31.
You want to enable DNSSEC validation on your Windows Server 2016 DNS server. Which setting or command can you use?
  • A. Advanced tab of DNS server properties
  • B. (Get-DnsServer).DNSSetting.EnableDnsSec
  • C. Get-DnsServerDnsSecZoneSetting
  • D. DnsCmd.exe <servername> /Config /enableDNSSEC 2
Answer : [B]
Explanation :
In versions before Windows Server 2016, DNSSEC validation could be enabled or disabled with a checkbox on the Advanced tab of the DNS server properties. In Windows Server 2016 that checkbox is gone; the setting is managed through PowerShell instead. (Get-DnsServer).DNSSetting.EnableDnsSec shows whether validation is enabled; to change it, set EnableDnsSec on the object returned by Get-DnsServerSetting -All and write the object back with Set-DnsServerSetting. Reading the property alone changes nothing. Get-DnsServerDnsSecZoneSetting only reports the DNSSEC settings of a signed zone (key master, NSEC/NSEC3 parameters and so on); it does not control server-wide validation. dnscmd.exe can also enable validation on a Windows Server 2016 DNS server, but the EnableDNSSEC parameter takes 1 (enabled) or 0 (disabled), so the value 2 in option D is not valid.
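The full sequence, as an added example that is not part of the original page: read the current value, enable validation by writing the setting object back, and confirm from both PowerShell and dnscmd. It assumes you run it elevated on the Windows Server 2016 DNS server itself (every cmdlet used also accepts -ComputerName for a remote server).

```powershell
# Added example, not from the original page. Run elevated on the DNS server.

# Get-DnsServerSetting without -All returns only a few properties, so -All is
# required to see EnableDnsSec at all.
$setting = Get-DnsServerSetting -All
"DNSSEC validation currently enabled: $($setting.EnableDnsSec)"

# Reading the property changes nothing. To enable validation, flip the flag on the
# object and write the whole object back with Set-DnsServerSetting.
if (-not $setting.EnableDnsSec) {
    $setting.EnableDnsSec = $true
    Set-DnsServerSetting -InputObject $setting
}

# Confirm from PowerShell and from dnscmd. dnscmd takes 1 (enabled) or 0 (disabled).
(Get-DnsServerSetting -All).EnableDnsSec
dnscmd.exe $env:COMPUTERNAME /Info /EnableDnsSec

# Equivalent one-shot change with dnscmd, still supported on Windows Server 2016:
#   dnscmd.exe $env:COMPUTERNAME /Config /EnableDnsSec 1
```

Enabling validation on a server is only useful if it also holds trust anchors (or can reach the root trust anchor); without an anchor covering a zone, the server simply returns responses unvalidated.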
32.
You are responsible for the domain pearson.com. You do not use hardware solutions to safeguard cryptographic keys. You have three domain controllers with the DNS server role installed: DC1, DC2, and DC3 (an RODC). DC1, the DNSSEC key master for the file-based zone pearson.com, goes offline. You try to transfer the DNSSEC key master role from DC1 to DC2 and get the following message: “The DNS server DC1.pearson.com is the Key Master, Status: Inactive.” DC1 cannot be recovered. You want to seize the key master role to DC2 without redistributing trust anchors. From which location can DC2 get the private key data for the zone?
  • A. Certificate
  • B. Active Directory on DC2
  • C. Active Directory on DC3
  • D. HSM
Answer : [A]
Explanation :
If the key master DC1 is offline and cannot be recovered, the role can still be moved to another server; this is called seizing. To seize the role without re-signing the zone, DC2 must have access to the zone’s existing private key data. That is the case when the keys are stored in Active Directory (only for AD-integrated zones) or in another location DC2 can reach, such as a certificate or a hardware security module (HSM).
If the private key data is not available, the role can still be seized, but new keys must be generated, the zone must be re-signed with them, and every distributed trust anchor for the zone must then be redistributed. In this scenario there is no HSM, so the keys cannot come from there. The zone is file-based, so its keys were never stored in Active Directory; AD on DC2 is therefore not a source. (Even for an AD-integrated zone, private keys are replicated only to writable DCs running DNS, never to an RODC, so DC3 would not hold them either.) The only remaining source is the certificate in which the key material is stored, which is why option A is correct.
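The seizure itself, as an added example that is not part of the original page. It assumes you run it on DC2, that the zone keys were created by the Microsoft software key storage provider and stored in the server’s MS-DNSSEC certificate store, and that a PFX backup of them was taken from DC1 before it failed; the backup path is hypothetical. If no copy of the keys exists, the seizure still succeeds but produces new keys and forces a re-sign and trust anchor redistribution.

```powershell
# Added example, not from the original page. Run elevated on DC2.
$zone = 'pearson.com'

# 1. Confirm who holds the role. With DC1 dead the status shows as inactive.
Get-DnsServerDnsSecZoneSetting -ZoneName $zone | Select-Object ZoneName, KeyMasterServer

# 2. For a file-based zone without an HSM, the DNS server keeps the KSK/ZSK private keys
#    as self-signed certificates in the local MS-DNSSEC store (assumption stated in the
#    lead-in). DC2 can seize without re-signing only if those keys are present here.
$keys = Get-ChildItem Cert:\LocalMachine\MS-DNSSEC -ErrorAction SilentlyContinue
if (-not $keys) {
    # Restore the backup exported from DC1 (hypothetical path). Without it, seizing
    # generates new keys, re-signs the zone and invalidates distributed trust anchors.
    Import-PfxCertificate -FilePath 'C:\backup\pearson-dnssec-keys.pfx' `
        -CertStoreLocation Cert:\LocalMachine\MS-DNSSEC `
        -Password (Read-Host -AsSecureString 'PFX password')
}

# 3. Seize the role. -SeizeRole is what distinguishes this from a normal transfer,
#    which requires the current key master to be online and reachable.
Reset-DnsServerZoneKeyMasterRole -ZoneName $zone -KeyMasterServer 'DC2.pearson.com' `
    -SeizeRole -Force

# 4. Verify the new holder.
(Get-DnsServerDnsSecZoneSetting -ZoneName $zone).KeyMasterServer
```

Back up the key material of every file-based signed zone before the key master is lost; after the fact there is nothing to seize except the role name.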
33.
You want to add a DS record to your Windows Server 2016 DNS server. Which of the following configuration options is not a valid solution?
  • A. DNSSEC Zone Signing Wizard
  • B. DS resource record set
  • C. DNS Manager
  • D. PowerShell
Answer : [A]
Explanation :
The DNSSEC Zone Signing Wizard cannot create DS records. It generates the keys and the DNSKEY records of the zone being signed, and the signing process writes the DS records for that zone into a DS record set (DSSET) file, dsset-<zonename>, in the C:\Windows\System32\dns folder. A DS record belongs in the parent zone, so it is the parent’s administrator who imports that file; -ZoneName therefore names the zone that receives the DS records. For a zone named pearson.com you can import DS records from such a file with the following PowerShell command: Import-DnsServerResourceRecordDS -ZoneName pearson.com -DSSetFile “c:\windows\system32\dns\dsset-pearson.com”. Imported and manually created DS records are visible in DNS Manager in the zone itself; the Trust Points folder shows the trust anchors (DNSKEY or DS) configured on the server, which are a different thing. You can also add DS records by hand in DNS Manager or directly with PowerShell (Add-DnsServerResourceRecordDS).
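Both ways of getting a DS record into a parent zone, as an added example that is not part of the original page. It assumes this server hosts the parent zone pearson.com and a signed child zone sec.pearson.com whose DSSET file was written to the DNS folder; the key tag and digest in the manual variant are constructed placeholders, not real values.

```powershell
# Added example, not from the original page. Run elevated on the server hosting the parent.
$parent = 'pearson.com'
$childLabel = 'sec'                      # relative name of the child inside the parent
$child = "$childLabel.$parent"           # sec.pearson.com

# Option 1: import every DS record from the DSSET file the child's signing produced.
# The file name is assumed to follow the dsset-<zonename> convention.
$dsset = Join-Path $env:SystemRoot "System32\dns\dsset-$child"
if (Test-Path $dsset) {
    Import-DnsServerResourceRecordDS -ZoneName $parent -DSSetFile $dsset -PassThru
}

# Option 2: add one DS record by hand, e.g. when the child zone is hosted elsewhere and
# its operator sent you the DS values. Key tag and digest here are made-up placeholders.
Add-DnsServerResourceRecordDS -ZoneName $parent -Name $childLabel `
    -KeyTag 12345 -CryptoAlgorithm RsaSha256 -DigestType Sha256 `
    -Digest '0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF' `
    -PassThru

# Verify: the DS records live in the parent zone under the child's label.
Get-DnsServerResourceRecord -ZoneName $parent -Name $childLabel -RRType DS

# Cross-check against what the child actually signs with: the DS digest must match the
# child's current KSK, otherwise validators see a broken chain of trust.
Resolve-DnsName -Name $child -Type DNSKEY -DnssecOk -ErrorAction SilentlyContinue
```

Prefer the DSSET import whenever you have the file: typing a 64-hex-digit digest by hand is exactly the kind of step where a single wrong character silently breaks validation for the whole child zone.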
34.
You unsign the zone pearson.com on a Windows Server 2016 DNS server. After doing so, you notice that validation requests fail and DNS resolution for the zone fails. Which component do you need to remove to solve the problem?
  • A. RRSIG records
  • B. Trust anchor
  • C. NRPT settings
  • D. RRset
Answer : [B]
Explanation :
If the trust anchors are not removed when a zone is unsigned, validating DNS servers that still hold them keep trying to validate responses for the zone. Because the zone no longer carries signatures, that validation fails, and with it DNS resolution for the zone. The RRSIG records are removed automatically when you unsign the zone (with the DNSSEC Zone Signing Wizard or Invoke-DnsServerZoneUnsign), as are the other DNSSEC-specific records such as DNSKEY and NSEC/NSEC3. The NRPT settings do not have to be reconfigured: they tell clients which namespaces require validation, and the clients still need them for the DNSSEC-enabled servers and zones that remain. An RRset is simply the set of resource records that share an owner name, type and class; it is not a DNSSEC component and not something you remove to solve this problem.
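The unsign-then-clean-up sequence, as an added example that is not part of the original page. It assumes pearson.com is signed on this server and that this server (or another validating server you manage, reached with -ComputerName) holds a trust anchor for it; the server name used for the test query is the one from the question.

```powershell
# Added example, not from the original page. Run elevated.
$zone = 'pearson.com'

# Unsign the zone. RRSIG, DNSKEY and NSEC/NSEC3 records are removed automatically.
Invoke-DnsServerZoneUnsign -ZoneName $zone -Force

# A stale trust anchor makes every validating resolver that holds it treat the now
# unsigned zone as bogus. List what is configured for the zone on this server...
Get-DnsServerTrustAnchor -Name $zone -ErrorAction SilentlyContinue

# ...and remove it. Repeat on every validating DNS server the anchor was distributed to;
# that distribution is exactly what makes a forgotten anchor hard to track down.
Remove-DnsServerTrustAnchor -Name $zone -Force -ErrorAction SilentlyContinue

# Test from a validating client's point of view. With the anchor gone the answer comes
# back unsigned; with it still present the query fails validation.
Resolve-DnsName -Name "www.$zone" -Type A -Server 'DC1.pearson.com' -DnssecOk
```

Anchors that were pushed to other organisations’ resolvers cannot be removed by you; that is why planned unsigning normally starts by asking those parties to drop the anchor first, rather than by unsigning.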
35.
You plan to roll over a DNSSEC KSK that is waiting for a parent DS update. You manually have updated the DS record in the parent zone. Now you want to force the rollover. Which PowerShell cmdlet can you use?
  • A. Invoke-DnsServerSigningKeyRollover
  • B. Step-DnsServerSigningKeyRollover
  • C. Enable-DnsServerSigningKeyRollover
  • D. Grant-HgsKeyProtectorAccess
Answer : [B]
Explanation :
You can force the rollover with the PowerShell cmdlet Step-DnsServerSigningKeyRollover. First list the keys of the signed zone sec.pearson.com: Get-DnsServerSigningKey -ZoneName “sec.pearson.com”. Then force the KSK rollover that is waiting for the parent DS update, passing the key ID of that KSK: Step-DnsServerSigningKeyRollover -KeyId <KeyId> -ZoneName “sec.pearson.com” -Force. Only do this after the parent really serves the DS record for the new key; stepping the rollover while the parent still publishes the old DS breaks the chain of trust for the zone.
Invoke-DnsServerSigningKeyRollover initiates a rollover of the specified keys for a zone; it starts a rollover rather than advancing one that is waiting. Enable-DnsServerSigningKeyRollover turns automatic rollover on for a key on which it was disabled. Grant-HgsKeyProtectorAccess grants a Host Guardian Service (HGS) access to a key protector; HGS protects Hyper-V shielded virtual machines and has nothing to do with DNSSEC, so it is a wrong answer.
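The rollover step with its pre-check, as an added example that is not part of the original page. It assumes sec.pearson.com is signed on this server, its KSK rollover is parked waiting for the parent DS update, and you have just published the new DS in the parent yourself.

```powershell
# Added example, not from the original page. Run elevated on the zone's key master.
$zone = 'sec.pearson.com'

# List the KSKs. Their rollover state is part of the cmdlet's output; inspect it first.
$ksks = @(Get-DnsServerSigningKey -ZoneName $zone | Where-Object KeyType -eq 'KeySigningKey')
$ksks | Format-List *

# During a rollover two KSKs may be listed (outgoing and incoming); pick the one the
# listing shows waiting for the parent DS update. With a single KSK this is index 0.
$target = $ksks[0]

# Confirm the parent actually serves a DS record for the zone before forcing anything.
# Forcing the step while the parent still carries the old DS breaks the chain of trust.
$ds = Resolve-DnsName -Name $zone -Type DS -DnssecOk -ErrorAction SilentlyContinue
if (-not $ds) {
    throw "No DS record visible for $zone in the parent; do not step the rollover yet."
}
$ds | Format-List *

# Force the waiting KSK rollover to continue. -Force suppresses the confirmation prompt.
Step-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $target.KeyId -Force -PassThru

# For comparison:
#   Invoke-DnsServerSigningKeyRollover -ZoneName $zone -KeyId <Guid>  starts a new rollover
#   Enable-DnsServerSigningKeyRollover -ZoneName $zone -KeyId <Guid>  re-enables automatic rollover
```

The DS check queries whichever resolver the machine uses; if that resolver caches the parent’s old DS, query the parent’s authoritative servers directly with -Server so you are looking at live data rather than a cached copy.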