
You want to get information about DNSKEY record behaviors on your Windows Server 2016 DNS server and your zone pearson.com. You use the following PowerShell command: $stat = Get-DnsServerStatistics -ZoneName pearson.com. Now you must use the correct command to get the information you need. Which command do you use? A $stat.ZoneQueryStatistics B $stat.ZoneUpdateStatistics C $stat.ZoneTransferStatistics D $stat.RRLStatistics

$stat.ZoneQueryStatistics

You want to enable DNSSEC verification for your Windows Server 2016 DNS server. Which setting or command can you use? A Advanced tab of DNS server properties B (Get-DnsServer).DNSSetting.EnableDnsSec C Get-DnsServerDnsSecZoneSetting D DnsCmd.exe <servername> /Config /enableDNSSEC 2

(Get-DnsServer).DNSSetting.EnableDnsSec

You centrally manage your DNS and DHCP servers with Windows Server 2016 IPAM server. You want to delegate administration for DNS and DHCP using role-based access control (RBAC). You have created the access roles named IPAMZoneAdmins, IPAMIPAddressAdmins, IPAMScopeAdmins, and IPAMRRAdmins. You need to create the necessary access scopes before using them to create access policies. Which PowerShell command will not run? A $zone = Get-IpamDnsZone -ZoneType Forward -ZoneName pearson.com, Set-IpamAccessScope -IpamDnsZone -InputObject $zone -AccessScopePath \Global\USA -PassThru B $ip = Get-IpamAddress -IPAddress 10.12.1.1, Set-IpamAccessScope -IpamIPNumber -InputObject $ip -AccessScopePath \Global\USA -PassThru C $scope = Get-IpamDhcpScope -AddressFamily "Ipv4" -ScopeID 10.0.0.0, Set-IpamAccessScope -IpamDhcpScope -InputObject $scope -AccessScopePath \Global\USA -PassThru D $record = Get-IpamDnsResourceRecord -ZoneName pearson.com -RecordName "PearsonServer" -RecordType A, Set-IpamAccessScope -IpamDnsResourceRecord -InputObject $record -AccessScopePath \Global\USA -PassThru

$ip = Get-IpamAddress -IPAddress 10.12.1.1, Set-IpamAccessScope -IpamIPNumber -InputObject $ip -AccessScopePath \Global\USA -PassThru

You verify the DNS server settings. You control the socket pool size value with the PowerShell commands $dns = get-dnsserver and $dns.ServerSetting.SocketPoolSize. You notice a socket pool size value of 7500. You want to reconfigure that to the default settings. Which socket pool size should you choose? A 3500 B 2500 C 3000 D 2000

2500

You have added some SRV records to your zone pearson.com. You use DANE to protect these SRV records. Developers are running tests with a new LOB application, which is dependent on DANE SRV records. They have used a DNS library that addresses DNS queries and TLSA queries in parallel to reduce the wait time for end users using that application. Which two statements are correct? A An SRV record can be ignored if the TLSA record on which it depends is not secure. B A TLSA record can be ignored if the SRV record on which it depends is not secure. C When using TLSA records with SRV records, at least one TLSA record should be published that authenticates the server's certificate. D When using TLSA records with SRV records, no TLSA record should be published that authenticates the server's certificate.

A TLSA record can be ignored if the SRV record on which it depends is not secure. When using TLSA records with SRV records, at least one TLSA record should be published that authenticates the server's certificate.

You have less DNS zone security after you have used the ConvertTo-DnsServerPrimaryZone PowerShell cmdlet to convert an AD-integrated zone to a file-based DNS zone. Which statement about file-based DNS zones is not correct? A A file-based DNS zone can use the secure dynamic update feature. B A file-based DNS zone cannot use DNSSEC. C Records in a file-based DNS zone have fewer security settings. D File-based DNS zone data can be protected with NTFS.

A file-based DNS zone can use the secure dynamic update feature.

You want to allow DNS queries only from clients from the subnet AllowedNET (172.16.0.0/16). You create a DNS server query resolution policy with the following command: Add-DnsServerQueryResolutionPolicy -Name "AllowSubnetPolicy" -Action IGNORE -ClientSubnet "NE, AllowedNET" -PassThru. However, clients from all subnets can still successfully send queries to your DNS server. What additional PowerShell cmdlet should you use to solve that problem? A Add-DnsServerClientSubnet B Remove-DnsServerClientSubnet C Add-DnsServerResourceRecord D Add-DnsServerZoneScope

Add-DnsServerClientSubnet

You have a forest environment with the following domains: pearson.com, eu.pearson.com, usa.pearson.com, pearsonucertify.com, eu.pearsonucertify.com, and usa.pearsonucertify.com. Every domain has two domain controllers with AD-integrated DNS servers. Each DNS server is authoritative for the name resolution in its own domain. You plan to implement additional DNS servers in usa.pearsonucertify.com. DNS servers in usa.pearson.com must automatically know about the new DNS servers in usa.pearsonucertify.com. Which of the following is the best solution to accomplish this? A Conditional forwarding on DNS servers in usa.pearson.com B File-based stub zone on DNS servers in usa.pearson.com C AD-integrated stub zone on DNS servers in usa.pearson.com D Secondary zone usa.pearsonucertify.com on DNS servers in usa.pearson.com

AD-integrated stub zone on DNS servers in usa.pearson.com

Which DNS zone type uses RPC network traffic for replication of DNS data? A Primary zone type B Secondary zone type C AD-integrated zone type D Stub zone type

AD-integrated zone type

You are responsible for the domain pearson.com. You don't use hardware solutions to safeguard cryptographic keys. You have three domain controllers with the DNS server role installed: DC1, DC2, and DC3 (RODC). The DNSSEC key master DC1 for the file-based zone pearson.com goes offline. You try to transfer the DNSSEC key master role from DC1 to DC2. You get the following message: "The DNS server DC1.pearson.com is the Key Master, Status: Inactive." DC1 cannot be recovered. You want to seize the key master role to DC2. You do not want to redistribute trust anchors. From which location can DC2 get private key data for the zone? A Certificate B Active Directory on DC2 C Active Directory on DC3 D HSM

Active Directory on DC2

You are in the process of provisioning your first Windows Server 2016 IPAM server through the IPAM configuration console. You add the following servers as managed servers: DHCP1, DHCP2, DHCP3, DNS1, DNS2, and DNS3. After 15 minutes, DHCP2 is still displayed with an IPAM access status of Blocked. You want to force DHCP2 to display an access status of Unblocked. Which configuration should you use? A Perform gpupdate /force on DHCP2 again. In the IPAM configuration console, refresh the server access status for DHCP2. B Add DHCP2 to the security filtering list of the IPAM_DHCP Group Policy and perform gpupdate /force on DHCP2 again. In the IPAM configuration console, refresh the server access status for DHCP2. C Add DHCP2 to the security filtering list of the IPAM_DC_NPS Group Policy and perform gpupdate /force on DHCP2 again. In the IPAM configuration console, refresh the server access status for DHCP2. D In the IPAM configuration console, refresh the server access status for DHCP2.

