub zone, you can implement conditional forwarding on the DNS servers of usa.pearson.com to the new DNS servers of usa.pearsonucertify.com. You can create a conditional forwarder on a DNS server in usa.pearson.com only if you know the IP addresses of the DNS servers you want to forward to. You must get those IP addresses automatically through the use of a stub zone. You also can use a file-based stub zone, but this is not the best solution; you get more security and automatic replication of the stub zone to the other AD-integrated DNS server in the same domain only if you integrate the stub zone into Active Directory.
Creating a secondary zone also will deliver NS and A records of the DNS server from usa.pearsonucertify.com, but it will do so for all other resource records as well (clients and other servers); this is not necessary because you have to know only about DNS servers.
18.
Which command can you use to enable GlobalNames zones? (Choose two.)
  • A. Set-DnsServerGlobalNameZone
  • B. Dnscmd
  • C. Set-DnsServer
  • D. Set-DnsServerPrimaryZone
Answer : [A, B]
Explanation :
You can use the dnscmd command-line utility and the Set-DnsServerGlobalNameZone PowerShell cmdlet to enable GlobalNames support.
19.
You want to sign DNS resource records with NSEC3 and RSA/SHA-2. Which Windows server version can use both standards?
  • A. Windows Server 2008
  • B. Windows Server 2012
  • C. Windows Server 2012 R2
  • D. Windows Server 2016
Answer : [D]
Explanation :
Since Windows Server 2016, a DNS server supports the standards NSEC3 and RSA/SHA-2.
20.
You want to get information about DNSKEY record behaviors on your Windows Server 2016 DNS server and your zone pearson.com. You use the following PowerShell command: $stat = Get-DnsServerStatistics -ZoneName pearson.com. Now you must use the correct command to get the information you need. Which command do you use?
  • A. $stat.ZoneQueryStatistics
  • B. $stat.ZoneUpdateStatistics
  • C. $stat.ZoneTransferStatistics
  • D. $stat.RRLStatistics
Answer : [A]
Explanation :
With Windows Server 2016, you have enhanced zone-level statistics. You can use ZoneQueryStatistics to get information about DNSKEY records on your DNS server. You cannot use ZoneUpdateStatistics because that gives you information about dynamic update behaviors. You cannot use ZoneTransferStatistics because that gives you information about zone transfers between master and secondary DNS servers. You cannot use RRLStatistics because that gives you information about Response Rate Limiting (RRL) behaviors, which is a new feature of Windows Server 2016.