DNSSEC Validation for fabrikam.com Namespace | Windows Server Hybrid Core Infrastructure Exam | Microsoft

Configure DNSSEC Validation

Question

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a DNS server named Server1. Server1 hosts a DNS zone named fabrikam.com that was signed by DNSSEC.

You need to ensure that all the member servers in the domain perform DNSSEC validation for the fabrikam.com namespace.

What should you do?

Answers

Explanations


C

To ensure that all the member servers in the domain perform DNSSEC validation for the fabrikam.com namespace, you need to configure the Name Resolution Policy Table (NRPT) by using a Group Policy Object (GPO). The correct answer is C.

Here is a detailed explanation of each answer choice:

A. On Server1, run the Add-DnsServerTrustAnchor cmdlet. This answer choice is incorrect because running the Add-DnsServerTrustAnchor cmdlet on Server1 will only add a trust anchor to Server1's DNS server. It will not ensure that all the member servers in the domain perform DNSSEC validation for the fabrikam.com namespace.

B. On each member server, run the Add-DnsServerTrustAnchor cmdlet. This answer choice is incorrect because running the Add-DnsServerTrustAnchor cmdlet on each member server is not the best way to ensure that all member servers perform DNSSEC validation for the fabrikam.com namespace. It is not a scalable solution, and it requires manual intervention on each member server.

C. From a Group Policy Object (GPO), add a rule to the Name Resolution Policy Table (NRPT). This answer choice is correct. The NRPT is a table that contains rules for DNS name resolution. By adding a rule to the NRPT using a GPO, you can ensure that all member servers in the domain perform DNSSEC validation for the fabrikam.com namespace. To do this, you can follow these steps:

  1. Open the Group Policy Management console.
  2. Create a new GPO or select an existing one.
  3. Navigate to Computer Configuration > Policies > Windows Settings > Name Resolution Policy.
  4. Right-click on Name Resolution Policy and select New Rule.
  5. In the New Name Resolution Policy Rule wizard, select DNS Security Extensions (DNSSEC) as the rule type and click Next.
  6. In the DNS Server Search Order section, add the DNS server that hosts the fabrikam.com zone (Server1) and click Next.
  7. In the DNS Domain Name section, enter fabrikam.com as the domain name and click Next.
  8. In the Action section, select Require DNS clients to check if the name is signed and click Next.
  9. Review the summary and click Finish.

After you apply the GPO to the domain, all member servers will perform DNSSEC validation for the fabrikam.com namespace.
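The same NRPT rule can be scripted and then checked from a member server. The following is an added example, not part of the original question or explanation; the GPO name and the `www.fabrikam.com` record are assumptions, and it expects the GroupPolicy and DnsClient modules on a domain-joined management host.

```powershell
# Added example. Run the first part with rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName   = 'DNSSEC-Validation-fabrikam'  # hypothetical GPO name
$DomainDn  = 'DC=contoso,DC=com'           # domain from the question
$Namespace = '.fabrikam.com'               # leading dot marks a DNS suffix rule

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Require DNSSEC validation for fabrikam.com'
}

# Add the NRPT rule to the GPO (not to the local machine) unless it is already there.
# The Windows DNS client does not validate signatures itself; this rule makes it
# require that its DNS server reports the answer as validated.
$existing = Get-DnsClientNrptRule -GpoName $GpoName -ErrorAction SilentlyContinue |
    Where-Object { $_.Namespace -contains $Namespace }
if (-not $existing) {
    Add-DnsClientNrptRule -GpoName $GpoName -Namespace $Namespace `
        -DnsSecEnable -DnsSecValidationRequired
}

# Link the GPO at the domain root so every member server receives it.
$linked = (Get-GPInheritance -Target $DomainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null
}

# --- Verification, run on a member server after the policy refreshes ---
gpupdate /target:computer /force | Out-Null

# The effective policy should list the namespace with validation required.
$policy = Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -like '*fabrikam.com' }
if (-not $policy) {
    Write-Warning 'No effective NRPT rule for fabrikam.com: check GPO link and scope.'
} else {
    $policy | Format-List Namespace, DnsSecValidationRequired
}

# With the rule in force, this lookup fails instead of returning data when the
# response is not validated. 'www.fabrikam.com' is a hypothetical record name.
Resolve-DnsName -Name 'www.fabrikam.com' -DnssecOk
```

If the lookup fails only after the rule is applied, check that the DNS server the client queries can validate the zone before removing the rule.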

D. From a Group Policy Object (GPO), modify the Network List Manager policies. This answer choice is incorrect because modifying the Network List Manager policies will not help you ensure that all member servers in the domain perform DNSSEC validation for the fabrikam.com namespace. The Network List Manager policies control settings related to network location awareness, such as firewall rules and network discovery options.