Add DHCP2 to the security filtering list of the IPAM_DHCP Group Policy and perform gpupdate /force on DHCP2 again. In the IPAM configuration console, refresh the server access status for DHCP2.

You want to stage a Windows Server 2016 DNSSEC deployment with Windows 10 clients. You have only writeable domain controllers and Windows Servers. You know about the 10 DNSSEC deployment steps. Which of the following two deployment steps are wrong? A Choose a zone B Choose a key master C Choose methods and settings D Sign the zone E Verify zone signing F Add DLV records G Choose DNS clients H Deploy trust anchors I Configure BIND J Configure and deploy name resolution policy Verify name resolution policy Monitor and manage

Add DLV records Configure BIND

You have some static A resource records on the DNSSEC-signed zone pearson.com on your Windows Server 2016 DNS server. You have enabled automatic scavenging with default settings. You notice that existing static A records are not removed through the automatic scavenge process; you must manually remove them. In the future, you want static A records to be removed through automatic scavenging. Which of the following is the best solution to accomplish this? A Dnscmd <ServerName> /StartScavenging B Add new static A records through the DNS manager C Add-DNSServerResourceRecordA D Unsign zone pearson.com

Add-DNSServerResourceRecordA

Subnets 172.16.3.0/24 and 172.16.6.0/24 are identified as being infected with malware. You want to block name resolution through DNS server policy. Which PowerShell cmdlet should you use to accomplish this? A Add-DnsServerQueryResolutionPolicy -Name MalwarePolicy -Action DENY -ClientSubnet 'EQ, CHSubnet1' -Disable $false B Add-DnsServerQueryResolutionPolicy -Name MalwarePolicy -Action DENY -ClientSubnet 'EQ, NYSubnet2' -Disable $false C Add-DnsServerQueryResolutionPolicy -Name MalwarePolicy -Action IGNORE -ClientSubnet 'EQ, CHSubnet1' -Disable $false D Set-DnsServerQueryResolutionPolicy -Name NYPolicy -Action IGNORE -ClientSubnet 'EQ, NYSubnet2' -Disable $true

Add-DnsServerQueryResolutionPolicy -Name MalwarePolicy -Action IGNORE -ClientSubnet 'EQ, CHSubnet1' -Disable $false

You want to change the TTL value of record SRV1 in the zone pearson.com to 4 hours. Which PowerShell command is not a working solution to accomplish this task? A Get-DnsServerResourceRecord B [System.TimeSpan]::FromHours(4) C Set-DnsServerResourceRecord D Add-DnsServerResourceRecord

Add-DnsServerResourceRecord

You have a DNS server named DNS1 (10.0.0.10) with an AD-integrated DNS zone for pearson.com, and you have configured three secondary DNS servers named DNS2 (10.0.0.49), DNS3 (10.0.0.50), and DNS4 (10.0.0.51) as secondary DNS servers. You want to restrict zone transfer from DNS1 only to DNS3 through DNS server zone transfer policies. Which command can you use? A Add-DnsServerZoneTransferPolicy -Name "IntTransfer" -Action IGNORE -ServerInterfaceIP "ne,10.0.0.10" -PassThru -ZoneName "pearson.com" B Add-DnsServerZoneTransferPolicy -Name "IntTransfer" -Action IGNORE -ServerInterfaceIP "ne,10.0.0.50" -PassThru -ZoneName "pearson.com" C Add-DnsServerZoneTransferPolicy -Name "IntTransfer" -Action ALLOW -ServerInterfaceIP "ne,10.0.0.49" -PassThru -ZoneName "pearson.com" D Add-DnsServerZoneTransferPolicy -Name "IntTransfer" -Action ALLOW -ServerInterfaceIP "ne,10.0.0.51" -PassThru -ZoneName "pearson.com"

Add-DnsServerZoneTransferPolicy -Name "IntTransfer" -Action IGNORE -ServerInterfaceIP "ne,10.0.0.50" -PassThru -ZoneName "pearson.com"

Your environment consists of one domain named pearson.com and two sites named HQ and Branch (a physically unsecure location). A firewall secures the network traffic between both sites. The HQ site consists of two domain controllers, named DC1 and DC2, with the DNS server role installed. The zone pearson.com is a signed AD-integrated zone. You install a new Windows Server 2016 RODC at the Branch site. After you do so, you find that the DNS server on that RODC does not have the pearson.com zone. Which configuration should you perform so that the DNS server on the RODC can work as a DNS server for DNS clients at the Branch site? A Make sure your firewall isn't blocking UDP DNS replies that are larger than 512 bytes. B Allow zone transfer with Set-DnsServerPrimaryZone. C Install an additional writeable domain controller at the Branch site. D Install an additional RODC at the Branch site.

Allow zone transfer with Set-DnsServerPrimaryZone.

You want to synchronize DNS zone data and root hint data for a zone to the persistent storage of a Windows Server 2016 Nano Server DNS server. Which PowerShell command can you use for that? A Start-DnsServerZoneTransfer B Sync-DnsServerZone C Add-DnsServerZoneTransferPolicy D Set-DnsServerZoneTransferPolicy

Sync-DnsServerZone

You plan to roll over a DNSSEC KSK that is waiting for a parent DS update. You have manually updated the DS record in the parent zone. Now you want to force the rollover. Which PowerShell cmdlet can you use? A Invoke-DnsServerSigningKeyRollover B Step-DnsServerSigningKeyRollover C Enable-DnsServerSigningKeyRollover D Grant-HgsKeyProtectorAccess

Step-DnsServerSigningKeyRollover

You want to migrate your Windows Server 2016 IPAM database from a local Microsoft SQL Server 2014 to an external Microsoft SQL Server 2016. You have different collations. Which command should you use to start the configuration? A Move-IpamDatabase B Set-IpamDatabase C CREATE LOGIN D CREATE DATABASE

CREATE LOGIN

You use an ISATAP router to allow network connections between your IPv4 network and your IPv6 network through an ISATAP tunnel. Which DNS server configuration do you need on your DNS server in the IPv4 network? A Configure SRV Record B Configure DNSSEC C Configure GlobalQueryBlockList D Configure Round Robin

Configure GlobalQueryBlockList

You are managing a Windows Server 2008 R2 domain named pearson.com (productive domain). All domain controllers are Windows Server 2008 R2 with a DNS server role and AD-integrated DNS zones. You want to perform a step-by-step migration from this existing domain to a newly created empty forest root domain (future domain) with the same domain name. You have installed the Windows Server 2016 forest root domain controller of the future domain (including DNS server role with the AD-integrated zone pearson.com). You want to migrate all DNS zone data from the zone pearson.com (productive domain) to the forest root DNS server (future domain) so that this DNS server is authoritative for that zone and DNS data is saved in the Active Directory of the future domain. This has to be done with the least administrative effort. Which configuration steps are the best option? A Create a forest trust between the productive and future domain. Replicate DNS data through Active Directory. B Create a stub zone on the DNS server of the future domain. Convert the stub zone to primary. (Store the zone in Active Directory.) C Activate a zone transfer on the DNS server of the productive domain for pearson.com. Configure the DNS server in the future domain as the secondary DNS server. D Convert the zone type of pearson.com from AD-integrated to primary without Active Directory. Copy the zone file to the %systemroot%\system32\dns folder of the DNS server of the future domain. Create a new primary zone on that DNS server and select Use This Existing File. Change the zone type to primary. (Store the zone in Active Directory.)

