46.
You are the administrator of pearson.com. You have configured DNSSEC on your Windows Server 2016 DNS servers. You want your SMTP mail servers to validate each other’s TLS certificate. For that, you add some records to your DNS zone, as in the following PowerShell command:
    # TLSA owner name becomes _25._tcp.pearson.com (SMTP over TCP port 25)
    Add-DnsServerResourceRecord -TLSA -Name _25._tcp -ZoneName pearson.com `
        -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo `
        -MatchingType Sha256Hash -CertificateAssociationData 831B8309F329E52731A
Which new Windows Server feature allows you to add such records?
  • A. DANE
  • B. DNS policies
  • C. Response Rate Limiting
  • D. Unknown record support
  • E. IPv6 root hints
Answer: [D]
Explanation:
You should use unknown record support: with the newly added support for unknown record types (RFC 3597), you can add previously unsupported record types such as TLSA to Windows DNS Server zones in binary format.
In this example, a TLSA record is added; TLSA records are required for DANE. Other examples of such unknown record types are SMIMEA, OPENPGPKEY, TA, and TALINK. You should not choose DANE because DANE is a validation mechanism for certificates and certificate authorities.
A DANE-aware peer can verify whether a certificate really comes from the relevant CA. You should not choose DNS Policies because this feature (also new in Windows Server 2016) controls how a DNS server handles queries based on different parameters.
For example, you might create a DNS policy that answers a query for a web server's IP address with a different address depending on which datacenter is closest to the client. You should not choose Response Rate Limiting because this feature (also new in Windows Server 2016) mitigates DNS amplification attacks; it does not let you add unknown records such as TLSA records.
You should not choose IPv6 root hints because this feature (also new in Windows Server 2016) allows a Windows Server 2016 DNS server to use IPv6 root servers for name resolution.
47.
You must create a TLSA record for a server authentication certificate signed by your internal enterprise root CA. The certificate is for your web server named SRV01.pearson.com. You want to add the TLSA record correctly on your Windows Server 2016 DNS server and verify it. Determine the necessary steps for this process and put them in the correct order.
  • A. Fill in the Usage, Selector, and Matching Type fields.
  • B. Use the thumbprint of your certificate as the CertificateAssociationData parameter value on your Add-DnsServerResourceRecord command.
  • C. Paste the X.509 binary data of the certificate into the TLSA record generator.
  • D. Fill in the port number with 443.
  • E. Export the X.509 binary certificate data to the .CER file.
  • F. Fill in the transport protocol with TCP.
  • G. Fill in the domain name with srv01.pearson.com.
  • H. Fill in the domain name with pearson.com.
  • I. Open the TLSA record generator.
  • J. Select Generate.
  • K. Use the key value from the generated TLSA record as the CertificateAssociationData parameter value on your Add-DnsServerResourceRecord command.
  • L. Add the TLSA record with Add-DnsServerResourceRecord.
Answer: [C]
Explanation:
This is the correct order of steps:
1. E. Export the X.509 binary certificate data to the .CER file.
2. I. Open the TLSA record generator.
3. A. Fill in the Usage, Selector, and Matching Type fields.
4. C. Paste the X.509 binary data of the certificate into the TLSA record generator.
5. D. Fill in the port number with 443.
6. F. Fill in the transport protocol with TCP.
7. H. Fill in the domain name with pearson.com.
8. J. Select Generate.
9. K. Use the key value from the generated TLSA record as the CertificateAssociationData parameter value on your Add-DnsServerResourceRecord command.
10. L. Add the TLSA record with Add-DnsServerResourceRecord.
The following steps are incorrect:
B. Use the thumbprint of your certificate as the CertificateAssociationData parameter value on your Add-DnsServerResourceRecord command. (You cannot use the thumbprint of a certificate as the CertificateAssociationData parameter value for your Add-DnsServerResourceRecord command. You need the value generated through the TLSA record generator.)
G. Fill in the domain name with srv01.pearson.com. (You must use the name of the zone for the domain name parameter.)
48.
You want to update your DNSSEC implementation. Which of the following is the proper procedure when you plan to deploy a new certificate chain that is referenced by DANE TLSA records?
  • A. Leave the existing TLSA records and publish TLSA records that match the planned certificate chain. After deploying the planned certificate chain, remove the old TLSA records.
  • B. Remove the current TLSA records. Publish the TLSA records that match the planned certificate chain.
  • C. Publish the TLSA records that match the planned certificate chain and overwrite the current TLSA records with the settings of the new TLSA records.
  • D. Publish the TLSA records that match the planned certificate chain. Edit the existing TLSA records.
Answer: [A]
Explanation:
Before you deploy the planned certificate chain, make sure that the TLSA records that match the planned chain are published in addition to the records that match the current chain. After deploying the planned certificate chain, you can remove the TLSA records that match the previous chain. When your TLSA records are CNAME records pointing to a location where your organization's issuing authority maintains suitable TLSA records for you, you can deploy new certificates from that authority without updating the server's TLSA records. The burden of key rollover then falls on that authority, which must publish matching TLSA records before it issues certificates under a new certificate or key. Editing existing TLSA records to match a new certificate chain is not supported or recommended.
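The following script, added here as an example and not part of the exam page, carries the procedure of question 47 (derive the association data from an exported .CER file, add the record, verify it) into the rollover sequence of question 48 (publish the new record alongside the old one, remove the old one only after the new chain is deployed). Assumed values: the exported certificate path C:\certs\SRV01-new.cer, the zone pearson.com, the owner label _443._tcp.srv01, and the hypothetical helper Get-TlsaFullCertSha256; it uses Selector FullCertificate rather than the TLSA generator, so the association data is the SHA-256 of the whole DER certificate.

```powershell
# Added example (not from the exam page). Assumptions: renewed certificate exported
# to C:\certs\SRV01-new.cer, zone pearson.com, owner label _443._tcp.srv01 (a TLS
# client connecting to https://srv01.pearson.com queries _443._tcp.srv01.pearson.com).
# Selector FullCertificate means the hash covers the entire DER certificate, so the
# record must be re-published at every renewal, which is why the rollover order matters.
$zone   = 'pearson.com'
$owner  = '_443._tcp.srv01'
$newCer = 'C:\certs\SRV01-new.cer'   # assumed path to the exported .CER file

function Get-TlsaFullCertSha256 {
    param([string]$CerPath)
    # X509Certificate2 loads DER or Base64 .CER files; GetRawCertData() always returns DER
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    ($sha.ComputeHash($cert.GetRawCertData()) | ForEach-Object { $_.ToString('x2') }) -join ''
}

$newHex = Get-TlsaFullCertSha256 -CerPath $newCer
if ($newHex.Length -ne 64) { throw "Unexpected association data length: $($newHex.Length)" }

# Step 1: publish the record for the planned chain next to the existing record(s).
Add-DnsServerResourceRecord -TLSA -ZoneName $zone -Name $owner `
    -CertificateUsage DomainIssuedCertificate -Selector FullCertificate `
    -MatchingType Sha256Hash -CertificateAssociationData $newHex

# Verify: old and new TLSA records must both be present now. In an online-signed
# DNSSEC zone the new RRset is signed automatically on the next re-sign.
Get-DnsServerResourceRecord -ZoneName $zone -Name $owner |
    Where-Object { $_.RecordType -eq 'TLSA' } |
    Select-Object -ExpandProperty RecordData |
    Format-Table CertificateUsage, Selector, MatchingType, CertificateAssociationData

# Wait at least the TLSA RRset TTL before installing the new certificate on SRV01,
# so no validating client still holds a cached RRset without the new record.

# Step 2 (only after the new chain is live on SRV01): remove every TLSA record
# at this owner whose association data does not match the new certificate.
Get-DnsServerResourceRecord -ZoneName $zone -Name $owner |
    Where-Object { $_.RecordType -eq 'TLSA' -and
                   $_.RecordData.CertificateAssociationData -ne $newHex } |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force
```

Run the two steps on separate days rather than as one script; the comment between them marks where the certificate switch and the TTL wait belong.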
49.
You want to migrate the DHCP configuration (including scope configuration) of an existing Windows Server 2012 R2 DHCP server to a new Windows Server 2016 DHCP server. Which PowerShell command should you use?
  • A. Export-DhcpServer
  • B. Import-DhcpServer
  • C. Backup-DhcpServer
  • D. Restore-DhcpServer
Answer: [A]
Explanation:
With the PowerShell cmdlet Export-DhcpServer, you can export the complete DHCP Server configuration, including scope configuration, to an XML file. This exports or backs up only the configuration settings, not the DHCP data. This is exactly what the question asks for. You can transfer the settings from one DHCP server to another, but not the DHCP data. With the PowerShell cmdlet Import-DhcpServer, you can import the previously exported DHCP configuration data into your new Windows Server 2016 DHCP server. With the Backup-DhcpServer PowerShell cmdlet, you perform a complete backup of all DHCP data (DHCP leases, reservation leases, and so on). With the Restore-DhcpServer PowerShell cmdlet, you can restore DHCP data.
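The migration the explanation describes, as an added example that is not part of the exam page. Assumed names: the old server DHCP2012, the new server DHCP2016, the file paths under C:\migrate, and a management host with the DHCP RSAT cmdlets that can reach both servers; -Leases is deliberately not used, so only settings and scope configuration travel.

```powershell
# Added example (not from the exam page). Assumed server names and paths.
$old = 'DHCP2012'                       # Windows Server 2012 R2 source
$new = 'DHCP2016'                       # Windows Server 2016 target
$xml = 'C:\migrate\dhcp-config.xml'
$bak = 'C:\migrate\pre-import-backup'   # Import-DhcpServer requires -BackupPath

# 1. Export server settings and all scope configuration (no leases) to XML.
Export-DhcpServer -ComputerName $old -File $xml -Force

# 2. Import on the new server. Its current database is backed up to $bak first,
#    so a failed import can be rolled back.
Import-DhcpServer -ComputerName $new -File $xml -BackupPath $bak -Force

# 3. Verify: every IPv4 scope on the old server must exist on the new one with
#    the same address range.
$missing = foreach ($s in Get-DhcpServerv4Scope -ComputerName $old) {
    $t = Get-DhcpServerv4Scope -ComputerName $new -ScopeId $s.ScopeId -ErrorAction SilentlyContinue
    if (-not $t -or $t.StartRange -ne $s.StartRange -or $t.EndRange -ne $s.EndRange) {
        $s.ScopeId.ToString()
    }
}
if ($missing) {
    Write-Warning "Scopes missing or different on ${new}: $($missing -join ', ')"
} else {
    $n = @(Get-DhcpServerv4Scope -ComputerName $old).Count
    Write-Output "All $n IPv4 scopes from $old are present on $new"
}

# 4. The new server serves clients only once it is authorized in AD DS.
Add-DhcpServerInDC -DnsName "$new.pearson.com"
```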
50.
You manage a domain named pearson.com. You have a Windows Server 2016 DHCP server named DHCP1 and you want to implement DHCP failover with hot standby mode. You want to choose DHCP2, which is a Windows Server 2016 Nano Server, as a partner server. Which changes must you make so that you can use DHCP2 as a DHCP failover replication partner for DHCP1? (Choose two.)
  • A. Authorize DHCP server DHCP2 in AD DS
  • B. Add DHCP server DHCP2 to the domain pearson.com
  • C. Replace DHCP2 with a Windows Server 2016 Datacenter server
  • D. Install the DHCP server role on DHCP2 and authorize DHCP2
Answer: [C, D]
Explanation:
On a Windows Server 2016 Nano Server, running the DHCP Server service is not possible. Therefore, you have to replace the Nano Server with a Windows Server 2016 Datacenter server (with GUI or Server Core), install the DHCP server role, and authorize that server in AD DS. Then you can add DHCP2 as a DHCP failover replication partner. You cannot authorize DHCP2 in AD DS because you cannot install the DHCP server role on it. You can add DHCP2 to the domain pearson.com; however, it is still not a DHCP server and cannot work as a DHCP failover replication partner for DHCP1.