ITNW - Chapter 01 (2/2)
You are the DNS manager for the eastsim.com domain. You have set up a website for your intranet that holds company information for use by the employees. Employees access the website using the URL intraweb.eastsim.com. Because of the large number of employees, you decide to configure three different web servers that will hold the intranet content. When users enter the URL in their browsers, you want to use the DNS server to respond with the IP address of one of the three servers. The DNS server should evenly use each of the three web server addresses. What should you do? (Select two. Each choice is a required part of the solution.)
- Configure three different host (A) records for intraweb.eastsim.com, with each pointing to a different server.
- On the DNS server, enable DNS Round Robin.
A client's primary DNS suffix is east.corpsim.com. The client is also configured with a DNS suffix search list containing west.corpsim.com and ny.east.corpsim.com. Which FQDNs will be included in DNS queries when DNS devolution is used by the client to resolve a single-label name of srv42? (Select two.)
- srv42.east.corpsim.com
- srv42.corpsim.com
You are the administrator for the corp.westsim.com domain. The network has two child domains, acct.corp.westsim.com and sales.corp.westsim.com. You need to configure DNS name resolution properties on the srv2.sales.corp.westsim.com server. You decide to change the network interface's TCP/IP settings to do this. When an unqualified name is submitted for name resolution, you want the server to search using the following suffixes:
- sales.corp.westsim.com
- acct.corp.westsim.com
- corp.westsim.com
- westsim.com
What should you do?
Click Advanced and from the DNS tab, configure custom search suffixes of sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, and westsim.com.
You are the network administrator for corpnet.com. The company has three domains named corpnet.com, east.corpnet.com, and west.corpnet.com. The DNS servers in each domain are only authoritative for the zones for their domains and are all member servers. You sign the corpnet.com DNS zone with DNSSEC. You need to enable the DNS servers that are not authoritative for the corpnet.com zone to perform DNSSEC validation of DNS responses for the corpnet.com zone. What should you do?
Distribute a Trust Anchor to all DNS servers that are not authoritative for the corpnet.com zone.
The image shows the current scavenging settings for the eastsim.com domain. Host (A) records within the zone are configured to refresh themselves every 7 days. You notice that sometimes a host record will be removed from the database, even though the host still exists on the network. You need to make sure that records are only removed when the host no longer exists. What should you do?
Increase the refresh interval setting.
You enter the ipconfig /all command and see the information shown in the image below. If you enter the nslookup command on this same system, which of the following do you expect to see as the address of the default server?
163.128.80.93
Match each DNS policy type on the left with its description and associated PowerShell command on the right.
- This type of policy specifies how incoming resolution queries are handled by a DNS server: Query Resolution Policies
- This type of policy controls how the DNS server performs recursion for a query: Recursion Policies
- This type of policy controls whether a zone transfer is allowed or not: Zone Transfer Policies
- Add-DnsServerQueryResolutionPolicy: Query Resolution Policies
- Add-DnsServerZoneTransferPolicy: Zone Transfer Policies
- Add-DnsServerRecursionScope: Recursion Policies
- Query, Recursion, Zone, Query, Zone, Recursion
Match each statistic on the right with the section in the output of the Get-DnsServerStatistics cmdlet where it can be found on the left. Each section may be used once, more than once, or not at all.
- Total number of dynamic update requests received: Zone Update Statistics
- Number of queries for A records not responded to: Zone Query Statistics
- Number of queries for CNAME records received: Zone Query Statistics
- Total number of zone transfer requests sent as a secondary server: Transfer
- Total number of dynamic updates rejected: Zone Update Statistics
- Update, Query, Query, Transfer, Update
The image shows the current scavenging settings for the eastsim.com domain. As you check records in the zone, you find several records that have not been updated for 16 days or longer. You need to make sure that records are automatically removed if they have not been updated in the last 14 days. What should you do?
Enable automatic scavenging on the zone.
After reconfiguring the static address of an internal web server named WEB3, your client computer can no longer connect to WEB3. However, other users are still able to connect to the same web server. You suspect that your computer still has the old IP address for WEB3 in its DNS cache. Which command can you use to verify that this is the case before clearing the DNS cache on your computer?
ipconfig /displaydns
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. The westsim.com organization has one main office with a single subnet. There are two application servers located in the main office that host a custom web application. They are named APP1 and APP2. You have been instructed to ensure that APP1 and APP2 each service about half the clients who need access to the custom web application using the minimum amount of administrative effort. You create two CNAME records linking the customapp.westsim.com Fully Qualified Domain Name (FQDN) to each of the servers. What should you do?