Convert the zone type of pearson.com from AD-integrated to primary without Active Directory. Copy the zone file to the %systemroot%\system32\dns folder of the DNS server of the future domain. Create a new primary zone on that DNS server and select Use This Existing File. Change the zone type to primary. (Store the zone in Active Directory.)

You have a forest root domain named pearson.com. You have to create a new child domain named eu.pearson.com. You want to implement a DNS delegation from your forest root DNS servers to the eu.pearson.com DNS servers. Which configuration possibility should you use? A Add-DnsServerForwarder B Install-ADDSForest C Create DNS delegation automatically D Install-ADDSDomainController

Create DNS delegation automatically

You have two Windows Server 2016 DHCP servers named DHCP1 and DHCP2 that are managed through a Windows Server 2016 IPAM server named IPAM1. You have created an IP scope named ChicagoScope with an IP range from 172.16.0.100/24 to 172.16.0.200/24 on DHCP1. You configure a DHCP Policy named DHCPPolicyChicago on IPAM1. In the Server Policy window on IPAM1, you define DHCP Policy conditions and settings and create the DHCP policy. After that, on IPAM1, you configure DHCP failover between DHCP1 and DHCP2 in hot standby mode. After replication, ChicagoScope is present on DHCP2, but DHCPPolicyChicago is missing in ChicagoScope on DHCP2. You must ensure that DHCPPolicyChicago can be automatically replicated successfully between DHCP1 and DHCP2. Which configuration is necessary? A Create a scope policy on DHCP2. B Create a scope policy on DHCP1. C Select Import Policy on DHCP1. D Select Import Policy on DHCP2.

Create a scope policy on DHCP1.

You have two domains named pearson.com and a child domain named usa.pearson.com. The test.com zone (AD-integrated) resides on DNS1 and DNS2 (both in pearson.com). You must replicate the DNS data from test.com through AD replication only to DNS3 (usa.pearson.com). Which AD partition should you use? A DomainDNSZones B ForestDNSZones C Custom application directory partition D Configuration partition

Custom application directory partition

You think about a high-availability solution for your DHCP service. You have two virtual DHCP servers with Windows Server 2016 Datacenter running on a Windows Server 2016 Hyper-V host. The servers are in the same domain, but in different subnets. You want to implement the solution with the least amount of administrative effort and automatic failover functionality for DHCP scopes. Which solution is the best option? A Failover cluster with two nodes B DHCP failover with hot standby mode C DHCP failover with load sharing mode D Hyper-V Replica feature

DHCP failover with hot standby mode

You have configured your Windows Server 2016 DHCP server with a scope of 10.0.0.0/16 and the two scope options Option 003: 10.0.0.10 and Option 006: 10.0.0.20. Some of your DHCP clients get a DNS server of 10.0.0.100 and a default gateway of 10.0.0.200 from that DHCP server. What is a possible cause? A DHCP failover B DHCP Policy C DNS Policy D DNSSEC

DHCP Policy

You are responsible for the DNS zone named pearson.com. Some clients of the subnet named Paris cannot reach resources on your partner company pearsonucertify.com through hostnames. However, they can reach the resources through IP addresses without problems. Clients from other internal networks have no problems accessing such resources. Which network components should you verify? (Choose four.) A DHCP Policy B DNS server options C DNS server zone transfer policy settings D DNS server zone scope settings E DNS server client subnet settings F DNS server recursion policy settings

DHCP Policy DNS server zone scope settings DNS server client subnet settings DNS server recursion policy settings

You want to register domain clients of a partner company domain named also.ch on a guest DNS suffix zone in your DNS server named guests.pearson.com when they try to obtain IP address configuration from your DHCP server. Which kind of policy must you create for that? A Group Policy with Name Resolution Policy Table settings B DHCP Policy based on FQDN and operator Is Not Single Label C DHCP Policy based on FQDN and operator Is Single Label D DHCP Policy based on MAC address condition E DNS Policy with zone scope configuration F DNS Policy with recursion policy settings

DHCP Policy based on FQDN and operator Is Not Single Label

Which global DNS setting can be used as a DNS load-balancing configuration setting? A Enable DNSSEC B Enable Round Robin C Enable Cache Against Pollution D Enable BIND Secondaries

Enable Round Robin

You must configure some settings on a Windows Server 2016 Nano Server locally. Which of the following configurations can you not configure within the Nano Server Recovery Console? A Computer name B Gateway address C DNS server D IPv6 address

DNS server

You add a DNS server with the IP address of 172.16.0.20 to the server-based forwarders list on your DNS server named DNS1, which is the authoritative DNS server for pearson.com. A conditional forwarder for the zone pearsonucertify.com still exists with the same IP address for the authoritative DNS server for pearsonucertify.com. To which DNS server will DNS1 forward DNS requests? A DNS server in the forwarder list B DNS server in the conditional forwarder list

DNS server in the conditional forwarder list

You are responsible for the administration of your Windows Server 2016 DNS server, which is installed on a domain controller as an AD-integrated DNS server. Paul, a new employee, also needs full administrative rights for the DNS server. Which security group must he become a member of? A DomainAdmins B DNSAdmins C Administrators D DNSUpdateProxy

DNSAdmins

You want to add a DS record to your Windows Server 2016 DNS server. Which of the following configuration options is not a valid solution? A DNSSEC Zone Signing Wizard B DS resource record set C DNS Manager D PowerShell

DNSSEC Zone Signing Wizard

You want to get information about DNS request types and DNS query packet content. What kind of DNS logging do you need to enable to get that information? A DNS server log B Debug logging C Analytic event logging D DNS monitoring

Debug logging

You are responsible for managing your network environment. You have one domain named pearson.com and two sites named New York and Berlin. The two sites are physically connected through the Internet, and you want to use a persistent connection. You must implement an IPsec-encrypted tunnel connection between the two sites. You have a Windows Server 2016 Remote Access server named RAS1 in New York and another Windows Server 2016 Remote Access server named RAS2 in Berlin. Which components do you have to configure on both servers to implement the router-to-router VPN S2S connection? (Choose two.) A Demand-dial interface B VPN connection profile C IPHTTPS interface D Dial-out credentials E KDC Proxy