Enable Round Robin on the DNS server.
You administer the DNS and DHCP servers on your network. The network has just added a new subnet. The subnet is represented as a new domain in DNS named acct.istp.private. The subnet uses address 192.168.16.0/24. All servers on the subnet run Windows 2016 and all clients run Windows 10. The new subnet will use existing DNS and DHCP servers on another subnet. You need to configure DNS to support the new subnet. You configure a delegation to the new domain from its parent and create a primary zone for the new domain. You also create a primary reverse lookup zone for the subnet address. When you check the DNS database, you find that there are no A or PTR records for hosts on the subnet. At a client computer, you run the ipconfig /registerdns command. However, the corresponding DNS records are still not created. What should you do?
Enable dynamic updates on the acct.istp.private and the reverse lookup zone for the subnet.
You manage the DNS servers for the eastsim.com domain. You have a domain controller named DNS1 running Windows Server 2016 that holds a standard primary zone for the eastsim.com zone. You would like to configure DNS1 to use forwarders for all unknown zones. You edit the DNS server properties for DNS1. On the forwarders tab, you find that the Use root hints if no forwarders are available option is disabled. You also find that you are unable to edit the forwarders list. What should you do?
Enable recursion on DNS1.
You are the network administrator for a single domain with three subnets. Two subnets have all Windows 10 computers. The conference room uses the third subnet. Traveling salesmen come to the conference room and plug in their laptops to gain network access. You have configured a DHCP server to deliver configuration information to hosts on this subnet. DNS is configured for dynamic updates. Over time, you notice that the size of the DNS database continues to grow. It is beginning to have an adverse effect on DNS server performance. What should you do?
Enable scavenging of stale resource records on the zone.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016. All of the clients run Windows 10. There are two main sites, one in New York and one in Los Angeles. All of the computers in the New York site are configured with IP addresses in the 10.0.0.0/24 subnet. All of the computers in the Los Angeles site are configured with IP addresses in the 172.16.0.0/24 subnet. There is an application server located in New York named APP1 with an IP address of 10.0.0.10. There is a replica application server located in Los Angeles that is also named APP2. It has an IP address of 172.16.0.10. Users must access the application using a URL of http://customapp.eastsim.com. You create two CNAME records for customapp.eastsim.com that link to each of the two application servers. You need to ensure that users in each office will be referred to the local server when accessing the applications using this URL. What should you do?
Enable the Netmask Ordering option on the DNS server.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016 Standard edition. All of the clients run Windows 10. A domain controller named DC1 functions as a DNS server that hosts a standard primary zone, eastsim.com. All of the other domain controllers host standard secondary zones for eastsim.com. A new corporate directive requires that all DNS communication be secure. The DNS records must be cryptographically signed by the DNS server so that clients can validate that the DNS server responses are authentic and have not been subject to tampering. You must configure the DNS to comply with the new policy. What should you do?
Implement DNS Security Extensions (DNSSEC).
You are the network administrator for corpnet.com. A new corporate policy requires that DNSSEC be implemented on the corpnet.com zone. A server named DNS1 is authoritative for the corpnet.com zone. You sign the corpnet.com zone and distribute trust anchors to all non-authoritative DNS servers that will perform DNSSEC validation of data from the zone. You need to prepare the clients to perform DNSSEC validation for the corpnet.com. What should you do?
In Group Policy, configure a Name Resolution Policy.
You are responsible for managing a Windows Server 2016 system named DNS1 that functions as a DNS server. One of the domains owned by your organization is westsim.com, which is not integrated with Active Directory. Your DNS server is authoritative for this zone. Two other DNS servers in your organization named DNS2 and DNS3 contain a copy of the zone data in a multi-master configuration. You want to use DNSSEC to digitally sign zone data. You want to use DNS1 as the Key Master for DNSSEC. What should you do?
In the DNS manager, right-click the westsim.com zone and click DNSSEC > Sign the Zone.
A user reports that they can't browse to a specific website on the internet. From their computer, you find that a ping test to the web server succeeds. A traceroute test shows 17 hops to the destination web server. What is the most likely cause of the problem?