Demand-dial interface Dial-out credentials

You are a member of the DHCP Administrators security group on all your DHCP servers, and you are responsible for your Windows Server 2016 IPAM server, IPAM1. You select multiple DHCP server IPv4 scopes, and you want to know which scope options you can configure in this way. Which scope options can you configure in one step for multiple scopes through the IPAM management console in Server Manager? A Scope name B Description C Start IP address D End IP address E Subnet mask F Lease duration G Exclusion range

Description Lease duration

You are responsible for a Windows Server 2016 DNS server named DNS1 that is authoritative for the zone pearson.com. You have configured conditional forwarding to other DNS servers. None of these forwardings is working correctly. Which setting could be the cause of this problem? A Store This Conditional Forwarder in Active Directory B Disable Recursion C Use Root Hints If No Forwarders Are Available D Enable Netmask Ordering

Disable Recursion

What are two core functionalities of DANE? (Choose two.) A Enables you to specify which CA is allowed to issue certificates for a resource B Authenticates TLS client and server entities without a Certificate Authority C Improves DNS response performance from Windows Server 2016 DNS servers D Simplifies certificate validation in a mixed IPv4/IPv6 environment

Enables you to specify which CA is allowed to issue certificates for a resource Authenticates TLS client and server entities without a Certificate Authority

You want to overwrite DNS server cache entries before the Cache TTL expires and you want to provide enhanced security against poisoning attacks. Which commands do you use? (Choose two.) A Dnscmd /config /CacheLockingPercent 90 B Dnscmd /config /CacheLockingPercent 50 C Restart-Service DNS D Dnscmd /clearcache

Dnscmd /config /CacheLockingPercent 90 Restart-Service DNS

You have one domain named pearson.com and a child domain named eu.pearson.com. You want to start with your DNSSEC chain of trust configuration. On your root Windows Server 2016 DNS server, you see in Trust Points and the root folder that no DS record exists. Which configuration can you use to install a root trust anchor using the RSA/SHA256 algorithm as the starting point of your chain of trust? (Choose two.) A Import-DnsServerTrustAnchor B Dnscmd /retrieveroottrustanchors C Add-DnsServerTrustAnchor -Root D Add-DnsServerTrustAnchor -KeyProtocol DNSSEC -CryptoAlgorithm RsaSha256

Dnscmd /retrieveroottrustanchors Add-DnsServerTrustAnchor -Root

You want to test DANE and TLSA records in your testing environment. You want to use only certificates that do not have to be signed by a valid CA. Which value should you use for the CertificateUsage parameter when you create your TLSA records with the PowerShell cmdlet Add-DnsServerResourceRecord? A ServiceCertificateConstraint B DomainIssuedCertificates C CAConstraint D TrustAnchorAssertion

DomainIssuedCertificates

You have configured a hot standby failover partnership between two Windows Server 2016 DHCP servers named DHCP1 and DHCP2 for the IP scope Scope1, with DHCP1 as the active partner. DHCP1 is not operating, but DHCP2 is not responding to DHCP client requests. Which setting allows DHCP2 to respond to DHCP client requests if DHCP1 is not operating? A Set Maximum Client Lead Time to Zero B Enable State Switchover Interval setting C Enable AutoStateTransition setting D Change Reserve Percentage setting

Enable AutoStateTransition setting

You want to migrate the DHCP configuration (including scope configuration) of an existing Windows Server 2012 R2 DHCP server to a new Windows Server 2016 DHCP server. Which PowerShell command should you use? A Export-DhcpServer B Import-DhcpServer C Backup-DhcpServer D Restore-DhcpServer

Export-DhcpServer

You want to view the DNSSEC signing status of a reverse lookup zone from a DNS server managed through a Windows Server 2016 IPAM server. You want to monitor the signing status in the IPAM configuration console under Monitor and Manage: DNS Zones. You need to verify the reverse lookup zone signing status. Which settings or tools can you use? (Choose two.) A Get-IPAMDnsZone B IPAM Configuration Manager Event Catalog C IPAM Configuration Manager DNS and DHCP Servers: DNS Zones D DNS Manager: Reverse Lookup Zones

Get-IPAMDnsZone DNS Manager: Reverse Lookup Zones

You have established a P2S connection to your Azure VNet. You want to verify the gateway IP address through which the P2S network traffic flows. Which command can you use? A Get-AzureVNetGateway B Get-NetRoute C Get-NetIPInterface D Get-VpnConnection

Get-NetRoute

You have configured both Enable DNSSEC in This Rule and Require DNS Clients to Check That Name and Address Data Has Been Validated by the DNS Server in the Default Domain Policy of your domain pearson.com. Your DNSSEC-configured DNS is named DNS1. In the Default Domain Policy, you add a rule for sec.pearson.com with DNSSEC (Validation) = "Yes" and DNSSEC (IPsec) = "No". You want to ensure that the value for DNSSECValidationRequired is True on client1 (Windows 10). Which PowerShell command can you use? (Choose two.) A Gpupdate /force B Resolve-dnsname dc1.sec.pearson.com -server dns1 -DNSSECok C Get-dnsclientnrptpolicy D Resolve-dnsname -name sec.pearson.com -type dnskey -server dns1 -DNSSECok

Gpupdate /force Get-dnsclientnrptpolicy

Under which identity is the ipamprovisioning.ps1 PowerShell script running during the deployment of a Windows Server 2016 IPAM server so that this script can correctly prepare managed DHCP servers? A EventLogReader B Administrators C IPAMUG D Domain Administrators

IPAMUG

You are responsible for managing your DNS environment. You have a UNIX BIND DNS server named BIND1 that is the master authoritative server for the zone pearson.com with TSIG protection enabled. You want to use a Windows Server 2016 DNS server named SEC1 as the secondary DNS server for this zone. You want to use an additional layer of security for zone transfer between BIND1 and SEC1. Which technology enables you to accomplish this? A TSIG B IPsec C HMAC-MD5 D GSS-TSIG

IPsec

You have two domain controllers with an AD-integrated DNS server, named DNS1 and DNS2, in the forest root domain pearson.com. You also have one domain controller with an AD-integrated DNS server named DNS3 in the child domain usa.pearson.com. Now you set up an additional domain controller DNS4 at usa.pearson.com. You use the Active Directory Installation Wizard to promote DNS4 to a domain controller. On the DNS Options page, you notice the yellow note on the top of that page: "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found." You need a solution with the least administrative effort. What is your next configuration step? A Cancel the Active Directory Installation Wizard and set up the domain controller with PowerShell. B Ignore the note and go forward with the Active Directory Installation Wizard. C Restart DNS3 and repeat all steps in the Active Directory Installation Wizard. D Ensure that DNS4 has a network connection to DNS1 or DNS2 and repeat all steps in the Active Directory Installation Wizard.

Ignore the note and go forward with the Active Directory Installation Wizard.

Your company consists of one domain with two sites named Paris and Chicago. Subnet1 (10.10.0.0/16) resides in Paris; Subnet2 (192.168.2.0/24) resides in Chicago. You have installed a Windows Server 2016 DHCP server named DHCP1 in Subnet1. Clients from Subnet2 have problems getting IP addresses from DHCP1. A router between Paris and Chicago does not support the RFC 1541 standard. It is not possible to install a DHCP server in Subnet2. What is the best solution to resolve this issue? A Install a second DHCP server in Subnet1 B Install and configure a DHCP relay agent in Paris C Install and configure a DHCP relay agent in Chicago D Install a DHCP relay agent in Paris and a DHCP relay agent in Chicago

Install and configure a DHCP relay agent in Chicago

You want to update your DNSSEC implementation. Which of the following is the proper procedure if you plan to deploy a new planned certificate chain related to DANE and TLSA records? A Leave the existing TLSA records and publish TLSA records that match the planned certificate chain. After deploying the planned certificate chain, remove the old TLSA records. B Remove the current TLSA records. Publish the TLSA records that match the planned certificate chain. C Publish the TLSA records that match the planned certificate chain and overwrite the current TLSA records with the settings of the new TLSA records. D Publish the TLSA records that match the planned certificate chain. Edit the existing TLSA records.

Leave the existing TLSA records and publish TLSA records that match the planned certificate chain. After deploying the planned certificate chain, remove the old TLSA records.

You want to integrate your IPAM server into System Center Virtual Machine Manager. After that, you must configure an SCVMM IP address pool in IPAM. Which component do you need to add in SCVMM? A Microsoft Windows Server Gateway B Microsoft Windows Server IP Address Management

Microsoft Windows Server IP Address Management

You want to produce a statement if you try to find a record that does not appear on your Windows Server 2016 DNS server. You also want to use hashing security for existing hosts. Which kinds of resource records do you need? (Choose two.) A DNSKEY B RRSIG C NSEC D NSEC3 E NSEC3PARAM

NSEC3 NSEC3PARAM

You use a DHCP server to automatically register client resource records on a DNS server. Which feature should you enable on your DHCP server to protect your environment from name squatting attacks? A DHCP server policies B DNS Policies C Name Protection D DNSSEC

Name Protection

You have configured your Windows 10 laptops as DirectAccess clients. Your employee starts his laptop at the airport and will remain there while waiting for a flight. He will use the airport's WLAN connection to connect through a Windows Server 2016 Direct Access Server (Azure VM) to Azure VNet resources. Which source delivers the DNS server resolving internal hostnames? A Airport DHCP server B Company DHCP server C TCP/IP settings of network interface D Name Resolution Policy Table

Name Resolution Policy Table

You want to maximize performance for your new DNS server. Which command should you use to start the deployment? A Install-WindowsFeature B New-NanoServerImage C Add-WindowsFeature D New-Container

New-NanoServerImage

You have three web servers deployed on your DMZ. You also use Exchange Server 2016. All your servers are Windows Server 2016 servers. They are reachable from the Internet and are secured through SSL certificates delivered from a public CA. You want to protect your environment against man-in-the-middle attacks. Which kinds of records should you use if you want to add certificate validation to your solution? (Choose two.) A RRSIG B DNSKEY C TLSA D DS records

RRSIG TLSA

You have a domain named pearson.com and two domain controllers with the DNS server role installed (DC1 and DC2). The zone pearson.com is a signed AD-integrated zone. You have installed a new Azure virtual machine DC3 as an additional domain controller. Your company site is connected through an Azure S2S tunnel to Azure. You have successfully tested AD replication for all domain controllers. You want to transfer the key master role from DC1 to DC3 and you want to get confirmation messages. Which tools or commands can you use? A On DC3, select Use the Following DNS Server as the Key Master on DC3 and then choose DC3 as the new key master. B On DC1, select Use the Following DNS Server as the Key Master on DC3 and then choose DC3 as the new key master. C On DC3, use Reset-DnsServerZoneKeyMasterRole -SeizeRole. D On DC3, use Reset-DnsServerZoneKeyMasterRole -Force.

On DC3, select Use the Following DNS Server as the Key Master on DC3 and then choose DC3 as the new key master.

You have a domain named pearson.com with two sites named Chicago and Denver. You also have a Windows Server 2016 IPAM server named IPAM1 that centrally manages all DNS and DHCP servers. Visitor devices must be automatically registered in visitors.pearson.com. The zone is created as an AD-integrated DNS zone with a forest-wide replication scope. You have four DHCP servers: DHCP1 and DHCP2 (Chicago), and DHCP3 and DHCP4 (Denver). You want to configure (with least administrative effort) visitor devices to be automatically registered in visitors.pearson.com with their IP address and hostname. You want to apply the configuration only to the following scopes: Scope2 (DHCP2): 10.10.0.0/24; Scope4 (DHCP4): 172.16.0.0/16. Which configuration is a valid solution for this scenario? A On IPAM1, configure a DHCP Policy for DHCP2 with the Register DHCP Clients Using a Different DNS Suffix setting enabled, and use the DHCP failover feature to replicate the policy to DHCP4. B On DHCP1, create a DHCP Policy with the Register DHCP Clients Using a Different DNS Suffix setting enabled, and use the DHCP failover feature to replicate the policy to DHCP4. C On IPAM1, create a DHCP Policy for DHCP2 with the Register DHCP Clients Using a Different DNS Suffix setting enabled, and import this DHCP Policy into DHCP4. D On IPAM1, select Scope2 and Scope4, and use Configure DHCP Policy. Enable the Register DHCP Clients Using a Different DNS Suffix setting and create the DHCP Policy.

On IPAM1, create a DHCP Policy for DHCP2 with the Register DHCP Clients Using a Different DNS Suffix setting enabled, and import this DHCP Policy into DHCP4.

Your environment consists of one parent domain named pearson.com and two child domains named usa.pearson.com and eu.pearson.com. You must plan the DNSSEC chain of trust, including delegations. Which statement is correct? A One DS trust anchor is installed for the child zone. B One DS trust anchor is installed for the parent zone. C One trust anchor is installed for every zone that a caching DNS server can validate. D Two trust anchors are installed for the parent zone.

One DS trust anchor is installed for the parent zone.