Incorrect DNS server address
You are the network administrator for your company's network. Your network consists of eight Windows Server 2016 computers, 500 Windows 10 client computers, and five UNIX servers. One of your Windows Server 2016 computers is your DNS server. The DNS zone is configured as an Active Directory-integrated zone. The DNS zone is also configured to allow dynamic updates. Users report that although they can access the Windows 10 computers by host name, they cannot access the UNIX servers by host name. What should you do?
Manually enter A (host) records for the UNIX servers in the zone database.
You configure the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same client computer using the same browser. You get an error message stating that this site cannot be reached. You have not changed the server's IP configuration since the successful test the night before. You ping WEB3 using its IP address, and you get a response back. Next, you ping WEB3 using its fully qualified domain name (FQDN), and you get a message indicating that the host could not be found. What can you assume from this message?
Name resolution is not working properly.
You are the DNS manager for the southsim.com domain. You want to configure your single DNS server so that it never uses forwarders for name resolution. What should you do?
On the DNS server, disable recursion.
You are the DNS manager for the eastsim.com domain. You have a domain controller named DC1 that holds an Active Directory-integrated zone for the eastsim.com zone. Users have complained about multiple DNS name resolution errors. You have examined the configuration, but can't see anything wrong. To help identify the problem, you would like to track the DNS packets sent and received by the server. You would also like to filter by IP address. What should you do?
On the DNS server, enable debug logging.
You manage the DNS servers that are authoritative for the private.westsim.com zone. Two servers are authoritative for the zone. DNS1 hosts the primary DNS zone, and DNS2 holds a secondary copy of the zone. You have just manually created an A resource record for the new web server on your network that is configured with a static IP address. From a client computer, you open a browser and try to connect to the new web server. You get an error message stating that the web site is not found. You run ipconfig /all and find that the client is correctly configured to use the DNS1 server as its preferred DNS server. But, as you continue to troubleshoot the problem, you discover that you incorrectly typed the server's IP address while creating its A resource record. You correct the IP address in the A record and retry connecting to the website. However, you get the same error on your workstation. What should you do?
On the client computer, run ipconfig /flushdns.
You configure the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same client computer using the same browser. You get an error message stating that this site cannot be reached. You have not changed the server's IP configuration since the successful test the night before. Which troubleshooting step should you try first to discover what the problem might be?
Ping WEB3 using its IP address.
Which utility is used to create and configure DNS policies?
PowerShell
Which type of DNS policy allows DNS Servers to resolve a hostname to an IP address based on the geographical location of both the client and the host?
Query Resolution Policy
What is the first action that a DNS client will take when attempting to resolve a single-label name to an IP address?
Query a DNS server for a host name formed by appending the client's primary DNS suffix to the single-label name.
The image shows the current scavenging settings for the eastsim.com zone. Automatic scavenging has been configured on the zone to run every hour. You want to modify the existing settings so that DNS records are deleted within 10 days after they have not been refreshed. What should you do?
Set the refresh interval to 3.
You are the network administrator for northsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. The northsim.com network has one main office with 1,500 users. There are two domain controllers called DC1 and DC2, as well as several file servers and an application server. DC1 hosts a standard primary zone for the northsim.com domain. DC2 hosts a standard secondary zone for the northsim.com domain. A new corporate security policy requires that all clients perform Secure Dynamic Updates to DNS records. You open the properties of the northsim.com forward lookup zone. The Secure Only option is missing from the Dynamic Updates drop-down combo box. You must ensure that all updates to the northsim.com DNS domain are secure. What should you do?
You should convert the northsim.com zone to an Active Directory-integrated zone.
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016. All of the clients run Windows 10. Clients routinely access a web application on a server named web1.westsim.com. During the course of the business day, you receive complaints that users attempting to access web1.westsim.com were directed to an unknown IP address on the Internet. They accessed a website that looked similar to the web application on web1.westsim.com, but were provided no functionality. After researching the internet IP address, you find that it belongs to a group of attackers suspected of hacking into company websites. You determine that the compromise occurred because of DNS cache poisoning. To protect the server, you need to ensure that cache records on the DNS server cannot be overwritten until the Time to Live (TTL) period has expired. What should you do?
You should implement the DNS Cache Locking feature.
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. The company has one main office. There is one server named DNS1 with the DNS Server role installed. A new company security directive states that servers should not use port 49308. All other port ranges are acceptable and should not be excluded. You need to configure DNS1 to adhere to the new security requirement without any loss of DNS functionality. What should you do?
You should set the SocketPoolExcludedPortRanges setting in the registry on the DNS servers to 49308-49308.