You have set up a Windows Server 2016 WDS server that includes the DHCP server role on the server wds.pearson.com. You have configured your DHCP scope with the PowerShell cmdlet Add-DhcpServerv4OptionDefinition using the necessary DHCP scope options for clients. Which scope option do you also need to configure that requires using a different command? A Option 59 B Option 60 C Option 66 D Option 67

Option 60

You want to add a TLSA record with the Add-DnsServerResourceRecord PowerShell cmdlet. You are asked for a value for the CertificateAssociationData parameter. Which value can you use for that parameter? A Public key of the certificate B Thumbprint of the certificate C PEM format X.509 certificate data D Serial number of the certificate

PEM format X.509 certificate data

You have a Windows Server 2016 DHCP server named DHCP1 and one Windows Server 2012 R2 NAP server named NAP1. You have the following Windows Server 2016 Nano Servers: N01, N02, N03, and N04. All Nano Servers must get their IP addresses through DHCP reservations from DHCP1. You look into the DHCP log file on DHCP1 and see that the message "A new IP address was leased to a client." is present for N01, N02, and N03, but not for N04. You must troubleshoot this problem. Which configuration step should you take? A Press F4 on Nano Server Recovery Console B Reconfigure NAP server on NAP1 C Remove and re-create DHCP reservation D Disable a firewall rule on N04

Press F4 on Nano Server Recovery Console

You have two configured DHCP scopes named Scope1 and Scope2, and you want to disable dynamic updates for DNS PTR records for both scopes in IPAM. Which configuration process is a possible solution? A Select both DHCP scopes in the IPAM configuration console and use Edit Scope to disable dynamic updates for DNS PTR records for both scopes. B Use the Set-IpamDhcpScope PowerShell cmdlet to disable dynamic updates for DNS PTR records for both scopes. C Select both DHCP scopes in the IPAM configuration console and use Set Access Scope to disable dynamic updates for DNS PTR records for both scopes. D Remove Scope2. Select Scope1 and use Edit Scope to disable dynamic updates for DNS PTR records. Use Duplicate DHCP Scope and name the new scope Scope2.

Remove Scope2. Select Scope1 and use Edit Scope to disable dynamic updates for DNS PTR records. Use Duplicate DHCP Scope and name the new scope Scope2.

You manage a domain named pearson.com. You have a Windows Server 2016 DHCP server named DHCP1 and you want to implement DHCP failover with hot standby mode. You want to choose DHCP2, which is a Windows Server 2016 Nano Server, as a partner server. Which changes must you make so that you can use DHCP2 as a DHCP failover replication partner for DHCP1? (Choose two.) A Authorize DHCP server DHCP2 in ADDS B Add DHCP server DHCP2 to the domain pearson.com C Replace DHCP2 with a Windows Server 2016 Datacenter server D Install the DHCP server role on DHCP2 and authorize DHCP2

Replace DHCP2 with a Windows Server 2016 Datacenter server
Install the DHCP server role on DHCP2 and authorize DHCP2

You have configured DNS Dynamic Update Credentials through your Windows Server 2016 IPAM server named IPAM1 for the three DHCP servers DHCP1, DHCP2, and DHCP3 in the forest pearson.com. Last Friday, a backup of all IPAM configuration data was started. You also have backed up all DHCP servers locally and Active Directory. You have to run a restore process for DHCP1. Which additional configuration should you do? A Select all three DHCP servers in the IPAM configuration console and configure new DNS Dynamic Update Credentials. B Select DHCP1 in the IPAM configuration console and configure new DNS Dynamic Update Credentials only for DHCP1. C Restore ipam.mdf and ipam_log.ldf, select all three DHCP servers in the IPAM configuration console, and configure new DNS Dynamic Update Credentials. D Use the Set-IpamDiscoveryDomain PowerShell cmdlet to discover the restored Active Directory Credentials from Active Directory.

Select DHCP1 in the IPAM configuration console and configure new DNS Dynamic Update Credentials only for DHCP1.

You want to enable the name protection feature for dhcp3.pearson.com and dhcp2.pucert.com through IPAM. Which is a possible way to do that? A Select dhcp3.pearson.com and dhcp2.pucert.com together and use Edit DHCP Server Properties in the IPAM configuration console. B Use the Set-DhcpServerv4DnsSetting PowerShell cmdlet with the NameProtection parameter. C Select dhcp3.pearson.com and select Edit DHCP Server Properties in the IPAM configuration console. Then select dhcp2.pucert.com and use Edit DHCP Server Properties in the IPAM configuration console. D Use the Get-IpamDhcpServer PowerShell cmdlet.

Select dhcp3.pearson.com and select Edit DHCP Server Properties in the IPAM configuration console. Then select dhcp2.pucert.com and use Edit DHCP Server Properties in the IPAM configuration console.

Which of the following is not a DANE operation mode? A CA Constraints B Service Certificate Constraints C Trust anchor assertion D Self-Signed Certificate Constraint E Domain-issued certificate

Self-Signed Certificate Constraint

Which PowerShell cmdlet can you use to configure the DNS server's IP address on a DNS client? A Set-DnsClientServerAddress B Set-NetIPInterface C Set-NetIPAddress D Set-DnsClient

Set-DnsClientServerAddress

Which command can you use to enable GlobalNames zones? (Choose two.) A Set-DnsServerGlobalNameZone B Dnscmd C Set-DnsServer D Set-DnsServerPrimaryZone

Set-DnsServerGlobalNameZone Dnscmd

You have installed a Windows Server 2016 DNS server. Now you want to configure the following global DNS settings with PowerShell: hinder DNS attacks; resolve IP address of the ISATAP router; deny zone transfer to a specific domain or subnet. Which PowerShell cmdlets can you use to implement the desired global DNS settings? (Choose three.) A Set-DnsServerGlobalQueryBlockList B Set-DnsServerRecursionScope C Set-DnsServerResponseRateLimiting D Set-DnsServerCache E Set-DnsServerZoneTransferPolicy F Set-DnsServerGlobalNameZone

Set-DnsServerGlobalQueryBlockList Set-DnsServerResponseRateLimiting Set-DnsServerZoneTransferPolicy

You have a new application named App1 that will produce many unwanted DNS queries. You want to optimize your protection against DDoS attacks, and you want to ensure that App1 can run all required DNS queries without problems. Which settings should you configure on your Windows Server 2016 DNS servers? (Choose two.) A Set-DnsServerDnsSecZoneSetting B Set-DnsServerRRL C Set-DnsServerEDns D Add-DnsServerResponseRateLimitExceptionList E Add-DnsServerSigningKey

Set-DnsServerRRL Add-DnsServerResponseRateLimitExceptionList

You want to configure selective recursion control on your Windows Server 2016 DNS server in your DMZ to configure different recursion settings for internal and external clients. Which of the following PowerShell commands can you use? (Choose three.) A Add-DnsServerResourceRecord B Set-DnsServerRecursionScope C Add-DnsServerRecursionScope D Add-DnsServerQueryResolutionPolicy E Add-DnsServerClientSubnet

Set-DnsServerRecursionScope Add-DnsServerRecursionScope Add-DnsServerQueryResolutionPolicy

You now must secure the TLSA record. You also have to ensure that clients can reach your intranet web server through https://intranet.pearson.com with secure DANE validation. Which implementation should you use? A Request a new server certificate and bind it to your website B Sign the pearson.com zone C Remove Everyone from the ACL of the TLSA record D Activate the two NRPT GPO settings: Enable DNSSEC in This Rule and Require DNS Clients to Check That Name and Address Data Has Been Validated by the DNS Server

Sign the pearson.com zone

You have a Windows Server 2016 DNS server named DNS1 that is authoritative for the AD-integrated zone eu.pearson.com and is the domain controller for the domain eu.pearson.com. You have implemented DNS2 as the secondary DNS server for that zone. DNS2 is a Windows Server 2012 R2 DNS server and the second domain controller for eu.pearson.com. You want to start the DNS data replication between DNS1 and DNS2 immediately. Which step accomplishes this quickly? A On DNS2, convert eu.pearson.com zone to an AD-integrated zone B Start-DnsServerZoneTransfer -Name "eu.pearson.com" on DNS1 C Repadmin /replicate DNS2 DNS1 DC=eu,DC=pearson,DC=com D Add DNS2 to the notify list of secondary DNS servers on DNS1

Start-DnsServerZoneTransfer -Name "eu.pearson.com" on DNS1

You are responsible for 22 Hyper-V hosts and 12 VMware hosts. The forest pearson.com has only two DHCP servers and two DNS servers. All hosts, virtual machines, and IP address spaces are managed centrally through a SCVMM 2016 server named VMM1. One hundred fifty virtual machines from your customers running on a Windows Server 2016 Hyper-V cluster are also managed through VMM1. Because of the acquisition of another company, you have to integrate the physical and virtual IP address space management IPAM solution of this company into your environment. You create a two-way forest trust between the two forests. The other company has a Windows Server 2016 IPAM server named IPAM2016 with 30 DHCP servers and 25 DNS servers to manage. You want to determine the next steps to use IPAM with SCVMM for physical and virtual IP address space management to centralize the administration. Which implementation should you use? A Deploy an IPAM server on pearson.com. B Add the pearson.com forest to IPAM2016. C Use a third-party IPAM solution. D Synchronize IPAM2016 and VMM1.

Synchronize IPAM2016 and VMM1.

You want to prevent man-in-the-middle attacks, in which an attacker corrupts the DNS cache to point to a different website and provides a certificate issued from a different CA. Which kind of record can you use for this? A TSIG B RRSIG C TLSA D DNSKEY

TLSA

Which of the following is part of a Windows Server 2016 stub zone? (Choose two.) A The IP of one or more master servers that you can use to update the zone B Resource records not contained in a DNS server's zone C A cache of domain names and their associated IP addresses for the most common domains that the organization uses or accesses D Requests for all Internet names forwarded to a DNS server at an ISP E The delegated zone's SOA record, NS record, and A record

The IP of one or more master servers that you can use to update the zone
The delegated zone's SOA record, NS record, and A record

You unsign the zone pearson.com on a Windows Server 2016 DNS server. After doing so, you notice that validation requests fail and DNS resolution for the zone fails. Which component do you need to remove to solve the problem? A RRSIG records B Trust anchor C NRPT settings D RRset

Trust anchor

Which new Windows Server feature allows you to add such records? A DANE B DNS policies C Response Rate Limiting D Unknown record support E IPv6 root hints

Unknown record support

Your Active Directory environment consists of one forest with two trees and six domains (see Figure 4-33). Every domain has two domain controllers named DC1 and DC2 with an installed DNS server role. You have created an AD-integrated zone named devtestenv.com on dc1.pearson.com. The zone is signed with DNSSEC. DNS data of this zone is stored in a custom DNS application directory partition. Only the DC1 domain controllers from all domains are enlisted in the scope of that partition. You must ensure that all domain controllers from all domains can get the DNS data replicated from devtestenv.com and that the zone is signed. What is your first step? A Change the replication scope of zone devtestenv.com. B Unsign the zone devtestenv.com. Change the replication scope to all domain controllers running DNS servers in this forest. Re-sign the zone. C Change zone devtestenv.com to Primary. Apply zone type AD integrated with forest replication scope. D Create a new zone named devtestenv2.com. In the DNSSEC Zone Signing Wizard, select Sign the Zone with Parameters of an Existing Zone.

Unsign the zone devtestenv.com. Change the replication scope to all domain controllers running DNS servers in this forest. Re-sign the zone.

You have a Windows Server 2012 IPAM server named IPAM1 in your domain pearson.com. You also have an existing SQL Server named SQL1. IPAM1 is configured with the WID as storage for IPAM configuration data. You want to migrate your existing IPAM database to SQL1 and you want to use that SQL Server as an external database solution for IPAM1. Which solutions are possible? (Choose two.) A Migrate IPAM database of IPAM1 to SQL1. B Install Microsoft SQL Server on IPAM1. C Upgrade IPAM1 to Windows Server 2012 R2. D Upgrade IPAM1 to Windows Server 2016.

Upgrade IPAM1 to Windows Server 2012 R2.
Upgrade IPAM1 to Windows Server 2016.

You have installed a Windows Server 2012 R2 DNS server named DNS1. You want to use DNSSEC and DANE. You have to implement all necessary DNS configuration. You realize that not all kinds of resource records can be created on your DNS server. What change do you have to make? A Change the DNS zone to AD integrated with forest replication scope B Upgrade the DNS server to Windows Server 2016 C Add another Windows Server 2016 DNS server as the secondary of DNS1 D Enable BIND secondaries and use a BIND server as the secondary DNS for DNS1

Upgrade the DNS server to Windows Server 2016

You need to import 50 IP addresses from the network 112.20.5.0/24 into your IPAM database through a CSV file named addresses.csv. The CSV file contains data for a field named Division. Which configuration steps should you perform? (Choose two.) A Use Add-IPAMCustomField to create the Division field. B Use Format-Custom to prepare the Division field. C Use Add-IPAMCustomValue to add values to Division. D Use Import-IPAMAddress to import from addresses.csv. E Use Import-IpamSubnet to import from addresses.csv. F Use Import-IpamRange to import from addresses.csv. G Ensure that the RIR field and values are available in addresses.csv

Use Add-IPAMCustomField to create the Division field.
Use Import-IPAMAddress to import from addresses.csv.

You manage your Windows Server 2016 DHCP servers. You use IPv4 and IPv6 scopes. Which requirement can you not implement through Windows Server 2016 DHCP for IPv6 scopes? A Use the DHCP failover feature in hot standby mode B Deliver the SIP server domain list to DHCP clients C Deliver IP addresses and options D Configure exclusions for scopes E Configure reservations for scopes

Use the DHCP failover feature in hot standby mode

In the DHCP Manager on your Windows Server 2016 DHCP server, you select New Scope to create an IPv4 multicast scope starting with 224. You cannot create the scope. What is the best solution for this problem? A Use the PowerShell cmdlet Add-DhcpServerv4Scope B Create another scope and use Set-DhcpServerv4Scope C Use the PowerShell cmdlet Add-DhcpServerv4MulticastScope D Use the PowerShell cmdlet Add-DhcpServerv4Superscope

Use the PowerShell cmdlet Add-DhcpServerv4MulticastScope

You want to split your DHCP scope with a ratio of 70:30 between two DHCP servers. You want to use a solution without changing the default settings. Which split-scope solution is the best option for this scenario? A Use two DHCP servers configured for DHCP failover with load sharing mode B Use two DHCP servers with manually configured DHCP IPv4 scopes C Use two DHCP servers configured for DHCP failover with hot standby mode D Use two DHCP servers and replicate the DHCP scope through a PowerShell script

Use two DHCP servers with manually configured DHCP IPv4 scopes

You have enabled server logging on your Windows Server 2016 DHCP server. You also have configured that server to dynamically update DNS requests on behalf of the DHCP clients with default settings. You want to view the log information about failed DNS dynamic update events. How do you accomplish this? A View failed DNS dynamic update events on the DNS server B View events with an event ID of 31 on the DHCP server C View failed DNS dynamic update events on the DHCP client D View events with an event ID of 30 on the DHCP server

View events with an event ID of 31 on the DHCP server

You want to sign DNS resource records with NSEC3 and RSA/SHA-2. Which Windows server version can use both standards? A Windows Server 2008 B Windows Server 2012 C Windows Server 2012 R2 D Windows Server 2016

Windows Server 2016

You have two forests, named pearson.com and pearsonucertify.com. In pearson.com, you use a Windows Server 2016 IPAM-based IP address configuration solution. In pearsonucertify.com, you have a Windows Server 2012 R2 IPAM-based IP address configuration solution. You have a two-way transitive forest trust between both forests and you want to exchange IPAM configurations through an automatic replication process between IPAM servers in both forests. You want to use the new Windows Server 2016 multiple-forest support feature to replicate IPAM data between both IPAM environments. Which are correct statements for this? (Choose two.) A You can automatically replicate IPAM data between forests. B You can automatically replicate IPAM data between IPAM servers in the same forest. C You cannot exchange IPAM data between IPAM servers. D You cannot exchange IPAM data between IPAM servers in different forests. E You can manage DNS/DHCP servers in different forests through Windows Server 2016 IPAM server.

You cannot exchange IPAM data between IPAM servers.
You can manage DNS/DHCP servers in different forests through Windows Server 2016 IPAM server.

You want to plan your ZSK/KSK rollover process. Select the preferred rollover method for each kind of key. (Choose two.) A ZSK: Prepublishing B ZSK: Double signing C KSK: Prepublishing D KSK: Double signing

ZSK: Prepublishing KSK: Double signing

You are the administrator of pearson.com. You want to specify to your DNS clients the CA from which they should expect certificates for usa.pearson.com. You want to prevent man-in-the-middle attacks. The client has to trust only the referenced SHA-256 certificate in the TLSA record. Which TLSA record is correct? A _443._tcp.usa.nutex.com. IN TLSA 0 1 1 ea0fccb0f5a7f7a4c67... B _443._tcp.usa.nutex.com. IN TLSA 1 1 1 ea0fccb0f5a7f7a4c67... C _443._tcp.usa.nutex.com. IN TLSA 2 1 2 ea0fccb0f5a7f7a4c67... D _443._tcp.usa.nutex.com. IN TLSA 3 1 1 ea0fccb0f5a7f7a4c67...

_443._tcp.usa.nutex.com. IN TLSA 3 1 1 ea0fccb0f5a7f7a4c67...

You have configured a hot standby failover partnership between two Windows Server 2016 DHCP servers named DHCP1 and DHCP2 for the IP scope Scope1. DHCP1 is the active partner. The DHCP service on DHCP1 has crashed after a database corruption. You want to restore Scope1 and ensure that the partnership between both servers is still working after the restore process. Which three commands should you use? A netsh dhcp server import B netsh dhcp server export C backup-dhcpserver D restore-dhcpserver E remove-item F stop-service

backup-dhcpserver restore-dhcpserver remove-item

You want to back up only your Active Directory-integrated zone (pearson.com) on your Windows Server 2016 DNS server named DNS1. Which command can you use for that? A dnscmd DNS1 /ZoneExport "pearson.com" "pearson.com.bak" B Export-DnsServerZone -Name "pearson.com" -FileName "pearson.com" C Wbadmin.exe Start SystemStateBackup -backuptarget: E: D Export-Csv -path pearson.com.csv

dnscmd DNS1 /ZoneExport "pearson.com" "pearson.com.bak"
Export-DnsServerZone -Name "pearson.com" -FileName "pearson.com"

You have the following DNS servers: DNS1 (Windows Server 2008 R2; signed zone: pearson1.com), DNS2 (Windows Server 2012; signed zone: pearson2.com), DNS3 (Windows Server 2012 R2; signed zone: pearson3.com), and DNS4 (Windows Server 2016; signed zone: pearson4.com). All zones were signed locally by a DNS server. You want to use the PowerShell cmdlet Invoke-DnsServerZoneUnsign to unsign all the zones. Which zone can you not unsign in this way? A pearson1.com B pearson2.com C pearson3.com D pearson4.com

pearson1.com

You have enabled analytical event auditing on your Windows Server 2016 DNS server. You have very high DNS query rates, so your DNS server performance has decreased unacceptably. You want to disable analytical event audit tracing, to see whether this feature is the cause of the unacceptable burden. Which command should you use? A Set-DnsServerDiagnostics -EnableLoggingForServerStartStopEvent $true B Set-DnsServerDiagnostics -DebugLogging 0x10000 C Stop-PefTraceSession D tracelog -stop Dns

tracelog -stop Dns

You are responsible for your DNS server monitoring solution. You have a Windows Server 2016 DNS server. You want to enable DNS server analytic logging. Which tool/command can you use? A Set-DnsServerDiagnostics B tracelog.exe C Set-DnsServerSetting D wusa.exe

tracelog.exe

You want to enable the analytical DNS logging feature to get more detailed information about incomplete or incorrectly configured DNS records on your Windows Server 2016 DNS server. Which settings or tools can you use to enable analytical DNS logging and analyze recorded analytical DNS logging data? A tracelog.exe B Debug logging C Test-DnsServer D nslookup

tracelog.exe nslookup

Which types of DNS resource records cannot be created automatically? (You do not want to use scripts.) SRV TXT A MX

TXT MX

